You may experience an account lockout issue in Microsoft Active Directory Federation Services (AD FS) on Windows Server. To troubleshoot this issue, check the following points first:
- If you have Azure Active Directory (Azure AD) Connect Health configured for AD FS servers, go to the "Use Connect Health to generate data for user login activities" section.
- If you don't have Azure Active Directory (Azure AD) Connect Health configured for AD FS servers, go to the "Collect AD FS event logs from AD FS and Web Application Proxy servers" section.
You can use Connect Health to generate data about user login activity. Connect Health produces reports about the top bad password attempts that are made on the AD FS farm.
Use the information in this article to analyze the list of user accounts and IP addresses associated with the bad password attempts. Then, go to "Analyze the IP and username of the accounts that are affected by bad password attempts."
After you enumerate the IP addresses and user names, identify the IP addresses that correspond to unexpected access locations.
Are the attempts made from external unknown IPs?
- If the attempts are made from external unknown IPs, go to "Update AD FS servers with latest hotfixes."
- If the attempts are not made from external unknown IPs, go to "Make sure that credentials are updated in the service or application."
To make sure that AD FS servers have the latest functionality, apply the latest hotfixes for the AD FS and Web Application Proxy servers. Additionally, hotfix 3134222 is required on Windows Server 2012 R2 to log IP addresses in Event 411 that will be used later. Then, follow the next step.
Use Get-ADFSProperties to check whether the extranet lockout is enabled.
- If the extranet lockout isn't enabled, start these steps for the appropriate version of AD FS.
- If the extranet lockout is enabled, go to "Check extranet lockout and internal lockout thresholds."
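As an added example (not part of this article), the following PowerShell reads the extranet lockout state with Get-AdfsProperties and compares its threshold with the domain's internal lockout policy from Get-ADDefaultDomainPasswordPolicy, which is what the later "Check extranet lockout and internal lockout thresholds" step looks at. It assumes the ADFS and ActiveDirectory modules are installed on a Windows Server 2012 R2 or later AD FS server, and the rule that the extranet threshold should sit below the AD threshold is general AD FS guidance rather than something this article states.

```powershell
# Added example, not from the article. Assumes the ADFS and ActiveDirectory
# modules on a Windows Server 2012 R2+ AD FS server with rights to read both.
Import-Module ADFS
Import-Module ActiveDirectory

function Test-AdfsExtranetLockoutConfig {
    $adfs   = Get-AdfsProperties
    $policy = Get-ADDefaultDomainPasswordPolicy
    $findings = New-Object 'System.Collections.Generic.List[string]'

    if (-not $adfs.ExtranetLockoutEnabled) {
        $findings.Add('Extranet lockout is disabled: bad password attempts from the ' +
                      'Web Application Proxy reach Active Directory and can lock the account.')
    }
    # An AD LockoutThreshold of 0 means AD never locks accounts, so there is
    # nothing for the extranet threshold to stay below in that case.
    elseif ($policy.LockoutThreshold -gt 0 -and
            $adfs.ExtranetLockoutThreshold -ge $policy.LockoutThreshold) {
        $findings.Add(('Extranet threshold ({0}) is not lower than the AD threshold ({1}): ' +
                       'AD locks the account before extranet lockout can protect it.') -f
                       $adfs.ExtranetLockoutThreshold, $policy.LockoutThreshold)
    }

    [PSCustomObject]@{
        ExtranetLockoutEnabled    = $adfs.ExtranetLockoutEnabled
        ExtranetLockoutThreshold  = $adfs.ExtranetLockoutThreshold
        ExtranetObservationWindow = $adfs.ExtranetObservationWindow
        AdLockoutThreshold        = $policy.LockoutThreshold
        AdObservationWindow       = $policy.LockoutObservationWindow
        Findings                  = $findings.ToArray()
    }
}

$report = Test-AdfsExtranetLockoutConfig
$report | Format-List

# Remediation for the "disabled" finding, with example values only: pick a
# threshold below the AD LockoutThreshold reported above before running this.
# Set-AdfsProperties -EnableExtranetLockout $true `
#                    -ExtranetLockoutThreshold 10 `
#                    -ExtranetObservationWindow (New-TimeSpan -Minutes 30)
```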
For Windows Server 2012 R2 or newer version
Smart lockout is a new feature that will be available soon in AD FS 2016 and 2012 R2 through an update. This section will be updated with the appropriate steps for enabling smart lockout as soon as the feature is available. Then, go to "Check extranet lockout and internal lockout thresholds."
For Windows Server 2008 R2 or older versions
We recommend that you upgrade the AD FS servers to Windows Server 2012 R2 or Windows Server 2016. For more information, see Upgrading to AD FS in Windows Server 2016. Then, follow the steps for Windows Server 2012 R2 or newer version.
If the user account is used as a service account, the latest credentials might not be updated for the service or application. In this situation, the service might keep trying to authenticate by using the wrong credentials. This causes a lockout condition.
To resolve this issue, check the service account configuration in the service or application to make sure that the credentials are correct. If not, follow the next step.
Clear cached credentials in the application
If user credentials are cached in one of the applications, repeated authentication attempts can cause the account to become locked. To resolve this issue, clear the cached credentials in the application. Check whether the issue is resolved.