Password Update Feature from ADFS (Windows Server 2012 R2) not working

  • Question

  • Hello, this is my first time posting in the forum and I have a few questions, but let me describe my environment first.

    I have a pair of High Availability ADFS servers as a login proxy for users in my Hybrid Office 365. Sometimes the users need to reset a password from the ADFS portal, something like sts.hostname.com.

    Right now they cannot reset the password, because it always says "something went wrong, please contact the administrator."

    The error was recorded in the event log; when I traced the log, I found out that ADFS was still using LDAP to an old DC server.

    11/07 16:11:42 [CRITICAL] [9252] NetpDcGetDcNext: _ldap._tcp.PUSAT._sites.oldserver.com.: Cannot Query DNS. 9002 0x232a
    11/07 16:11:42 [CRITICAL] [9252] NetpDcGetNameIp: oldserver.com: No data returned from DnsQuery.
    11/07 16:11:42 [MISC] [9252] NetpDcGetName: NetpDcGetNameIp for oldserver.com returned 1355
    11/07 16:11:42 [CRITICAL] [9252] NetpDcGetName: oldserver.com: IP and Netbios are both done.
    11/07 16:11:42 [MISC] [9252] DsGetDcName function returns 1355 (client PID=12268): Dom:oldserver.com Acct:(null) Flags: LDAPONLY RET_DNS 
    11/07 16:11:42 [SITE] [9252] DsrGetSiteName: Site name 'PUSAT' is old. Getting a new one from DC.

    Now the problem is, the old DC server was already inactive, and it was from a different forest.
    I am quite confused, because everything in ADFS was already set and configured to point to the new forest (newserver.com), but it still tries to find the old LDAP server (DNS, etc.).
    Does anybody experience the same issue? And how do I resolve that?
    Thank you



    Tuesday, January 7, 2020 8:33 AM

All replies

  • It is not a password RESET. It is a password UPDATE. It's important because those are two very different ways to set a password :)

    The password update feature needs to be enabled (in the endpoint section of the ADFS console); a restart of the service is also required. Then ADFS needs connectivity to the PDC of the user's domain.

    I am not sure about the correlation with the error message you see. I would remove the ADFS service from the equation for now. In a command prompt on the ADFS server, can you run:

    nltest /DsGetDc:oldserver.com /PDC

    What is the result of it?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, January 7, 2020 2:34 PM
  • Thank you for correcting my mistakes; yes, it is password update. I often remember it as reset, so my apologies.
    The password update feature has been enabled (the state is set to True) and the feature was running before.

    About the command you gave me, it returned this.

    The oldserver.com was turned off as intended.

    PS C:\windows\system32\drivers\etc> nltest /DsGetDc:oldserver.com /PDC
    Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

    Wednesday, January 8, 2020 1:37 AM
  • Oh that's odd.

    The ADFS server computer accounts are members of the live domain, right? And so is the service account? Did you delete the trust object, by the way?

    Maybe you enabled Alternate Login ID with some forest lookup on the old side? https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id#configure-alternate-logon-id

    Or have claim rules hardcoded to tackle the old directory? Can you check this too?

    Wednesday, January 8, 2020 3:05 PM
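The checks the two replies above ask for (password update endpoint state, PDC reachability for both forests, Alternate Login ID lookup forests, and claim rules that still name the old directory) gathered into one read-only script. This is an added example written for this thread, not something a participant posted; the domain names are placeholders, and it assumes the objects returned by Get-AdfsClaimsProviderTrust expose the AlternateLoginID and LookupForests properties that Set-AdfsClaimsProviderTrust configures.

```powershell
# Added diagnostic example (not from the thread). Run elevated on the ADFS server.
$OldDomain = 'oldserver.com'   # placeholder: decommissioned forest seen in the netlogon trace
$NewDomain = 'newserver.com'   # placeholder: live forest ADFS is supposed to use

Import-Module ADFS

# 1. Is the password update endpoint enabled, and is it published through the proxy?
#    A change here needs a restart of the ADFS service to take effect.
Get-AdfsEndpoint |
    Where-Object { $_.AddressPath -like '*updatepassword*' } |
    Select-Object AddressPath, Enabled, Proxy

# 2. Can this host locate the PDC of each domain?  The old one is expected to
#    fail with status 1355 (ERROR_NO_SUCH_DOMAIN); the live one must succeed.
foreach ($domain in @($OldDomain, $NewDomain)) {
    Write-Output "--- PDC lookup for $domain"
    nltest /DsGetDc:$domain /PDC
}

# 3. Alternate Login ID: a LookupForests entry still naming the old forest would
#    explain why ADFS keeps querying DNS for it.  (Assumed property names.)
Get-AdfsClaimsProviderTrust |
    Select-Object Name, AlternateLoginID,
        @{ Name = 'LookupForests'; Expression = { $_.LookupForests -join ',' } }

# 4. Claim rules on any relying party trust that still reference the old directory.
$pattern = [regex]::Escape($OldDomain)
foreach ($rp in Get-AdfsRelyingPartyTrust) {
    $ruleText = @(
        $rp.IssuanceTransformRules,
        $rp.IssuanceAuthorizationRules,
        $rp.DelegationAuthorizationRules
    ) -join "`n"
    if ($ruleText -match $pattern) {
        Write-Warning "Relying party '$($rp.Name)' has a claim rule referencing $OldDomain"
    }
}
```

Nothing in the script changes configuration; it only reports what to compare against the netlogon trace in the first post.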
  • Sorry, I haven't had time to answer these past days.

    Yes, the ADFS computer account is a member of the live domain, and so is the ADFS service account (newserver\adfsadmin).

    I don't think the feature is enabled though. Or should it be enabled?

    And about the claim rules, how do I check them? Do you have a page that explains it?


    Thank you so much

    Monday, January 20, 2020 1:32 PM
  • It is not enabled by default.

    For the Claim Rules, you can post the output of:

    Get-ADFSRelyingPartyTrust

    Monday, January 20, 2020 11:10 PM
  • For the Get-ADFSRelyingPartyTrust, here is the result:

    ClaimsAccepted                       : {}
    ConflictWithPublishedPolicy          : False
    EncryptClaims                        : True
    Enabled                              : True
    EncryptionCertificate                :
    Identifier                           : {https://login.microsoftonline.com/extSTS.srf, urn:federation:MicrosoftOnline}
    LastMonitoredTime                    : 1/22/2020 5:20:01 PM
    LastPublishedPolicyCheckSuccessful   : True
    LastUpdateTime                       : 1/14/2016 10:20:23 AM
    MetadataUrl                          : https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml
    MonitoringEnabled                    : True
    Name                                 : Microsoft Office 365 Identity Platform
    NotBeforeSkew                        : 0
    EnableJWT                            : False
    AlwaysRequireAuthentication          : False
    Notes                                :
    OrganizationInfo                     :
    ImpersonationAuthorizationRules      :
    AdditionalAuthenticationRules        :
    ProxyEndpointMappings                : {}
    ProxyTrustedEndpoints                : {}
    ProtocolProfile                      : WsFed-SAML
    RequestSigningCertificate            : {}
    EncryptedNameIdRequired              : False
    SignedSamlRequestsRequired           : False
    SamlEndpoints                        : {}
    SamlResponseSignature                : AssertionOnly
    SignatureAlgorithm                   : http://www.w3.org/2000/09/xmldsig
    TokenLifetime                        : 0
    AllowedClientTypes                   : Public
    IssueOAuthRefreshTokensTo            : AllDevices

    My organization is using Microsoft Online hybrid, and ADFS is used to log in to Office Online.

    Thursday, January 23, 2020 8:00 AM