AD FS Account locked out - Client IP missing

  • Question

  • ADFS is running on Server 2012 R2. We have several ID 411 events in the security log. Normally this does not affect our AD, as the Extranet Lockout feature is enabled. But sometimes the Client-IP is missing in the event (Client-IP ::1 is logged instead of the IPv4 address). Whenever this occurs, the user is also locked out in Active Directory.
    Any idea how to solve this issue?

    Wednesday, November 22, 2017 9:19 AM

Answers

All replies

  • Check the below articles:

    AD Fun Services – Track down the source of ADFS lockouts:
    https://blogs.technet.microsoft.com/pie/2016/02/02/ad-fun-services-track-down-the-source-of-adfs-lockouts/

    AD FS logs don't contain client IP address for account lockout scenarios in Windows Server 2012 R2:
    https://support.microsoft.com/en-us/help/3134787/ad-fs-logs-don-t-contain-client-ip-address-for-account-lockout-scenari

    Also, check if there are any passwords saved locally, as this could be the issue.

    Hope this helps!


    • Proposed as answer by DarrenniteBanned Thursday, November 23, 2017 12:46 PM
    • Marked as answer by tomluna Tuesday, November 28, 2017 8:37 AM
    Thursday, November 23, 2017 5:30 AM
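The blog post linked above walks through correlating AD FS event 411 with the client IP carried in the event text. The script below is an added example written for this thread, not code from either article: it parses 411 messages, flags the ones whose Client IP is ::1 (the loopback address, so the real source cannot be recovered from the event) and summarises failures per account. The log name `AD FS/Admin`, the `Client IP:` / `Error message:` text layout and the sample messages are assumptions, so adjust them to what your farm actually writes.

```powershell
# Added example (not from the thread or the linked articles).
# Parses AD FS event 411 text, marks entries with a loopback (::1) or missing
# client IP and summarises bad-password failures per user.

function ConvertFrom-AdfsEvent411 {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $Message,
        [datetime] $TimeCreated = (Get-Date)
    )
    process {
        # Assumption: the 411 message carries "Client IP: <addr>" and the failing
        # account at the start of "Error message: <account>-<reason>".
        $ip   = if ($Message -match 'Client IP:\s*(\S+)')        { $Matches[1] } else { $null }
        $user = if ($Message -match 'Error message:\s*([^\s-]+)') { $Matches[1] } else { $null }
        [pscustomobject]@{
            TimeCreated   = $TimeCreated
            User          = $user
            ClientIP      = $ip
            # ::1 is IPv6 loopback: the request's origin is not recorded, so these
            # are the failures that cannot be matched to an external source.
            SourceMissing = ([string]::IsNullOrEmpty($ip) -or $ip -eq '::1')
        }
    }
}

function Get-AdfsEvent411 {
    param(
        [string] $LogName = 'AD FS/Admin',   # assumption: where 411 lands on this farm
        [int]    $Hours   = 24
    )
    $filter = @{ LogName = $LogName; Id = 411; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-AdfsEvent411 -Message $_.Message -TimeCreated $_.TimeCreated }
}

function Get-AdfsLockoutSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Parsed,
        [int] $Threshold = 5                  # compare with the AD lockout threshold in use
    )
    $Parsed | Group-Object User | ForEach-Object {
        $missing = @($_.Group | Where-Object SourceMissing).Count
        $known   = @($_.Group | Where-Object { -not $_.SourceMissing } | ForEach-Object ClientIP | Sort-Object -Unique)
        [pscustomobject]@{
            User           = $_.Name
            Failures       = $_.Count
            SourceMissing  = $missing
            KnownSourceIPs = ($known -join ', ')
            # Enough unattributed failures to reach the threshold means the
            # lockout source has to be found outside the AD FS event alone.
            AtRisk         = ($missing -ge $Threshold)
        }
    }
}

# Constructed sample messages in the shape of event 411 text (not real log data).
$sample = @(
    'Token validation failed. Additional Data Token Type: UserName Client IP: 203.0.113.10 Error message: CONTOSO\jdoe-The user name or password is incorrect',
    'Token validation failed. Additional Data Token Type: UserName Client IP: ::1 Error message: CONTOSO\jdoe-The user name or password is incorrect',
    'Token validation failed. Additional Data Token Type: UserName Client IP: ::1 Error message: CONTOSO\jdoe-The user name or password is incorrect',
    'Token validation failed. Additional Data Token Type: UserName Client IP: 198.51.100.7 Error message: CONTOSO\asmith-The user name or password is incorrect'
)

$parsed = $sample | ConvertFrom-AdfsEvent411
$parsed | Format-Table TimeCreated, User, ClientIP, SourceMissing -AutoSize
Get-AdfsLockoutSummary -Parsed $parsed -Threshold 2 | Format-Table -AutoSize

# Against a live farm, replace the sample with:
#   $parsed = Get-AdfsEvent411 -Hours 24
```

Run it on the AD FS server (or with the event log forwarded) and compare `SourceMissing` per user with the AD account lockout threshold; accounts whose unattributed failures alone reach the threshold are the ones where the 411 event cannot tell you where the bad passwords come from.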
  • Make sure you have deployed all Windows Updates as there were some bugs corrected on Windows Server 2012 ADFS for this very same situation.

    @ortizsimon, you don't like my blog? :) Nor the KB? Those don't look like SPAM...


    • Marked as answer by tomluna Tuesday, November 28, 2017 8:38 AM
    Friday, November 24, 2017 2:00 PM
  • Thanks for your answers and sorry for the delay ...

    The occurrence of the lockouts disappeared meanwhile; the reason why is unknown. I had worked through the first article (AD Fun Services) before I started this thread, so I could identify the missing IP address as the reason for the lockouts (technically the address was not really missing as "::1" was logged - whatever this means).

    The server was also fully patched. Nevertheless I tried to install the KB3134222 patch, but it was not applicable.

    So that's the situation today, I hope it remains.

    Tuesday, November 28, 2017 8:21 AM
  • ok ... ::1 is localhost
    Tuesday, November 28, 2017 8:59 AM