KnowledgeBase: ADFS authentication issue for Active Directory users when extranet lockout is enabled

Reading Time: 2 minutes

Active Directory Federation Services (AD FS) in Windows Server 2012 R2 is a vastly improved version of Active Directory Federation Services found in previous versions of Windows Server. One of its features, however, might prove extremely counter-productive and counter-intuitive to its feature name and normal behavior in a certain scenario.

  

The situation

Active Directory Federation Services (AD FS) in Windows Server 2012 R2, adds the Extranet Soft Account lockout feature. This feature combats hammering the Active Directory Federation Services installation with bad username/password combinations and, eventually, lock out user accounts.

Setting the EnableExtranetLockout property set to True for the AD FS Server enables this feature.

 

The issue

In an environment with multiple Domain Controllers and the Extranet Soft Account lockout feature enabled, a colleague with a newly created user account where he/she has never tried to log in with a bad password, is confronted with the following exception:

Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException

This issue occurs because the badPwdCount attribute is not replicated to the domain controller that ADFS is querying.  

 

The solution

To fix this issue, install the August 2014 update rollup on the Windows Server 2012 R2-based AD FS Server: 2975719 August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

Note:
To be able to install the August 2014 update Rollup, the Windows Server 2012 R2-based AD FS Server needs to be updated with the April 2014 update rollup for Windows RT 8.1, Windows 8.1 and Windows Server 2012 R2 prior.

  

Concluding

Install the August 2014 update rollup on Windows Server 2012 R2-based Active Directory Federation Servers to prevent the above issue with the soft account lockout feature from occurring.

Related KnowledgeBase Articles

2971171 ADFS authentication issue for Active Directory users when extranet lockout is enabled 
2975719 August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

Posted on September 23, 2014 by Sander Berkouwer in Active Directory Federation Services, KnowledgeBase Articles

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.