Troubleshoot account lockout in ADFS

Active Directory Federation Services (AD FS) lets users sign in seamlessly to third-party applications by authenticating only once with their AD credentials. An account lockout therefore locks the user out of all of those applications at once. The account may have been locked because the user simply forgot their password, but repeated failures can also indicate a brute-force attack on the account. To troubleshoot it with native tools, the admin has to go through all the Event Viewer logs connected with AD FS and failed logons to inspect the failed attempts.

ADAudit Plus, an Active Directory auditing and reporting tool, is useful here because it has a dedicated section for AD FS and the associated logons. It ships with over 200 pre-packaged audit reports that can be generated instantly. It can also alert admins in real time to any unexpected change in the network.

Here is a comparison between troubleshooting AD FS lockouts with native AD tools and with ADAudit Plus. Enabling the audit policy is the first step and is common to both methods.

  • Step 1: Enable Audit Policy
  • Open Server Manager on your Windows server.

  • Under the Manage tab, click Group Policy Management to open the Group Policy Management Console.

  • Navigate to Forest > Domains > Your Domain > Domain Controllers.

  • You can either edit an existing Group Policy Object or create a new one.

  • In the Group Policy Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration.

  • Expand the node, navigate to Audit Policies > Object Access and configure Audit Application Generated. Enable it for both 'Success' and 'Failure'.

  • Step 2: Configure auditing for AD FS in the AD FS Management snap-in
  • To open the AD FS Management snap-in, navigate to Programs > Administrative Tools > AD FS Management.

  • Click Actions and then select Edit Federation Service Properties.

  • In the dialog box that opens, click the Events tab. Enable both Success audits and Failure audits.

  • In ADAudit Plus
  • ADAudit Plus generates comprehensive reports by collecting and processing information from various sources in Active Directory. The AD FS reports in ADAudit Plus give information on logon failures, logon successes and Extranet lockouts.

    To troubleshoot AD FS account lockouts, open the ADAudit Plus console and navigate to Reports > ADFS Auditing > Logon Failure. Account lockouts happen after repeated logon failures, so this report is the key to identifying the reason for the lockout. Here is a sample report:

    [Sample report: ADFS Auditing > Logon Failure]

  • In native AD
  • Use Windows Event Viewer to troubleshoot account lockouts in AD FS
  • Windows Event Viewer records every event for the Active Directory objects on which auditing has been enabled. Each event is recorded with a unique event ID. For AD FS, two kinds of logs need to be inspected: the Admin log and the Trace log.

    To view the Admin log, open Event Viewer and navigate to Applications and Services Logs > AD FS > Admin. To view the trace log events, open Event Viewer and navigate to Windows Logs > Security to find all the security events listed in the center pane. Look for event IDs 4625 (an account failed to log on) and 1203 (fresh credential validation error) to find the reason for the account lockouts.
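The following PowerShell script is an added example, not part of the original page or of ADAudit Plus. It first checks the two prerequisites from Steps 1 and 2 (the "Application Generated" audit subcategory and the AD FS log level), then pulls the 4625 and 1203 events described above for one account over a look-back window and groups the Security-log failures by source address. It assumes it is run elevated on the AD FS server, that the ADFS PowerShell module is installed, and that the Admin log is named "AD FS/Admin" in Get-WinEvent.

```powershell
# Added example: verify AD FS auditing prerequisites, then collect lockout-related
# events for one account. Assumes an elevated session on the AD FS server.
param(
    [Parameter(Mandatory)] [string] $UserName,   # sAMAccountName or UPN to investigate
    [int] $Hours = 24                            # look-back window
)

# Step 1 check: the subcategory should report "Success and Failure".
$auditLine = auditpol /get /subcategory:"Application Generated" |
    Where-Object { $_ -match 'Application Generated' }
Write-Host "Audit policy: $($auditLine.Trim())"

# Step 2 check: LogLevel should include SuccessAudits and FailureAudits.
Write-Host "AD FS LogLevel: $((Get-AdfsProperties).LogLevel -join ', ')"

$since = (Get-Date).AddHours(-$Hours)
$sam   = $UserName.Split('@')[0]   # compare on the account name part only

# Security log, event 4625: an account failed to log on. Parse the EventData
# fields from the event XML. SubStatus 0xC000006A = bad password,
# 0xC0000234 = account already locked out.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName
                           Source = $d.IpAddress; SubStatus = $d.SubStatus }
    } | Where-Object { $_.User -ieq $sam }

# Group by source so one misconfigured client or an external brute-force source
# stands out from a user who mistyped once. Source is "-" when AD FS validated
# the credentials locally; the client address is then in the AD FS events.
$failed | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{n='Source';e={$_.Name}}, Count,
        @{n='First';e={($_.Group | Measure-Object Time -Minimum).Minimum}},
        @{n='Last'; e={($_.Group | Measure-Object Time -Maximum).Maximum}} |
    Format-Table -AutoSize

# AD FS Admin log, event 1203: fresh credential validation error for the account.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 1203; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($sam) } |
    Select-Object TimeCreated, Id, @{n='Summary';e={($_.Message -split "`n")[0]}} |
    Format-Table -AutoSize
```

Comparing the failure count and timing against the domain lockout threshold (Get-ADDefaultDomainPasswordPolicy) tells you whether the lockout is consistent with a forgotten password or with a sustained automated attempt.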
