Can't sign-in through ADFS when ExtranetLockout is enabled

Ivan Doskochynskyi 21 Reputation points
2020-06-15T19:51:44.397+00:00

I have two AD forests with two-way trust (selective authentication): prod.com and clients.com.
Schemas in both forests were updated to Windows 2019 by adprep.
There are ADFS and WAP servers with Windows 2019 in prod.com. (Upgraded from Windows 2012 R2 farm by https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server)
ADFS configured as:
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests prod.com,clients.com.
Permission "Allowed to authenticated" on ADFS.prod.com was granted for all users from clients.com.
When ExtranetLockout is enabled on ADFS, users from clients.com can't sing-in using CLIENTS\username format, but can sign-in by username@clients.com.
User receive errors 1210 and 516 in Security logs:
User:
clients\user1
nBad Password Count:
0
nLast Bad Password Attempt:
1/1/0001 12:00:00 AM
It seems that ADFS can't find user clients\user1 or his attributes badPwdCount and badPasswordTime.

When ExtranetLockout is disabled, users from clients.com can sing-in as CLIENTS\username and username@clients.com also.
Users from prod.com can always sing-in in any way regardless of ExtranetLockout setting.

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
954 questions
No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Pierre Audonnet - MSFT 9,976 Reputation points Microsoft Employee
    2020-06-16T10:35:01.11+00:00

    When using the extranet lockout policy, the ADFS server is trying to lookup the user using LDAP before the authentication. Therefore, the ADFS service account will have to be able (authorized) to make that call.

    No comments

  2. Ivan Doskochynskyi 21 Reputation points
    2020-06-16T10:41:06.18+00:00

    ADFS service account (from prod.com domain) has permission "Read all properties" for user objects in clients.com