Troubleshooting account lockout in AD FS on Windows Server

Applies to: Windows Servers

You may experience an account lockout issue in Microsoft Active Directory Federation Services (AD FS) on Windows Server. To troubleshoot this issue, check the following points first:

Use Connect Health to generate data for user login activities

You can use Connect Health to generate data about user login activity. Connect Health produces reports about the top bad password attempts that are made on the AD FS farm.

Refer to the information in this article to analyze the list of user accounts and IP addresses involved in the bad password attempts. Then, go to "Analyze the IP and username of the accounts that are affected by bad password attempts."

Collect AD FS event logs from AD FS and Web Application Proxy servers

Analyze the IP and user name of the accounts that are affected by bad password attempts

After you enumerate the IP addresses and user names, identify the IPs that are for unexpected locations of access.

Are the attempts made from external unknown IPs?
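The following PowerShell is an added example, not code from the Microsoft article. It tallies the AD FS Event 411 entries by user name and client IP so that repeated failures from unexpected (non-internal) addresses stand out, which is the analysis the steps above describe. It assumes the "AD FS/Admin" log on a Windows Server 2012 R2 or later AD FS server with hotfix 3134222 applied (so that Event 411 carries the client IP); the "User:" and "Client IP:" labels matched by the regular expressions, the internal address prefixes, and the sample messages are all assumptions constructed for the example and should be adjusted to what your events actually contain.

```powershell
# Added example (not from the Microsoft article): tally AD FS Event 411
# failures by user name and client IP so that unexpected source locations
# stand out. The "User:" and "Client IP:" labels in the regexes are assumptions
# about the message layout; adjust them to match your events.

function Get-AdfsBadPasswordSummary {
    [CmdletBinding()]
    param(
        # Message text of Event 411 entries, e.g. from Get-WinEvent.
        [Parameter(Mandatory)]
        [string[]] $EventMessages,

        # Simple prefix list treated as "internal" (assumption; 172.16. only
        # covers part of 172.16.0.0/12). Anything else is flagged as external.
        [string[]] $InternalPrefixes = @('10.', '192.168.', '172.16.')
    )

    $rows = foreach ($msg in $EventMessages) {
        $user = if ($msg -match 'User:\s*(\S+)')          { $Matches[1] } else { '(unknown)' }
        $ip   = if ($msg -match 'Client IP:\s*([\d\.]+)') { $Matches[1] } else { '(unknown)' }
        $internal = $false
        foreach ($p in $InternalPrefixes) {
            if ($ip.StartsWith($p)) { $internal = $true }
        }
        [pscustomobject]@{ User = $user; ClientIP = $ip; Internal = $internal }
    }

    # One row per (user, IP) pair, most attempts first.
    $rows | Group-Object User, ClientIP | ForEach-Object {
        [pscustomobject]@{
            User     = $_.Group[0].User
            ClientIP = $_.Group[0].ClientIP
            Internal = $_.Group[0].Internal
            Attempts = $_.Count
        }
    } | Sort-Object Attempts -Descending
}

# Constructed sample messages standing in for real Event 411 text
# (203.0.113.0/24 is a documentation range, not a real source).
$sample = @(
    'Token validation failed. User: CONTOSO\alice Client IP: 203.0.113.45',
    'Token validation failed. User: CONTOSO\alice Client IP: 203.0.113.45',
    'Token validation failed. User: CONTOSO\alice Client IP: 203.0.113.45',
    'Token validation failed. User: CONTOSO\bob Client IP: 10.1.2.3'
)
Get-AdfsBadPasswordSummary -EventMessages $sample | Format-Table -AutoSize

# Live use on an AD FS server (reads the real log). Run the same against the
# Web Application Proxy servers' logs if the failures are reaching them.
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 411 } -MaxEvents 5000
# Get-AdfsBadPasswordSummary -EventMessages ($events | ForEach-Object Message) |
#     Where-Object { -not $_.Internal } | Format-Table -AutoSize
```

With the sample input the first row is CONTOSO\alice from 203.0.113.45 with three attempts and Internal set to False, which is the pattern that answers "Are the attempts made from external unknown IPs?" in the affirmative and points at the extranet lockout checks that follow.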

Update AD FS servers with latest hotfixes

To make sure that AD FS servers have the latest functionality, apply the latest hotfixes for the AD FS and Web Application Proxy servers. Additionally, hotfix 3134222 is required on Windows Server 2012 R2 so that Event 411 logs the client IP address, which is used in later steps. Then, follow the next step.

Check whether the extranet lockout is enabled

Use Get-ADFSProperties to check whether the extranet lockout is enabled.
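As an added example (not code from the Microsoft article), the following PowerShell reads the extranet lockout settings with Get-AdfsProperties and compares them with the domain lockout policy, which also covers the later step "Check extranet lockout and internal lockout thresholds". It assumes the ADFS and ActiveDirectory PowerShell modules on an AD FS server running Windows Server 2012 R2 or later; the threshold values in the commented Set-AdfsProperties call are illustrative assumptions, not recommended settings.

```powershell
# Added example (not from the Microsoft article): check whether AD FS extranet
# lockout is enabled and whether its threshold is below the AD lockout
# threshold, so that the AD FS soft lockout fires before AD hard-locks the
# account. Requires the ADFS and ActiveDirectory modules.

function Test-AdfsExtranetLockout {
    [CmdletBinding()]
    param()

    $adfs   = Get-AdfsProperties
    $policy = Get-ADDefaultDomainPasswordPolicy

    $result = [pscustomobject]@{
        ExtranetLockoutEnabled     = $adfs.ExtranetLockoutEnabled
        ExtranetLockoutThreshold   = $adfs.ExtranetLockoutThreshold
        ExtranetObservationWindow  = $adfs.ExtranetObservationWindow
        AdLockoutThreshold         = $policy.LockoutThreshold
        AdLockoutObservationWindow = $policy.LockoutObservationWindow
        Findings                   = @()
    }

    if (-not $adfs.ExtranetLockoutEnabled) {
        $result.Findings += 'Extranet lockout is disabled: bad passwords from the internet are forwarded to AD and can hard-lock the account.'
    }
    elseif ($policy.LockoutThreshold -gt 0 -and
            $adfs.ExtranetLockoutThreshold -ge $policy.LockoutThreshold) {
        # An AD LockoutThreshold of 0 means AD never locks accounts, so the
        # comparison only matters when AD lockout is actually in force.
        $result.Findings += 'ExtranetLockoutThreshold is not below the AD LockoutThreshold, so AD FS cannot stop the attempts before AD locks the account.'
    }
    $result
}

Test-AdfsExtranetLockout | Format-List

# Enabling the feature once thresholds are chosen (values are illustrative):
# AD FS then stops forwarding a user's bad passwords to AD after the threshold
# is reached within the observation window.
# Set-AdfsProperties -EnableExtranetLockout $true `
#                    -ExtranetLockoutThreshold 15 `
#                    -ExtranetObservationWindow (New-TimeSpan -Minutes 30)
```

The Findings property is empty when extranet lockout is enabled and its threshold is lower than the domain's LockoutThreshold; any text there names the setting to revisit before moving on to "Check extranet lockout and internal lockout thresholds".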

Steps to check the lockout status

For Windows Server 2012 R2 or a newer version

Smart lockout is a new feature that will be available soon in AD FS 2016 and 2012 R2 through an update. This section will be updated with the appropriate steps for enabling smart lockout as soon as the feature is available. Then, go to "Check extranet lockout and internal lockout thresholds."

For Windows Server 2008 R2 or an older version

We recommend that you upgrade the AD FS servers to Windows Server 2012 R2 or Windows Server 2016. For more information, see Upgrading to AD FS in Windows Server 2016. Then, follow the steps for Windows Server 2012 R2 or newer version.

Make sure that credentials are updated in the service or application

If the user account is used as a service account, the latest credentials might not be updated for the service or application. In this situation, the service might keep trying to authenticate by using the wrong credentials. This causes a lockout condition.

To resolve this issue, check the service account configuration in the service or application to make sure that the credentials are correct. If not, follow the next step.

Clear cached credentials in the application

If user credentials are cached in one of the applications, repeated authentication attempts can cause the account to become locked. To resolve this issue, clear the cached credentials in the application. Check whether the issue is resolved.