User AD Accounts are getting locked out by ADFS Server.
We are seeing multiple tickets for users getting locked out; the source of the account lockouts is the ADFS servers. I have enabled debug logs but couldn't find the specific lockout.
Below is the log. Please let me know the cause of the lockout.
token validation failed.
additional data
token type:
%error message:
rad03@xxxx.xxx.com-the user name or password incorrect
exception details:
system.identitymodel.tokens.securitytokenvalidationexception: rad03@xxxx.xxxx.com ---> system.componentmodel.win32exception: user name or password incorrect
@ microsoft.identityserver.service.tokens.lsalogonuserhelper.getlsalogonuserhandle(safehglobalhandle plogoninfo, int32 logoninfosize, safeclosehandle& tokenhandle, safelsareturnbufferhandle& profilehandle)
@ microsoft.identityserver.service.tokens.lsalogonuserhelper.getlsalogonuserinfo(safehglobalhandle plogoninfo, int32 logoninfosize, datetime& nextpasswordchange, datetime& lastpasswordchange, string authenticationtype, string issuername)
@ microsoft.identityserver.service.tokens.lsalogonuserhelper.getlsalogonuser(usernamesecuritytoken token, datetime& nextpasswordchange, datetime& lastpasswordchange, string issuername)
@ microsoft.identityserver.service.tokens.msiswindowsusernamesecuritytokenhandler.validatetokeninternal(securitytoken token)
--- end of inner exception stack trace ---
@ microsoft.identityserver.service.tokens.msiswindowsusernamesecuritytokenhandler.validatetokeninternal(securitytoken token)
@ microsoft.identityserver.service.tokens.msiswindowsusernamesecuritytokenhandler.validatetoken(securitytoken token)
system.componentmodel.win32exception (0x80004005): user name or password incorrect
@ microsoft.identityserver.service.tokens.lsalogonuserhelper.getlsalogonuserhandle(safehglobalhandle plogoninfo, int32 logoninfosize, safeclosehandle& tokenhandle, safelsareturnbufferhandle& profilehandle)
@ microsoft.identityserver.service.tokens.lsalogonuserhelper.getlsalogonuserinfo(safehglobalhandle plogoninfo, int32 logoninfosize, datetime& nextpasswordchange, datetime& lastpasswordchange, string authenticationtype, string issuername)
@ microsoft.identityserver.service.tokens.lsalogonuserhelper.getlsalogonuser(usernamesecuritytoken token, datetime& nextpasswordchange, datetime& lastpasswordchange, string issuername)
@ microsoft.identityserver.service.tokens.msiswindowsusernamesecuritytokenhandler.validatetokeninternal(securitytoken token)
Generally, common causes of account lockouts include:
• Stale sessions: the user may be logged on to more than one computer, and the other logons may be using old cached credentials that are being used by applications.
• Applications: numerous applications either cache users’ credentials or have credentials explicitly defined in their configuration.
• Windows services: Windows services are by default configured to start using the Local System account; however, Windows services can be configured to use a specific account, typically referred to as a service account.
• Scheduled tasks: the Windows Task Scheduler requires credentials for a task configured to run whether or not the user is logged on to the computer, and specific tasks may be configured to use domain credentials.
• Persistent drive mappings: drive mappings can be configured to use alternate credentials to connect to a shared resource.
• Stored usernames and passwords: Windows can store usernames and passwords for remote resources; these credentials can be viewed in the Credential Manager Control Panel applet.
• Mobile devices: mobile devices can have stored credentials for accessing remote resources such as email.
Since this is happening on ADFS, I'm not sure whether these causes are suitable for you, and in that case I suggest you post your question in the ADFS forum:
https://social.technet.microsoft.com/forums/windowsserver/en-us/home?forum=adfs
The reason I recommend posting there is that it has an appropriately qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from the interaction with us. Thank you for your understanding.
best regards,
wendy
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
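The log in the question is what ADFS writes as audit event 411 (token validation failed) when a username/password token fails against AD, and the causes listed in the reply are all stored-credential sources. The script below is an added example, not part of this thread or of ADFS itself: it correlates the DC's 4740 lockout events with the 411 failures on the ADFS servers in the minutes before each lockout, so the lockout can be traced to a server, time pattern and (on builds that log it) client IP. It assumes the PDC emulator and ADFS server names are supplied, that ADFS auditing is enabled so 411 reaches the Security log, and that the caller has remote event-log read rights.

```powershell
# Added example, not from the thread. Assumes the ADFS servers log "AD FS Auditing"
# event 411 (token validation failed, the event quoted in the question) to their
# Security log, and the PDC emulator logs 4740 (account locked out).
param(
    [Parameter(Mandatory)] [string]$User,          # sAMAccountName, e.g. rad03
    [Parameter(Mandatory)] [string]$PdcEmulator,   # DC holding the PDC emulator role
    [Parameter(Mandatory)] [string[]]$AdfsServers, # hosts named in 4740 "Caller Computer Name"
    [int]$Hours = 24,
    [int]$WindowMinutes = 10                       # look-back before each lockout
)
$since = (Get-Date).AddHours(-$Hours)

# 1. Lockouts on the PDC emulator: when, and which computer submitted the bad passwords.
#    Properties[0] is TargetUserName; the caller is read from the message text.
$lockouts = Get-WinEvent -ComputerName $PdcEmulator -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since } |
    Where-Object { $_.Properties[0].Value -eq $User } |
    ForEach-Object {
        $caller = if ($_.Message -match 'Caller Computer Name:\s*(\S+)') { $Matches[1] } else { '?' }
        [pscustomobject]@{ Time = $_.TimeCreated; Caller = $caller }
    }

# 2. Failed username/password validations for that user on each ADFS server (event 411).
#    Only newer ADFS builds include a "Client IP:" line in 411; it is left blank otherwise.
$userPattern = '(?i)\b' + [regex]::Escape($User) + '@'
$failures = foreach ($srv in $AdfsServers) {
    Get-WinEvent -ComputerName $srv -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 411; StartTime = $since } |
        Where-Object { $_.Message -match $userPattern } |
        ForEach-Object {
            $ip = if ($_.Message -match 'Client IP:\s*([\d\.:, ]+)') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{ Time = $_.TimeCreated; Server = $srv; ClientIP = $ip }
        }
}

# 3. For each lockout, the burst of ADFS failures in the preceding window. A client IP
#    or device that repeats at a fixed interval points at a stored credential (mobile
#    device, application, mapped drive) rather than a person mistyping a password.
$report = foreach ($l in $lockouts) {
    $failures |
        Where-Object { $_.Time -le $l.Time -and $_.Time -ge $l.Time.AddMinutes(-$WindowMinutes) } |
        ForEach-Object {
            [pscustomobject]@{ Lockout = $l.Time; Caller = $l.Caller
                               Failure = $_.Time; AdfsServer = $_.Server; ClientIP = $_.ClientIP }
        }
}
$report | Sort-Object Lockout, Failure | Format-Table -AutoSize
```

If no 411 events appear although 4740 names the ADFS server as caller, auditing is not reaching the Security log (Set-AdfsProperties -LogLevel and the "Audit Application Generated" policy) and that is the first thing to fix.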