This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 19%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
I have an issue that when Extranet lockout protection is enabled and I try logging in via ADFS to a trusted domain (2 way domain trust) using DOMAIN\USER format the login fails. Logins to these same trusted domains work with ESL enabled if in USER@keyman format. If I disable ESL, logins in both formats work correctly with the trusted domains.
It seems that when ESL is enabled, it tries to look up the account first in the trusted domains to see if it exists and this appears to be where it's failing. The error we receive from ADFS is "Incorrect user ID or password."
I see this in the trace logs:
DS_NAME_ERROR_NOT_FOUND
ADNameTranslator.NameTranslateWithReferral: unable to resolve name tusteddomain\User
This is on Server 2022.
The simple fix is to not use ESL, but I was hoping to have that feature enabled.
Any ideas? Thanks
What is the full error message? You should see an error code at the very end. The format is usually:
ADNameTranslator.NameTranslateWithReferral: unable to resolve name {0} , result code {1}
Just ran another adfs trace log and reproduced the problem on our test server, I don't see an error code on any of the event log "errors".
Here are the other associated errors that happen when I try and login to trusted domain with DOMAIN\user format with ESL enabled:
Exception: System error.
Sceurity token not valid.
Exception details:
System error.
ThreatDetector.AnalyzePreAuthRequest returned Restricted. Failing request.
ThreatDetectionFramework AnalyzePreAuthRequest normalization failed, returning Block
ThreatDetectionFramework NormalizeIdentityIfNeeded: Failed with exception: System.IdentityModel.Tokens.SecurityTokenValidationException: id ---> Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException: MSIS8022: Unable to find the specified user account.
MsisLocalCpUserNameSecurityTokenHandler::UpdateAuthenticationContext: Identity domain\user Failed with exception:
Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException: MSIS8022: Unable to find the specified user account.
ActiveDirectoryAccountStore - Name domain\user could not be translated to DN. Account is likley non-existent
ADNameTranslator.NameTranslateWithReferral: unable to resolve name domain\user , result code DS_NAME_ERROR_NOT_FOUND
Thanks for going the extra mile to provide that data. Do you happen to have an entry int the trace with that type of message:
ADNameTranslator.NameTranslateWithReferral: InputName : {3} InputDomainHint {4} : Server : DefaultServer Result : {0} Domain : {1} nName : {2}
AD FS is calling the NetLogon function of the OS. I would also enable enabled the NetLogon verbose mode to see if it tells us more about the DC location process.
Hi, thank you for the support, it is greatly appreciated.
I searched the trace logs from when the issue was reproduced for anything with "ADNameTranslator.NameTranslateWithReferral" and only have the one event from the screenshot posted earlier. I'm unsure why my trace logs don't have that additional info.
I turned on Netlogon logging in verbose mode on the ADFS test sever and tested a "run-as" logon on the server to make sure logging was working correctly and it did log the "run-as" attempt. Then I reproduced the issue logging into ADFS with the trusted domain in trusteddomain\username format, and nothing at all gets logged in the netlogon.log file for that attempt. However, If I login to the trusted domain via ADFS with username@trusteddomain.com format it works as expected and logs me in to the trusted domain, and I see the DC location process for the trusted domain in the netlogon logs.
So it appears to me if trying in trusteddomain\username format with ESL turned on it doesn't event attempt to find the DC in the trusted domain.
Let me know your thoughts, please, and thanks again for the help.
Oh my bad. You need to change the verbosity of the trace before running it.
Run the following before enabling the trace: wevtutil sl "AD FS Tracing/Debug" /L:5
It should return all the verbose messages instead of only the info, warning and error messages. I am hoping that it will tell us where in the code the input gets erroneous or at least where it is failing. Sorry about the back and forth...
No worries at all.
Here is the additional info for the log entry with the trace verbosity change:
ADNameTranslator.NameTranslateWithReferral: InputName : trusteddomain\user InputDomainHint trusteddomain : Server : DefaultServer Result : DS_NAME_ERROR_NOT_FOUND Domain : <null> nName : <null>
Another piece of information I learned from testing:
If I use format "FQDN domain name\username" it works as expected and also gets logged as expected in netlogon.log file.
If I use format "NetBIOS domain name\username" it fails and nothing logged in netlogon.log.
So it appears the problem is with using the netbios name of the trusted domain with Extranet lockout turned on. If I turn Extranet lockout off, both formats work as expected.
The domain in question is in another forest and we have a two way trust.
When ESL is enabled, the AD FS service will look up the account in AD to check the badPwdCount attribute. This does not happen when it is off. One of the things it will do is to try to transform the user input into a distinguished name. And for some reason it fails on your environment.
I would be curious to check if DC discovery is working well. Could you test the following with the NetBIOS name of the user:
nltest /DsGetDc:CONTOSO /force /pdc
Where CONTOSO is the NetBIOS name of your domain. Does this work?
Sorry for the delay in response. So when logged into the ADFS server, if I run that command against the Netbios name of the trusted domain that I am having problems authenticating with, I get
One way I thought about to get around the error is to write code into onload.js file to detect when trusted domain\user is entered and change it to the DNS name (instead of netbios name) ad.trusteddomain.com\user format. This appears to work but doesn't explain the issue.