Delay when logging into Azure AD based services

    Question

  • Hi all,

    Company with 5 AD sites, DCs located in two of them and two DCs located in Azure.

    Two ADFS servers are also located in Azure.

    Change based replication is enabled - and all visible attributes we can edit (e.g. phone number) seem to replicate immediately.

    We have an issue where after a user's password is reset, they can log on to a machine immediately... but if they try to access services that use AAD (e.g. Exchange Online) they must wait approx. 15 minutes.

    This would tend to indicate that ADFS is not checking with the PDCe before denying the logon attempt... however, I'm happy to take advice on this.

    Any suggestions ?

    Monday, April 24, 2017 7:18 AM

All replies

  • When there is an invalid password, the DC passes the authentication back to the PDC Emulator because it's going to have a copy of the latest password. If this is not the case then I would advise to check first that your DCs are in a healthy state using dcdiag. Also, make sure that traffic between your DCs in Azure and the PDC is allowed in both ways and not filtered. You can use PortQryUI to check.

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK


    Monday, April 24, 2017 11:11 PM
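
The two checks this thread points at (reachability of the PDC emulator from the Azure side, and whether every DC already holds the new password), as an added PowerShell example that is not part of the original replies. It assumes the ActiveDirectory module (RSAT) and is run from one of the Azure-hosted DCs or ADFS servers; the account name `testuser` and the TCP port list are assumptions, not values from the thread.

```powershell
Import-Module ActiveDirectory

# Hypothetical account: use the user whose password was just reset.
$SamAccountName = 'testuser'

# Assumed list of TCP ports a DC uses toward the PDC emulator.
# UDP and the dynamic RPC range are not covered by Test-NetConnection here.
$Ports = @(
    @{ Port = 88;   Name = 'Kerberos' },
    @{ Port = 135;  Name = 'RPC endpoint mapper' },
    @{ Port = 389;  Name = 'LDAP' },
    @{ Port = 445;  Name = 'SMB' },
    @{ Port = 464;  Name = 'Kerberos password change' },
    @{ Port = 636;  Name = 'LDAPS' },
    @{ Port = 3268; Name = 'Global catalog' }
)

# 1. Can this machine reach the PDC emulator on each port?
$pdc = (Get-ADDomain).PDCEmulator
$portResults = foreach ($p in $Ports) {
    $r = Test-NetConnection -ComputerName $pdc -Port $p.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target    = $pdc
        Port      = $p.Port
        Service   = $p.Name
        Reachable = $r.TcpTestSucceeded
    }
}
$portResults | Format-Table -AutoSize

# 2. Which DCs already have the new password? Compare pwdLastSet per DC.
$pwdResults = foreach ($dc in Get-ADDomainController -Filter *) {
    $row = [ordered]@{
        DC         = $dc.HostName
        Site       = $dc.Site
        IsPDC      = $dc.OperationMasterRoles -contains 'PDCEmulator'
        PwdLastSet = $null
        Error      = $null
    }
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties pwdLastSet -ErrorAction Stop
        $row.PwdLastSet = [datetime]::FromFileTimeUtc($u.pwdLastSet)
    } catch {
        $row.Error = $_.Exception.Message   # DC unreachable or query refused
    }
    [pscustomobject]$row
}
$pwdResults | Sort-Object PwdLastSet -Descending | Format-Table -AutoSize
```

Run it right after a test reset: a DC whose `PwdLastSet` is older than the PDC emulator's has not yet received the new password, and a `False` in the `Reachable` column shows a port that is blocked toward the PDC emulator.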
  • Hey mate,

    Yep, DCdiag is all good.

    I hadn't checked the ports for the Azure boxes - so that's a good point. I had just assumed that since DCDiag was ok, that the ports were fine.

    I will check that when I'm back on site.

    Sunday, April 30, 2017 10:14 AM
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy



    Wednesday, May 3, 2017 7:15 AM
    Moderator