I have a new ADFS implementation running on Server 2019. After setup, I tested authentication for various user accounts using /adfs/ls/IdpInitiatedSignon.aspx. Most of the accounts I tested worked fine with no issues. There are a few accounts, however, that exhibit the following behavior:
- Signing in with a wrong username/password results in an error message indicating the username/password is incorrect. This is expected and desirable.
- Signing in with correct username/password results in a page refresh, displaying the sign-in form again. There is no error message. I'll call this the "refresh sign-in".
In the Security event log on the ADFS server, I see the following three events related to the "refresh sign-in":
- Event 4648 - A logon was attempted using explicit credentials.
- Event 4624 - An account was successfully logged on.
- Event 4625 - An account failed to log on (Failure reason: Unknown user name or bad password).
A few pieces of info:
- ADFS is configured to use a group managed service account called FsGmsa. It is a member of the Windows Authorization Access Group.
- "Forms" and "Microsoft Passport Authentication" are enabled as the primary authentication methods. I will eventually add Azure MFA.
- All tests have been run on the intranet.
- All certificates are valid and haven't expired.
- I get the same results for the same users, regardless of which computer/device is used.
- I cannot find any similarities or differences between the accounts that work and the accounts that don't.
The Windows Authorization Access Group did not have authority to read the tokenGroupsGlobalAndUniversal property on the accounts in question. These are the steps I took to fix the issue:
You will need to repeat steps 3-12 for the other accounts in question. Afterwards, test your accounts and they should sign in without issue.
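The following PowerShell script is an added example, not part of the original question or answer. It checks the diagnosis above on a set of accounts: whether the Windows Authorization Access Group holds an Allow ACE granting ReadProperty on tokenGroupsGlobalAndUniversal (or on all properties) in each user's security descriptor. It also reports whether inheritance is blocked on the object and the adminCount value, since a blocked ACL is a common reason for an inherited ACE to be missing. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the users' nTSecurityDescriptor; the script name and parameter are my own choices. It only reads; it changes nothing.

```powershell
<#
  Test-WaagTokenGroupsRead.ps1  (added example, not from the original post)
  Reports, per account, whether "Windows Authorization Access Group" can read
  tokenGroupsGlobalAndUniversal. Assumes the ActiveDirectory module is available.
  Usage:  .\Test-WaagTokenGroupsRead.ps1 -SamAccountName alice, bob
#>
param(
    [Parameter(Mandatory = $true)]
    [string[]]$SamAccountName
)

Import-Module ActiveDirectory

# Resolve the attribute's schemaIDGUID from the schema instead of hard-coding it.
$rootDse  = Get-ADRootDSE
$attrObj  = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                -LDAPFilter '(lDAPDisplayName=tokenGroupsGlobalAndUniversal)' `
                -Properties schemaIDGUID
$attrGuid = [guid]$attrObj.schemaIDGUID    # schemaIDGUID is stored as byte[]

# SID of the group that ADFS (via its gMSA) relies on for token-group lookups.
$waagSid = (Get-ADGroup -Identity 'Windows Authorization Access Group').SID.Value

foreach ($sam in $SamAccountName) {
    $user = Get-ADUser -Identity $sam -Properties adminCount, nTSecurityDescriptor
    $acl  = $user.nTSecurityDescriptor     # System.DirectoryServices.ActiveDirectorySecurity

    # Include explicit and inherited rules, identities as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    # An ACE satisfies the check if it is an Allow for WAAG that carries ReadProperty
    # and is scoped either to this attribute or to all properties (empty ObjectType).
    $matching = $rules | Where-Object {
        $_.IdentityReference.Value -eq $waagSid -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.ActiveDirectoryRights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0 -and
        ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
    }

    [pscustomobject]@{
        SamAccountName          = $sam
        AdminCount              = $user.adminCount
        InheritanceBlocked      = $acl.AreAccessRulesProtected
        WaagCanReadTokenGroups  = [bool]$matching
    }
}
```

Run it against one account that signs in normally and one that shows the "refresh sign-in"; a `WaagCanReadTokenGroups` value of `False` on the failing account, typically alongside `InheritanceBlocked = True`, is consistent with the cause described in the answer. Because the ADFS service account resolves group membership through this attribute, the missing read right explains why the Security log shows a successful 4624 immediately followed by a 4625 rather than a clean failure.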