Can't sign-in through ADFS when ExtranetLockout is enabled

Ivan Doskochynskyi 21 Reputation points

I have two AD forests with two-way trust (selective authentication): and
Schemas in both forests were updated to Windows 2019 by adprep.
There are ADFS and WAP servers with Windows 2019 in (Upgraded from Windows 2012 R2 farm by
ADFS configured as:
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests,
Permission "Allowed to authenticated" on was granted for all users from
When ExtranetLockout is enabled on ADFS, users from can't sign-in using CLIENTS\username format, but can sign-in by
Users receive errors 1210 and 516 in Security logs:
Bad Password Count:
Last Bad Password Attempt:
1/1/0001 12:00:00 AM
It seems that ADFS can't find user clients\user1 or his attributes badPwdCount and badPasswordTime.

When ExtranetLockout is disabled, users from can sign-in as CLIENTS\username and also.
Users from can always sign-in in any way regardless of ExtranetLockout setting.

Active Directory Federation Services

2 answers

  1. Pierre Audonnet - MSFT 9,976 Reputation points Microsoft Employee

    When using the extranet lockout policy, the ADFS server is trying to lookup the user using LDAP before the authentication. Therefore, the ADFS service account will have to be able (authorized) to make that call.

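A diagnostic script for checking the point made in this answer, added here as an example and not part of the question or the answer. It reads the extranet lockout settings, identifies the ADFS service account, and then repeats the pre-authentication LDAP read of badPwdCount and badPasswordTime against the trusted forest the way the ADFS service would. The forest name and user below are placeholders; the script assumes it is started in a session running as the ADFS service account (for instance via `runas /user:DOMAIN\svc_adfs powershell.exe`) so that the LDAP bind uses the same identity ADFS uses.

```powershell
# Added diagnostic example (not from the question or answers). Placeholders:
# $LookupForest is the DNS name of the trusted forest, $SamAccountName a test user there.
param(
    [string]$LookupForest   = 'clients.example',   # placeholder trusted-forest FQDN
    [string]$SamAccountName = 'user1'              # placeholder user to look up
)

# 1. Show how extranet lockout is configured on this farm.
$props = Get-AdfsProperties
[pscustomobject]@{
    ExtranetLockoutEnabled    = $props.ExtranetLockoutEnabled
    ExtranetLockoutThreshold  = $props.ExtranetLockoutThreshold
    ExtranetObservationWindow = $props.ExtranetObservationWindow
    ExtranetLockoutRequirePDC = $props.ExtranetLockoutRequirePDC
} | Format-List

# 2. Identify the ADFS service account; the LDAP lookup below must succeed as THIS identity.
$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
Write-Host "ADFS service account: $svcAccount"
Write-Host "Current session runs as: $env:USERDOMAIN\$env:USERNAME"
if ("$env:USERDOMAIN\$env:USERNAME" -ne $svcAccount) {
    Write-Warning "Run this script as the ADFS service account to reproduce what ADFS sees."
}

# 3. Repeat the pre-authentication lookup: bind to the trusted forest and read the
#    lockout-related attributes. If the bind fails or the attributes come back empty,
#    ADFS will fail the same way (the "1/1/0001" timestamp in the question is what an
#    unread badPasswordTime looks like).
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$LookupForest")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'badPwdCount', 'badPasswordTime'))

try {
    $result = $searcher.FindOne()
} catch {
    Write-Warning "LDAP bind/search to $LookupForest failed as $env:USERNAME : $($_.Exception.Message)"
    return
}

if (-not $result) {
    Write-Warning "User $SamAccountName not found in $LookupForest (or not visible to this account)."
    return
}

$p = $result.Properties
$badCount = if ($p['badPwdCount'].Count)     { $p['badPwdCount'][0] }     else { '<attribute not readable>' }
$badTime  = if ($p['badPasswordTime'].Count) {
                # badPasswordTime is a FILETIME; 0 means "never", shown as 1/1/1601.
                [DateTime]::FromFileTimeUtc([int64]$p['badPasswordTime'][0])
            } else { '<attribute not readable>' }

[pscustomobject]@{
    DistinguishedName = $p['distinguishedName'][0]
    BadPwdCount       = $badCount
    BadPasswordTime   = $badTime
} | Format-List
```

If step 3 fails only when run as the service account but works as a regular admin, the problem is authorization for that account in the trusted forest rather than the ADFS configuration. With a selective-authentication trust that means two things: read access to the user objects' attributes, as this answer says, and "Allowed to Authenticate" for the ADFS service account on the domain controllers it binds to, since selective authentication blocks the LDAP bind itself before any attribute permissions are evaluated.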

  2. Ivan Doskochynskyi 21 Reputation points

    ADFS service account (from domain) has permission "Read all properties" for user objects in