Hi Folks,
I have followed the article to assist with extranet lockout issues.
https://blogs.technet.microsoft.com/pie/2016/02/02/ad-fun-services-track-down-the-source-of-adfs-lockouts/
I am seeing a strange behavior. I have auditing enabled as per the post. However, I see activity id in 516 event as
Activity ID: 00000000-0000-0000-0000-000000000000, string of all zeros
The following user account has been locked out due to too many bad password attempts.
Additional Data
Activity ID: 00000000-0000-0000-0000-000000000000
User:
username@domain.com
Client IP:
xx.xx.164.64, xx.xx.73.93
nBad Password Count:
2
nLast Bad Password Attempt:
26/05/2017
and then in event 403
An HTTP request was received.
Activity ID: 00000000-0000-0000-9047-008000000092
Request Details:
Date And Time: 2017-05-26 01:33:33
Client IP: 172.17.7.12 [WAP02 Server]
HTTP Method: GET
Url Absolute Path: /adfs/Proxy/GetConfiguration
Query string: -
Local Port: 443
Local IP: 172.17.1.35 [ADFS01 Server]
User Agent: -
Content Length: 0
Caller Identity: -
Certificate Identity (if any): -
Targeted relying party: -
Through proxy: False
Any suggestions on what is going on here?
Regards, Navdeep