ADFS: Some Users Cannot Sign-In
I have a new ADFS implementation running on Server 2019. After setup, I tested authentication for various user accounts using the /adfs/ls/IdpInitiatedSignon.aspx. Most of the account I tested worked fine with no issues. There are a few accounts, however, that exhibit the following behavior:
- Signing in with a wrong username/password results in an error message indicating the username/password is incorrect. This is expected and desirable.
- Signing in with correct username/password results in a page refresh, displaying the sign-in form again. There is no error message. I'll call this the "refresh sign-in".
In the Security event log on the ADFS server, I see the following three events related to the "refresh sign-in":
- Event 4648 - A logon was attempted using explicit credentials.
- Event 4624 - An account was successfully logged on.
- Event 4625 - An account failed to log on (Failure reason: Unknown user name or bad password)
A few pieces of info:
- ADFS is configured to use a group managed service account called FsGmsa. It is a member of the Windows Authorization Access Group.
- "Forms" and "Microsoft Passport Authentication" is enabled as the primary authentication methods. I will eventually add Azure MFA.
- All tests have been ran in the intranet.
- All certificates are valid and haven't expired.
- I get the same results for the same users, regardless of what computer/device used.
- I cannot find any similarities or differences between the accounts that work and the accounts that don't.
The Windows Authorization Access Group did not have authority to read the tokenGroupsGlobalAndUniversal property on the accounts in question. Theses are the steps I took to fix the issue:
- Open Active Directory Users and Computers
- Go to the View menu and make sure the Advanced Features option is checked.
- Open the Properties for the desired user account.
- Click the Security tab.
- Click the Advanced button.
- Look for an Allow entry for the "Windows Authorization Access Group" principal.
- If there is an entry, click the Edit button.
- If there is not an entry, click the "Add" button.
- The top section of the Permission Entry should be the following:
- Principal: Windows Authorization Access Group
- Type: Allow
- Applies to: This object only
- If this is a new entry, scroll all the way to the bottom of the window and click the Clear all button.
- Add a check to the Read tokenGroupsGlobalAndUniversal property. It is close to the bottom of the list.
- Click OK to close the Permission Entry window.
- Click OK to close the Advanced Security Settings window.
- Click OK to the account Properties window.
You will need to repeat steps 3-12 for the other accounts in question. Afterwards, test your accounts and they should sign-in without issue.