Channel: Directory Services forum

ADFS - Unable to trace domain account login attempts.


On our ADFS servers (we have 2) we are getting multiple failed login attempts from a particular user. Can we trace where they are coming from? These attempts are happening every 5 minutes. Below are the security logs for these login attempts.

Below is a table of failed login attempts and which server they were logged on. They all have the same event IDs in Event Viewer: 4771 & 4625.

DC Name   Date         Time
ADFS01    23/08/2018   10:49:59
ADFS02    23/08/2018   10:55:02
ADFS02    23/08/2018   11:00:17
ADFS02    23/08/2018   11:05:32
ADFS02    23/08/2018   11:10:15
ADFS01    23/08/2018   11:15:59
(Unlocked affected account at 11:36)
ADFS01    23/08/2018   11:36:56
ADFS01    23/08/2018   11:42:10
ADFS02    23/08/2018   11:47:25
(Unlocked affected account at 12:03)
ADFS01    23/08/2018   12:03:09
ADFS02    23/08/2018   12:08:23
ADFS01    23/08/2018   12:13:37

Below are the Event ID 4771 and 4625 logs.

Audit Failure - Event ID 4771

Kerberos pre-authentication failed.

Account Information:

                Security ID:                            Domain\Account Trying to Login

                Account Name:                     Account Trying to Login

               

Service Information:

                Service Name:                       krbtgt/****************************************

Network Information:

                Client Address:                      ::1

                Client Port:                             0

Additional Information:

                Ticket Options:                      0x40810010

                Failure Code:                         0x18

                Pre-Authentication Type:     2

Certificate Information:

                Certificate Issuer Name:                      

                Certificate Serial Number:  

                Certificate Thumbprint:                       

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Audit Failure - Event ID 4625

An account failed to log on.

Subject:

                Security ID:                            *****\ADFS Account

                Account Name:                     ADFS Account

                Account Domain:                  *********

                Logon ID:                               0x167BB

Logon Type:                                           3

Account For Which Logon Failed:

                Security ID:                            NULL SID

                Account Name:                     ******@****** (Account Trying to Login)

                Account Domain:                 

Failure Information:

                Failure Reason:                     Unknown user name or bad password.

                Status:                                    0xC000006D

                Sub Status:                            0xC000006A

Process Information:

                Caller Process ID:                0x5f8 (this is the adfssrv process)

                Caller Process Name:           C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe

Network Information:

                Workstation Name:              Server logs have come from

                Source Network Address:     -

                Source Port:                           -

Detailed Authentication Information:

                Logon Process:                       W

                Authentication Package:     Negotiate

                Transited Services: -

                Package Name (NTLM only):              -

                Key Length:                           0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

                - Transited services indicate which intermediate services have participated in this logon request.

                - Package name indicates which sub-protocol was used among the NTLM protocols.

                - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Now, looking in the ADFS event viewer, it has Event ID 342 at the same time as the failed login attempts:

Token validation failed. 

Additional Data

Token Type:

(Omitted due to unable to submit link)

Error message:

Account Trying to Login - The user name or password is incorrect

Exception details:

System.IdentityModel.Tokens.SecurityTokenValidationException: Account Trying to Login ---> System.ComponentModel.Win32Exception: The user name or password is incorrect

   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)

   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)

   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)

   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

   --- End of inner exception stack trace ---

   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect

   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)

   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)

   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)

   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

As the login attempts are coming from the ADFS server, I assumed they were coming from Azure; however, when looking at this user's sign-in attempts in the Azure portal, there are no failed attempts.

So how can I trace where these login attempts are coming from, bearing in mind that, according to the event log, they are coming from the ADFS server? How can I find out what is attempting to log in to the affected account through the ADFS server?

Thanks,

Sean
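The Security-log events in the post cannot answer Sean's question on their own: the 4771 shows a Client Address of ::1 and the 4625 has no Source Network Address, because the password was checked locally by the ADFS service (the Caller Process is Microsoft.IdentityServer.ServiceHost.exe, the Logon Type is 3). The ADFS Admin-log event 342 names the user but not the caller either. The script below is an added example, not part of the original post or of ADFS itself. It takes events from three sources, merges the 4625, 342 and (assumed) 411 records for one attempt into a single row, extracts the client IP, and measures the cadence of the attempts so a regular retry loop can be told apart from a human. All sample events are constructed for this example in the shape of the post's logs; the account, server names, the 203.0.113.25 client address and the exact layout of the AD FS Auditing event 411 (which, once ADFS auditing is enabled, is written to the Security log with a "Client IP:" line) are assumptions, not data from the post.

```python
"""Correlate ADFS password-validation failures across the Security log (4625),
the AD FS/Admin log (342) and the AD FS Auditing event 411, then report which
farm node, which client IP and what cadence.  All sample events are constructed;
the 411 layout is an assumption about what ADFS logs with auditing enabled."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%d/%m/%Y %H:%M:%S"
ACCOUNT = "user@contoso.example"   # placeholder for the post's "Account Trying to Login"
ADFS_HOST = r"C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe"

def _sec_4625(server, ts):           # constructed, mirrors the post's 4625 fields
    return (server, "Security", 4625, ts,
            "An account failed to log on.\nSubject:\n\tAccount Name: svc-adfs\n"
            "Logon Type: 3\nAccount For Which Logon Failed:\n"
            f"\tAccount Name: {ACCOUNT}\nStatus: 0xC000006D\nSub Status: 0xC000006A\n"
            f"Caller Process Name: {ADFS_HOST}\nSource Network Address: -\n")

def _adfs_342(server, ts):           # constructed, mirrors the post's 342 text
    return (server, "AD FS/Admin", 342, ts,
            f"Token validation failed.\nError message:\n{ACCOUNT}-The user name or password is incorrect\n")

def _adfs_411(server, ts, client_ip):  # assumed shape of the audit event (has Client IP)
    return (server, "Security", 411, ts,
            "Token validation failed. See inner exception for more details.\n"
            "Token Type:\nhttp://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName\n"
            f"Client IP:\n{client_ip}\nError message:\n{ACCOUNT}-The user name or password is incorrect\n")

# Constructed sample: four attempts ~5 minutes apart, spread over both farm nodes.
SAMPLE_EVENTS = []
for _srv, _ts in [("ADFS01", "23/08/2018 10:49:59"), ("ADFS02", "23/08/2018 10:55:02"),
                  ("ADFS02", "23/08/2018 11:00:17"), ("ADFS02", "23/08/2018 11:05:32")]:
    SAMPLE_EVENTS += [_sec_4625(_srv, _ts), _adfs_342(_srv, _ts), _adfs_411(_srv, _ts, "203.0.113.25")]

FAILED_ACCT_RE = re.compile(r"Account For Which Logon Failed:.*?Account Name:\s*(\S+)", re.S)
CALLER_RE = re.compile(r"Caller Process Name:\s*(\S+)")
ERRMSG_RE = re.compile(r"Error message:\s*(\S+?)-The user name")
CLIENT_IP_RE = re.compile(r"Client IP:\s*(\S+)")

def parse_event(ev):
    """Pull account, client IP and calling process out of one (server, log, id, ts, body) tuple."""
    server, _log, eid, ts, body = ev
    rec = {"server": server, "id": eid, "ts": datetime.strptime(ts, TS_FMT),
           "account": None, "client_ip": None, "caller": None}
    if eid == 4625:   # the target account is in the second "Account Name", not the Subject
        rec["account"] = FAILED_ACCT_RE.search(body).group(1).lower()
        m = CALLER_RE.search(body)
        rec["caller"] = m.group(1) if m else None
    else:             # 342 and 411 carry the user in the error message; only 411 has Client IP
        rec["account"] = ERRMSG_RE.search(body).group(1).lower()
        m = CLIENT_IP_RE.search(body)
        rec["client_ip"] = m.group(1) if m else None
    return rec

def correlate(events, window=timedelta(seconds=5)):
    """Merge events for the same account on the same node within `window` into one attempt."""
    recs = sorted((parse_event(e) for e in events), key=lambda r: (r["account"], r["ts"]))
    attempts = []
    for r in recs:
        last = attempts[-1] if attempts else None
        if (last and last["account"] == r["account"] and last["server"] == r["server"]
                and r["ts"] - last["ts"] <= window):
            last["event_ids"].add(r["id"])
            last["client_ip"] = last["client_ip"] or r["client_ip"]
            last["caller"] = last["caller"] or r["caller"]
        else:
            attempts.append({"account": r["account"], "server": r["server"], "ts": r["ts"],
                             "event_ids": {r["id"]}, "client_ip": r["client_ip"],
                             "caller": r["caller"]})
    return attempts

def cadence(attempts):
    """Median gap in seconds and whether every gap is within 15% of it (a retry loop, not a human)."""
    ts = sorted(a["ts"] for a in attempts)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return (gaps[0] if gaps else 0.0), False
    med = statistics.median(gaps)
    return med, all(abs(g - med) <= 0.15 * med for g in gaps)

def summarize(events):
    """Per-account report: nodes hit, client IPs seen, calling process, cadence."""
    by_acct = defaultdict(list)
    for a in correlate(events):
        by_acct[a["account"]].append(a)
    report = {}
    for acct, atts in by_acct.items():
        med, regular = cadence(atts)
        report[acct] = {
            "attempts": len(atts),
            "servers": sorted({a["server"] for a in atts}),
            "client_ips": sorted({a["client_ip"] for a in atts if a["client_ip"]}),
            "callers": sorted({a["caller"] for a in atts if a["caller"]}),
            "median_interval_s": med,
            "regular": regular,
            # True only when every attempt was seen in all three logs
            "fully_correlated": all({4625, 342, 411} <= a["event_ids"] for a in atts),
        }
    return report
```

On a real farm the tuples would come from Get-WinEvent on each ADFS node rather than the constructed list: the Security log for 4625 and for provider "AD FS Auditing" event 411, and the AD FS/Admin log for 342. Event 411 is only written when ADFS auditing is turned on (ADFS audit level plus the "Application Generated" audit subcategory enabled for failures), and when ADFS sits behind a Web Application Proxy the Client IP it records is the proxy's address, so the proxy's own logs are the next hop. The cadence check is what distinguishes a device or service retrying a stale saved password every few minutes from a person, and a password that ADFS rejects at the LsaLogonUser step never reaches Azure AD, which is consistent with the Azure portal showing no failed sign-ins for the account.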
