User AD Accounts are getting locked out by ADFS Server.

    Question

  • We are seeing multiple tickets where users are getting locked out, and the source of the account lockouts is the ADFS servers. We have enabled the debug logs but couldn't find anything specific to the lockout.

    The following is the log. Please let me know what could be the cause of the lockout.

    Token validation failed.

    Additional Data

    Token Type:

    Error message:

    rad03@xxxx.xxx.com-The user name or password is incorrect

    Exception details:

    System.IdentityModel.Tokens.SecurityTokenValidationException: rad03@xxxx.xxxx.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect

       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)

       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)

       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)

       at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

       --- End of inner exception stack trace ---

       at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

       at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

    System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect

       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)

       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)

       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)

       at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

    Wednesday, March 1, 2017 2:30 AM

Answers

  • Hi,
    Generally, common causes for account lockouts include:
    • Stale sessions: a user may be logged on to more than one computer; those other logons may be using old credentials that are cached and being used by some applications.
    • Applications: numerous applications either cache the users' credentials or have credentials explicitly defined in their configuration.
    • Windows services: Windows services are by default configured to start using the local system account; however, Windows services can be configured to use a specific account, typically referred to as a service account.
    • Scheduled tasks: the Windows Task Scheduler requires credentials for any task that is configured to run whether or not a user is logged on to the computer; specific tasks may be configured to use domain credentials.
    • Persistent drive mappings: drive mappings can be configured to use alternate credentials to connect to a shared resource.
    • Stored usernames and passwords: Windows can store usernames and passwords for remote resources; these credentials can be viewed in the Credential Manager control panel applet.
    • Mobile devices: mobile devices can have stored credentials for accessing remote resources such as email.
    Since it is happening on ADFS, I am not sure whether these causes apply to you, and in this case I would also suggest you post the question in the ADFS forum.
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=ADFS
    The reason we recommend posting appropriately is that you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, March 1, 2017 7:20 AM
    Moderator
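The stack trace in the question shows AD FS itself calling LsaLogonUser with a username and password (MSISWindowsUserNameSecurityTokenHandler), which is why the domain controller records the AD FS server as the caller of the lockout: the device that is replaying a stale password sits behind AD FS, not on it. Every cause in the list above (a phone, a cached-credential application, a scheduled task) therefore shows up as a client of AD FS, and the way to find it is to join the DC's lockout events with the AD FS server's own password-validation failures. The script below is an added example written for this thread, not code from the original posts or from Microsoft. It assumes: the AD FS Admin channel is named 'AD FS/Admin' and logs "Token validation failed" as event ID 342; AD FS security auditing is enabled (auditpol "Application Generated" success/failure), so event ID 411 from the 'AD FS Auditing' provider in the Security log carries a "Client IP" line; on event 4740 the caller computer name is stored in the TargetDomainName field; and the default values of $User and $PdcEmulator are placeholders to replace.

```powershell
# Added example, not part of the original thread: find which client is
# pushing a bad password through AD FS by joining DC lockout events (4740)
# with the AD FS server's own validation failures (342 / 411).
#
# Assumptions (not stated in the thread):
#   - Run on an AD FS server with admin rights and the ActiveDirectory module.
#   - 'AD FS/Admin' logs "Token validation failed" as event ID 342 (no client IP).
#   - AD FS auditing is enabled, so Security-log event 411 (provider
#     'AD FS Auditing') contains a "Client IP:" line.
#   - On 4740 the "Caller Computer Name" is stored in TargetDomainName.
#   - $User and $PdcEmulator defaults are placeholders.

param(
    [string]$User        = 'rad03',                       # account from the question
    [string]$PdcEmulator = (Get-ADDomain).PDCEmulator,    # every lockout is forwarded here
    [int]   $Hours       = 24
)

$since = (Get-Date).AddHours(-$Hours)

function Get-EventDataHashtable {
    # Flatten <EventData><Data Name="..."> of one record into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $d = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($e in $xml.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
    return $d
}

# 1. Lockouts for the user, with the computer that sent the bad password.
#    When that caller is an AD FS server, the real source is one hop further.
$lockouts = Get-WinEvent -ComputerName $PdcEmulator -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataHashtable $_
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $d['TargetUserName']
            Caller = $d['TargetDomainName']   # caller computer name (assumed field)
        }
    } |
    Where-Object { $_.User -like "$User*" }

# 2. AD FS-side failures for the same user.
$adfsFailures = @()
$adfsFailures += Get-WinEvent -FilterHashtable @{
        LogName = 'AD FS/Admin'; Id = 342; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($User) } |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Id = 342; ClientIP = $null
                           Activity = $_.ActivityId }
    }
$adfsFailures += Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 411; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($User) } |
    ForEach-Object {
        # Audit 411 lists the IP chain as "Client IP: a.b.c.d, e.f.g.h" (WAP, then client).
        $ip = if ($_.Message -match 'Client IP:\s*([0-9a-fA-F\.:, ]+)') { $Matches[1].Trim() } else { $null }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = 411; ClientIP = $ip
                           Activity = $_.ActivityId }
    }

# 3. For each lockout, list the AD FS failures in the preceding 15 minutes.
foreach ($l in $lockouts) {
    "`n[{0}] {1} locked out, caller {2}" -f $l.Time, $l.User, $l.Caller
    $adfsFailures |
        Where-Object { $_.Time -le $l.Time -and $_.Time -ge $l.Time.AddMinutes(-15) } |
        Sort-Object Time |
        Format-Table Time, Id, ClientIP, Activity -AutoSize
}

# 4. Client IPs ranked by failure count; the top entry is normally the device
#    holding the stale password (phone mail profile, cached app credential, task).
$adfsFailures | Where-Object ClientIP | Group-Object ClientIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

If the 411 events are absent, auditing is not on: enable it with `auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable` on each AD FS server (and, on AD FS 2016 or later, `Set-AdfsProperties -AuditLevel Verbose`), then wait for the next lockout. The Activity column lets you pull the full request from the 'AD FS Tracing/Debug' log the poster already enabled. As a mitigation while the source is hunted down, AD FS can refuse to forward further bad passwords before AD's own threshold trips (`Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold <n> -ExtranetObservationWindow <timespan>`, with n lower than the domain lockout threshold); this applies only to requests coming through the Web Application Proxy, so intranet callers still need the correlation above.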

All replies

  • Hi,

    Just checking in to see if the information provided was helpful. If the replies above are helpful, we would appreciate it if you marked them as answers; please let us know if you would like further assistance.

    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, March 6, 2017 8:23 AM
    Moderator