ADFS AD Account Lockout Source IP Address

  • Question

  • Is there any way to get the source IP address of a bad password attempt against ADFS? I'm running ADFS 3.0 on Windows 2012 R2 and have enabled ADFS Auditing/Tracing and this info doesn't seem to get logged anywhere. Am I missing something?
    Wednesday, December 16, 2015 4:43 AM

All replies

  • Here's a guide for you to help with troubleshooting https://gallery.technet.microsoft.com/Account-Lockout-Troubleshoo-542cb9ff/ or try Netwrix Account Lockout Examiner free tool.

    Best Regards,

    Jeff

    Netwrix Technical Evangelist

    Netwrix Auditor  is an IT audit software that maximizes visibility of IT infrastructure changes and data access. The product provides actionable audit data about who changed what, when and where and who has access to what.

    Tuesday, January 26, 2016 4:17 PM
  • A failed logon attempt can give you the clue to find the actual culprit (computer/IP address) behind such an occurrence. You can walk through this informative article, which covers this concern in more depth: http://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/
    Thursday, January 28, 2016 10:34 AM
  • Have a look here: http://blogs.technet.com/b/pie/archive/2016/02/02/track-down-the-source-of-adfs-lockouts.aspx

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, February 2, 2016 10:44 PM
  • The article was very useful, but sadly it doesn't seem to hold true in my environment.

    I see the following event codes logged when I fail an auth attempt:

    SourceName=AD FS Auditing
    EventCode=411

    SourceName=Microsoft Windows security auditing.
    EventCode=4625

    SourceName=Microsoft Windows security auditing.
    EventCode=4771

    The first two are from the ADFS server, the last from the DC. These entries do not contain the remote IP address, and the DC logs the ADFS server's IP.

    Monday, March 7, 2016 4:12 PM
  • There was an issue with the IP logging under certain conditions. Please make sure you have the latest binaries on your ADFS and on your WAP (Windows Updates). Hopefully that will fix this issue.

    Tuesday, March 8, 2016 6:28 PM
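
Added example, not part of the original thread: a PowerShell sketch that pulls the three event IDs named above (411, 4625, 4771) from the Security log of the AD FS server and a DC and lists whatever address each one recorded, so you can check whether patching changed what is logged. The server names and the function name are placeholders, and since the thread does not describe the layout of event 411, the code scans its data fields for anything that looks like an IPv4 address.

```powershell
# Added example; host names and function name are placeholders (assumptions).
function Get-FailedLogonSource {
    param(
        [string[]]$ComputerName = @('adfs01.example.test', 'dc01.example.test'),
        [datetime]$StartTime    = (Get-Date).AddHours(-1)
    )
    $ipv4   = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
    $filter = @{ LogName = 'Security'; Id = 411, 4625, 4771; StartTime = $StartTime }

    foreach ($computer in $ComputerName) {
        # SilentlyContinue hides "no events found"; drop it when debugging connectivity.
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $user = $null
                if ($_.Id -eq 411) {
                    # AD FS Auditing event: field layout not assumed, so scan
                    # every data value for IPv4-looking strings.
                    $text = ($_.Properties | ForEach-Object { [string]$_.Value }) -join ' '
                    $ips  = [regex]::Matches($text, $ipv4) |
                                ForEach-Object { $_.Value } | Select-Object -Unique
                }
                else {
                    # 4625 / 4771 carry named fields in EventData.
                    $named = @{}
                    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                        $named[$d.Name] = $d.'#text'
                    }
                    $user = $named['TargetUserName']
                    $ips  = $named['IpAddress']
                }
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Computer    = $_.MachineName
                    EventId     = $_.Id
                    User        = $user
                    SourceIp    = ($ips -join ', ')
                }
            }
    }
}

# Failed logons from the last hour, oldest first
Get-FailedLogonSource | Sort-Object TimeCreated | Format-Table -AutoSize
```

An empty SourceIp on the 411 rows, or a 4771 row on the DC showing only the AD FS server's address, matches the behaviour described in the March 7 post.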