Account lockout shows ADFS as the source

  • Question

  • Hi Experts,

    How do we identify when the object lockout source is showing as the ADFS server? We are using ADFS 2.0.

    I followed the article below and enabled the auditing which is mentioned, but I still could not see any Event ID 411.

    https://blogs.technet.microsoft.com/pie/2016/02/02/ad-fun-services-track-down-the-source-of-adfs-lockouts/


    Regards, Nidhin.CK

    Thursday, June 2, 2016 10:38 PM

All replies

  • I have never tried this (what I described in the blog post you mentioned) on ADFS 2.x.

    I would have assumed that it would have worked the same way (minus the Extranet Lockout feature, which is only for Windows Server 2012 R2). What event do you see in the security event logs once you have enabled the audit and when you have a failed logon?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, June 6, 2016 2:08 PM
  • Hi Pierre,

    I could see only Event ID 4625 but no 411.


    An account failed to log on.

    Subject:
    Security ID: Domain\ADFSServiceAccount
    Account Name: ADFSServiceAccount
    Account Domain: Domain
    Logon ID: 0xa8215

    Logon Type: 8

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: nidhinck@Domain.com
    Account Domain:

    Failure Information:
    Failure Reason: Account locked out.
    Status: 0xc0000234
    Sub Status: 0x0

    Process Information:
    Caller Process ID: 0x544
    Caller Process Name: C:\Program Files\Active Directory Federation Services 2.0\Microsoft.IdentityServer.ServiceHost.exe

    Network Information:
    Workstation Name: ABC833
    Source Network Address: -
    Source Port: -

    Detailed Authentication Information:
    Logon Process: Advapi  
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0



    Regards, Nidhin.CK

    Monday, June 6, 2016 3:17 PM
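
The 4625 event posted above can be triaged mechanically. The following is an added example, not part of the original thread, that parses the event's message text and reports whether the failure came through the ADFS service host and whether a client address was recorded. The sample event, its account name and the function names are constructed for illustration.

```python
# Constructed sample: the relevant lines of a 4625 message, with a placeholder account.
SAMPLE = r"""An account failed to log on.

Logon Type: 8

Account For Which Logon Failed:
    Account Name: user@example.com
    Account Domain:

Failure Information:
    Status: 0xc0000234

Process Information:
    Caller Process Name: C:\Program Files\Active Directory Federation Services 2.0\Microsoft.IdentityServer.ServiceHost.exe

Network Information:
    Source Network Address: -
"""
STATUS = {"0xc0000234": "account locked out", "0xc000006a": "bad password"}
ADFS_HOST = "microsoft.identityserver.servicehost.exe"

def parse_4625(message):
    """Return {(section, field): value}; a header is an empty 'X:' line after a blank line."""
    fields, section, prev_blank = {}, "", True
    for line in (raw.strip() for raw in message.splitlines()):
        if not line:
            section, prev_blank = "", True
            continue
        key, sep, value = line.partition(":")
        if sep and not value.strip() and prev_blank:
            section = key  # e.g. "Network Information"
        elif sep:
            fields[(section, key.strip())] = value.strip()  # empty values are kept as ""
        prev_blank = False
    return fields

def triage(fields):
    caller = fields.get(("Process Information", "Caller Process Name"), "")
    source = fields.get(("Network Information", "Source Network Address"), "-")
    return {
        "target": fields.get(("Account For Which Logon Failed", "Account Name")),
        "reason": STATUS.get(fields.get(("Failure Information", "Status"), "").lower(), "other"),
        "relayed_by_adfs": caller.lower().endswith(ADFS_HOST),
        "network_cleartext": fields.get(("", "Logon Type")) == "8",  # type 8 = NetworkCleartext
        "client_address_recorded": source not in ("", "-"),
    }

if __name__ == "__main__":
    print(triage(parse_4625(SAMPLE)))
```

For an event shaped like the one in this thread, `relayed_by_adfs` is true and `client_address_recorded` is false: the Security log names the ADFS service as the caller but not the client behind it.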
  • Nidhin, did you get this resolved? I am facing the same issue: our user AD accounts are getting locked out and we see the source as ADFS servers. Please let me know how you got this resolved.
    Wednesday, March 1, 2017 12:56 AM
  • No. I'm still struggling with this issue.

    Regards, Nidhin.CK

    Thursday, March 2, 2017 3:56 PM
  • Maybe it is time to upgrade the version of ADFS to benefit from the new audit capabilities if it is really a blocker. The upgrade is quite fast/simple/safe: https://technet.microsoft.com/en-us/library/dn486815(v=ws.11).aspx

    • Marked as answer by Nidhin CK Monday, March 13, 2017 9:31 AM
    Friday, March 3, 2017 3:15 PM
  • So could you?

    Monday, March 13, 2017 2:36 AM
  • Currently we are not planning to migrate to 3.0 as we are planning to move on to Okta. 

    Regards, Nidhin.CK

    Monday, March 13, 2017 9:31 AM
  • :) really? What was the blocker to upgrade though? The upgrade process is a parallel run with no service interruption. It is usually not a big operation like ADDS or other role upgrade. Anyhow, good luck!  

    Monday, March 13, 2017 2:05 PM