This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 35%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
A 2016 farm has been upgraded following the steps captured here https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server. While we had a mix of 2016 and 2019 servers and FL was at 2016 no login issue was reported. Soon as 2016 servers were removed and FL raised to 2019 login failure were reported. with event 342 (followed by event 1000 and 264) in AD FS Admin log. here is the error from the AD FS Admin log
Token validation failed.
Additional Data
Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
%Error message:
userfirstname.userlastnames@keyman .com-Logon failure: the user has not been granted the requested logon type at this computer
When we add the user to local admin group (for testing only) user login to O365 succeeds as normal. Adding the user to "Allow logon locally" does NOT have the same affect.
These should be network logons, not local logons.
Make sure Everyone or Authenticated Users is listed under the Access this computer from the network security setting on the machine.
Thanks Pierre, I've opened a call with MS and collected a network trace for them while the login failure was happening. It seems that RC4 was removed from supported ETYPE on 2019 servers and trace is showing the following, I will check the server for the settings you have noted above and will leave an update here soon as I have a chance.
[KERBEROS] kerbtick_cxx5021 __KerbGetTgsTicket() - KerbGetTgsTicket KerbCallKdc: error 0xe
[KERBEROS] kerbtick_cxx7153 KerbGetServiceTicketInternal() - Failed to get TGS ticket for service 0xc00002fd
0xe 14 KDC_ERR_ETYPE_NOTSUPP 14 KDC has no support for encryption type kerberr.h
Pierre,
Yes, not checking that user right was like not checking the cables in old days. :-)
However, our issue was two folds,
On internal network where users have a Kerberos ticket, connection failure was cleared by adding "Authenticated Users" as suggested by you. I've accepted that as an answer.
From External network, failure continued (credential prompt loop with NO error recorded anywhere) until we did the following
1-On ADFS service account ID we adjusted msds-supportedencryptiontypes from NULL to 24 that covers AES ETYPE
2-Reset the ADFS service account password
3-Restarted ADFS service on Internal ADFS servers after entering the new password
Above steps were recommended as 2019 servers NO longer have RC4 in their gold image and Get-ServicePrincipalNames cmlt reported the following
Kerberos Encryption Types supported by Service Account:
msds-supportedencryptiontypes is not configured on the service account, Service tickets would be RC4 only!
Thanks for quick and useful response as always.