Event ID 52 unknown user name or bad password

  • Question

  • Hi,

    We have a few users that get frequently locked out of their accounts.

    There is no source IP in the ADFS log to troubleshoot

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" />
        <TimeCreated SystemTime="2018-10-19T00:48:57.080935300Z" />
        <Correlation />
        <Execution ProcessID="3368" ThreadID="3548" ProcessorID="1" KernelTime="7" UserTime="67" />
        <Channel>AD FS 2.0 Tracing/Debug</Channel>
        <Security UserID="S-1-5-21-842925246-1708537768-1343024091-23093" />
      <UserData>
        <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>MSISWindowsUserNameSecurityTokenHandler.ValidateToken: Incoming security token failed validation . ID4063: LogonUser failed for the 'fakeemail@company.com' user. Ensure that the user has a valid Windows account.-Logon failure: unknown user name or bad password</EventData>

    The Security log just points to the ADFS server:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <TimeCreated SystemTime="2018-10-19T02:40:17.069135300Z" />
        <Correlation />
        <Execution ProcessID="552" ThreadID="3556" />
        <Security />
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-21-842925246-1708537768-1343024091-23093</Data>
        <Data Name="SubjectUserName">adfs.services</Data>
        <Data Name="SubjectDomainName">FAKEDOMAIN</Data>
        <Data Name="SubjectLogonId">0x4629177c</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">fakeemail@company.com</Data>
        <Data Name="TargetDomainName" />
        <Data Name="Status">0xc000006d</Data>
        <Data Name="FailureReason">%%2313</Data>
        <Data Name="SubStatus">0xc000006a</Data>
        <Data Name="LogonType">8</Data>
        <Data Name="LogonProcessName">Advapi</Data>
        <Data Name="AuthenticationPackageName">Negotiate</Data>
        <Data Name="WorkstationName">AP23ADC01</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0xd28</Data>
        <Data Name="ProcessName">C:\Program Files\Active Directory Federation Services 2.0\Microsoft.IdentityServer.ServiceHost.exe</Data>
        <Data Name="IpAddress">-</Data>
        <Data Name="IpPort">-</Data>

    We are running ADFS 2.0 on Windows Server 2008 R2.

    How do I find the source of these lockouts? There is not much information in the ADFS trace log or the security log...

    Friday, October 19, 2018 2:49 AM
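    As an added example (not part of this thread), a small Python triage script over 4625 events shaped like the one quoted above: it pulls the EventData fields, decodes the well-known NTSTATUS SubStatus codes, and flags failures raised by the AD FS service host with LogonType 8 and no IpAddress as AD FS-brokered, which is exactly why the Security log alone cannot name the client. The sample events and the 10.0.0.25 address are constructed.

```python
from collections import Counter
from xml.etree import ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ADFS_HOST = "Microsoft.IdentityServer.ServiceHost.exe"
ADFS_PATH = "C:\\Program Files\\Active Directory Federation Services 2.0\\" + ADFS_HOST
# Well-known NTSTATUS values that appear in the SubStatus field of event 4625.
SUBSTATUS = {"0xc0000064": "unknown user name", "0xc000006a": "bad password",
             "0xc0000234": "account locked out"}

def parse_4625(xml_text):
    """Return the <Data Name=...> fields of one 4625 event as a dict ('-' if empty)."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "-").strip()
            for d in root.findall(".//e:EventData/e:Data", NS)}

def source_of(f):
    """LogonType 8 raised by the AD FS service host with IpAddress '-' means the
    logon was brokered by AD FS; the Security log never saw the real client."""
    if f.get("IpAddress", "-") != "-":
        return f["IpAddress"]
    if f.get("LogonType") == "8" and f.get("ProcessName", "").endswith(ADFS_HOST):
        return "via AD FS (client IP not in Security log)"
    return "unknown"

def summarize(xml_events):
    """Tally failures per (target user, source, decoded sub-status)."""
    tally = Counter()
    for xml_text in xml_events:
        f = parse_4625(xml_text)
        sub = f.get("SubStatus", "-").lower()
        tally[(f["TargetUserName"], source_of(f), SUBSTATUS.get(sub, sub))] += 1
    return tally

def make_event(user, substatus, ip, logon_type, process):
    """Constructed 4625 XML; the field names mirror the question's Security log."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData><Data Name="TargetUserName">{user}</Data><Data Name="TargetDomainName" />
    <Data Name="Status">0xc000006d</Data><Data Name="SubStatus">{substatus}</Data>
    <Data Name="LogonType">{logon_type}</Data><Data Name="ProcessName">{process}</Data>
    <Data Name="IpAddress">{ip}</Data></EventData></Event>"""

# Constructed sample: two AD FS-brokered bad passwords, one direct network logon
# that does carry a source IP, and one AD FS-brokered attempt on a non-existent user.
SAMPLE_EVENTS = [
    make_event("fakeemail@company.com", "0xC000006A", "-", "8", ADFS_PATH),
    make_event("fakeemail@company.com", "0xC000006A", "-", "8", ADFS_PATH),
    make_event("fakeemail@company.com", "0xC000006A", "10.0.0.25", "3", "-"),
    make_event("nosuchuser", "0xC0000064", "-", "8", ADFS_PATH),
]
```

    summarize(SAMPLE_EVENTS) returns a Counter keyed by (user, source, reason); every AD FS-brokered entry tells you the client has to be found in the AD FS audit log rather than in the Security log.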


  • Upgrade to at least Windows Server 2012 R2, as:

    1. I mean, we are in 2018,
    2. the upgrade path is fairly easy,
    3. it has protection against external lockout (even more with Windows Server 2016).

    When you have a more modern version, enable the audit logs (in Windows and in ADFS, as described here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging; not the debug logs, but the audit logs).

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by Andrew_Fury Friday, October 19, 2018 1:21 PM
    Friday, October 19, 2018 1:04 PM