Active Directory Federation Services (AD FS) in Windows Server 2012 R2 is a vastly improved version of the AD FS found in previous versions of Windows Server. One of its features, however, can in a specific scenario behave in a way that is counter-productive and runs against what its name and its normal behavior would lead you to expect.
AD FS in Windows Server 2012 R2 adds the Extranet Soft Account Lockout feature. It is designed to stop attackers from hammering the AD FS installation with bad username/password combinations and, eventually, locking out user accounts.
Setting the EnableExtranetLockout property to True on the AD FS server enables this feature.
In an environment with multiple domain controllers and the Extranet Soft Account Lockout feature enabled, a colleague with a newly created user account, who has never tried to log in with a bad password, is confronted with the following exception:
This issue occurs because the badPwdCount attribute is not replicated to the domain controller that AD FS is querying.
To fix this issue, install the August 2014 update rollup on the Windows Server 2012 R2-based AD FS server: 2975719, August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.
Before the August 2014 update rollup can be installed, the Windows Server 2012 R2-based AD FS server must first have the April 2014 update rollup for Windows RT 8.1, Windows 8.1 and Windows Server 2012 R2 installed.
Install the August 2014 update rollup on Windows Server 2012 R2-based Active Directory Federation Servers to prevent the above issue with the soft account lockout feature from occurring.
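To see the behavior described above from the administrator's side, here is an added PowerShell diagnostic (not part of the original post) that reads the AD FS extranet lockout settings, queries badPwdCount on every domain controller individually rather than trusting the one AD FS happens to talk to, and checks whether update 2975719 is present; the ActiveDirectory and ADFS modules being available on the AD FS server and the placeholder user name are assumptions.

```powershell
# Added diagnostic example, not from the original post.
# Assumes: run on the AD FS server with the ActiveDirectory and ADFS modules installed.
Import-Module ActiveDirectory
Import-Module ADFS

$SamAccountName = 'EXAMPLE_USER'   # placeholder: the account that hit the soft lockout

# 1. Is extranet soft lockout enabled, and with which threshold / observation window?
$props = Get-AdfsProperties
[pscustomobject]@{
    EnableExtranetLockout     = $props.EnableExtranetLockout
    ExtranetLockoutThreshold  = $props.ExtranetLockoutThreshold
    ExtranetObservationWindow = $props.ExtranetObservationWindow
} | Format-List

# 2. badPwdCount (and badPasswordTime) are maintained per domain controller and are
#    not replicated, so ask every DC directly. A non-zero count on one DC and zero on
#    the others is exactly the inconsistency that trips the feature for a fresh account.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc `
                        -Properties badPwdCount, badPasswordTime -ErrorAction Stop
        $lastBad = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
        [pscustomobject]@{
            DomainController = $dc
            badPwdCount      = $u.badPwdCount
            badPasswordTime  = $lastBad
        }
    } catch {
        Write-Warning "Could not query $dc : $($_.Exception.Message)"
    }
}

# 3. Is the August 2014 rollup (2975719, from the post) installed on this AD FS server?
#    The April 2014 rollup is a prerequisite; check for it by its own KB number as well.
$installed = [bool](Get-HotFix -Id 'KB2975719' -ErrorAction SilentlyContinue)
'KB2975719: {0}' -f $(if ($installed) { 'installed' } else { 'MISSING' })
```

Running step 2 before and after the rollup is installed makes it easy to confirm that the lockout decision is no longer driven by a stale, non-replicated counter on a single domain controller.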