ADFS Extranet Lockout Troubleshooting RRS feed

  • Question

  • Hi Folks,

    I have followed the article to assist with extranet lockout issues.


    I am seeing a strange behavior. I have auditing enabled as per the post. However, I see activity id in 516 <g class="gr_ gr_253 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar multiReplace" data-gr-id="253" id="253">event</g> as

    Activity ID: 00000000-0000-0000-0000-000000000000, string of all zeros

    The following user account has been locked out due to too many bad password attempts.

    Additional Data

    Activity ID: 00000000-0000-0000-0000-000000000000


    Client IP:
    xx.xx.164.64, xx.xx.73.93
    nBad Password Count:
    nLast Bad Password Attempt:

    and then in event 403

    An HTTP request was received.

    Activity ID: 00000000-0000-0000-9047-008000000092

    Request Details:
        Date And Time: 2017-05-26 01:33:33

        Client IP: [WAP02 Server]

        HTTP Method: GET
        Url Absolute Path: /adfs/Proxy/GetConfiguration
        Query string: -
        Local Port: 443

        Local IP:  [ADFS01 Server]

        User Agent: -
        Content Length: 0
        Caller Identity: -
        Certificate Identity (if any): -
        Targeted relying party: -
        Through proxy: False

    Any suggestions what is going on here.

    Regards, Navdeep

    Friday, May 26, 2017 2:22 AM


  • The activity ID 00000000-0000-0000-0000-000000000000 is a sign that the client used a legacy endpoint (old Lync clients or ActiveSync devices for example).

    The second event is just the proxy getting its config. It does that all the time and it is not related to the lockout event.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, May 26, 2017 1:56 PM