Mobile Apps not working in trusted domain after ADFS Upgrade to Win 2016

  • Question

  • Hi,

    I have two forests and a two-way selective authentication trust enabled between them. Let us say the domain names are domainA and domainB.

    Recently I migrated my ADFS servers from Windows Server 2012 R2 to 2016. Post migration everything is working as it should, but mobile users in the trusted domain are unable to log in when they change their password or log out from any O365 app. This issue is only with O365 mobile users who are in the trusted domain. When I disabled the extranet lockout policy everything worked, but as soon as I enable it again the service breaks.

    All the required ports were opened between ADFS and domainB.

    NLTest showing the domain details

    All the DCs are replicating as expected.

    Service account permissions are already in place (Allowed to Authenticate is also enabled on the ADFS servers).

    Please help me to get the problem resolved.

    Note: OS version is Windows server 2016, 1607 (OS Build 14393.2848)

    //Sampath Kovuri


    Thursday, March 28, 2019 4:39 PM

All replies

  • Does the ADFS service account have the Allow to Authenticate permission on the DCs computer accounts in the target forest?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by Sampath KK Friday, June 28, 2019 9:05 AM
    Sunday, March 31, 2019 10:42 PM
  • Sorry for the late response. Yes, Allow to Authenticate permission is in place on the DCs computer accounts in the target forest.
    Thursday, April 25, 2019 2:50 PM
  • I had collected the debug logs and network trace logs and found something interesting.

    Normally ADFS contacts the trusted domain on ports 389 and 88; however, after enabling extranet smart lockout, it also communicates over RPC port 135 along with the high-range ports.

    Issue was resolved after opening the RPC and high range ports from ADFS servers to trusted domain's DCs.

    • Marked as answer by Sampath KK Friday, June 28, 2019 9:05 AM
    Friday, June 28, 2019 9:05 AM
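    The reachability check behind the accepted answer, written here as an added example (not code from the thread): run from an ADFS 2016 server, it shows the lockout settings, discovers the trusted domain's DCs and probes the ports named above. "domainB" is the question's placeholder name; the dynamic-range lookup assumes WinRM is allowed to the DCs.

    ```powershell
    # Added example, not part of the original thread. Verifies from an ADFS server the
    # connectivity the accepted answer found necessary once extranet lockout is enabled.
    param(
        [string]$TrustedDomain = 'domainB',   # placeholder from the question
        [string[]]$DomainControllers          # optional; discovered via .NET if omitted
    )

    # 1. Show the extranet lockout settings that trigger the extra RPC traffic.
    Get-AdfsProperties | Select-Object ExtranetLockout*, ExtranetObservationWindow | Format-List

    # 2. Discover the trusted domain's DCs (the same list "nltest /dclist" gives).
    if (-not $DomainControllers) {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $TrustedDomain)
        $DomainControllers = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).DomainControllers |
            ForEach-Object { $_.Name }
    }

    # 3. TCP reachability: 88 (Kerberos) and 389 (LDAP) are the normal paths; 135 is
    #    the RPC endpoint mapper that extranet lockout additionally depends on.
    $ports = @{ 88 = 'Kerberos'; 389 = 'LDAP'; 135 = 'RPC endpoint mapper' }
    $results = foreach ($dc in $DomainControllers) {
        foreach ($p in $ports.Keys) {
            $ok = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
            [pscustomobject]@{ DC = $dc; Port = $p; Service = $ports[$p]; Reachable = $ok }
        }
    }
    $results | Sort-Object DC, Port | Format-Table -AutoSize

    # 4. The dynamic RPC range cannot be probed port by port (a listener only exists
    #    once the endpoint mapper has assigned it), so report the range each DC is
    #    configured with and compare it against the firewall rule. Windows Server
    #    2016 defaults to 49152-65535 unless changed with "netsh".
    foreach ($dc in $DomainControllers) {
        try {
            $range = Invoke-Command -ComputerName $dc -ScriptBlock { netsh int ipv4 show dynamicport tcp } -ErrorAction Stop
            Write-Output "${dc}: $($range -join ' ')"
        } catch {
            Write-Warning "Could not query the dynamic port range on $dc ($($_.Exception.Message))"
        }
    }

    if ($results | Where-Object { -not $_.Reachable }) {
        Write-Warning 'At least one required port is blocked; lockout lookups against the trusted domain will fail, matching the symptom in this thread.'
    }
    ```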
  • It seems that this behavior has changed though. 

    There was an update which changed that behavior and removed this call.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Friday, June 28, 2019 9:28 PM