For us, for now, this has completely removed the issues we were having with illegitimate failed login attempts and account lockouts. We ran into only the one issue mentioned above with the accounts that had no policy assigned and then the global policy being applied.
It is the second time that you suggest this tool to track down ADFS lockout accounts. Looking at the online specs, it does not look like it can help at all with ADFS lockouts since those will always look like they are coming from the ADFS servers. The article mentioned by Shane gives some hints to track them down looking at ADFS events and not ADDS events. Please ensure your tool does that before suggesting it on the public forum.
Authentications failures with Office 365 ADFS accounts lockouts and Extranet Lockout protection
I know this is an old thread, but it is one of the first I encountered when addressing this issue. After moving some users to Office365, we started getting a lot of account lockouts that originated with our ADFS server. The event ID 411 with "Activity ID: 00000000-0000-0000-0000-000000000000" represents a client using legacy authentication, think pre-Office 2013 with the May 2017 update.
For three days we're now struggling with user accounts which are being constantly tried with bad password and subsequently locked out and the ADFS servers show as the source. We're using ADFS farm with 2x ADFS and 2x WAP servers. I've turned up all ADFS logs, tried to rule out brute force attack, but we cannot determine what is causing the lockouts.