Home

ADFS - Unable to log on with UPN

%3CLINGO-SUB%20id%3D%22lingo-sub-290335%22%20slang%3D%22en-US%22%3EADFS%20-%20Unable%20to%20log%20on%20with%20UPN%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-290335%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20our%20development%20environment%20we%20have%20ADFS%203.0%20servers%20authenticating%20federated%20users.%20Recently%2C%20users%20have%20been%20unable%20to%20log%20on%20using%20their%20UPN.%20SamAaccountName%20works%20without%20issue.%20For%20information%20the%20domain%20and%20upn%20set%20up%20is%20as%20follows%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20internal%20domain%20is%20childdomain.root.int.ac.uk%3C%2FP%3E%3CP%3EUsers%20exist%20in%20the%20child%20domain%20%22%3CSPAN%3Echilddomain.root.int.ac.uk%22%20but%20have%20a%20their%20UPN%20changed%20to%20username%40int.ac.uk.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWhen%20signing%20into%20Office%20365%20or%20via%20ADFS%20theya%20re%20able%20to%20use%20their%20samaccountname%20but%20using%20the%20UPN%20gives%20an%20incorrect%26nbsp%3Busername%20or%20password%20error.%20%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EWe%20see%20the%20following%20error%20in%20the%20ADFS%20logs%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EToken%20validation%20failed.%3C%2FP%3E%3CP%3EAdditional%20Data%3C%2FP%3E%3CP%3EToken%20Type%3A%3CBR%20%2F%3E%3CA%20href%3D%22http%3A%2F%2Fschemas.microsoft.com%2Fws%2F2006%2F05%2Fidentitymodel%2Ftokens%2FUserName%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttp%3A%2F%2Fschemas.microsoft.com%2Fws%2F2006%2F05%2Fidentitymodel%2Ftokens%2FUserName%3C%2FA%3E%3CBR%20%2F%3E%25Error%20message%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EIf%20they%20attempt%20to%20use%20the%20ADFS%20password%20change%26nbsp%3Bpage%20I%20see%20the%20following%26nbsp%3Berror%20in%20the%20logs%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPassword%20change%20failed%20for%20following%20user%3A%3C%2FP%3E%3CP%3EAdditional%20Data%3C%2FP%3E%3CP%3EUser%3A%3CBR%20%2F%3Eu1234560%3CSPAN%3E%40int.ac.uk.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EDevice%20Certificate%3A%3C%2FP%3E%3CP%3EServer%20on%20which%20password%20change%20was%20attempted%3A%3CBR%20%2F%3EError%20details%3A%3CBR%20%2F%3EUserNotFound%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20ideas%20what%20might%20be%20causing%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-290335%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Eadfs%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EUPN%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-290700%22%20slang%3D%22en-US%22%3ERe%3A%20ADFS%20-%20Unable%20to%20log%20on%20with%20UPN%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-290700%22%20slang%3D%22en-US%22%3E%3CP%3ERight%2C%20seems%20I've%20misunderstood%20the%20issue%20then.%20Your%20first%20post%20listed%20an%20%22token%20validation%20error%22%20event%2C%20which%20is%20generally%20generated%20*after*%20the%20user%20has%20successfully%20logon%20to%20the%20AD%20FS%20server.%20If%20the%20user%20is%20not%20even%20able%20to%20pass%20the%20login%20prompt%2C%20I'd%20suggest%20checking%20the%20event%20logs%20for%20any%204625%2F4624%20entries%20related%20to%20that%20user%20and%20more%20specifically%20looking%20at%20the%20netlogon%26nbsp%3Berror%20(%22status%22)%20therein.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-290641%22%20slang%3D%22en-US%22%3ERe%3A%20ADFS%20-%20Unable%20to%20log%20on%20with%20UPN%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-290641%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20you%20elaborate%20a%20little%20Vasil%3F%20The%20authentication%20fails%20completely%20and%20claims%20are%20not%20released.%20The%20ADFS%20forms%20authentication%20page%20just%20rejects%20the%20password%20unless%20you%20use%20the%20samaccountname%20format.%26nbsp%3B%20our%20production%20environment%20is%20essentially%20the%20same%20and%20we%20dont%20have%20a%20similar%20issue%20so%20its%20quite%20puzzling.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-290438%22%20slang%3D%22en-US%22%3ERe%3A%20ADFS%20-%20Unable%20to%20log%20on%20with%20UPN%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-290438%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20most%20likely%20need%20to%20adjust%20the%20claims%20rules%20to%20pick%20up%20the%20changed%20UPN%20format.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-735243%22%20slang%3D%22en-US%22%3ERe%3A%20ADFS%20-%20Unable%20to%20log%20on%20with%20UPN%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-735243%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F194334%22%20target%3D%22_blank%22%3E%40David%20McAllister%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHi%20David%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDId%20you%20come%20right%20here%3F%20I%20saw%20something%20similar%20many%20years%20ago..%20You%20might%20need%20to%20alter%20the%20claims%20to%20support%20the%20multiple%20UPN%20suffixes.%20Did%20you%20set%20up%20the%20ADFS%20with%20the%20AADConnect%20wizard%3F%20I'm%20assuming%20the%20new%20UPN%20name%20space%20is%20federated%20and%20you%20are%20using%20it%20for%20Azure%2FO365%3C%2FP%3E%3C%2FLINGO-BODY%3E
David McAllister
Occasional Contributor

Hi All,

 

In our development environment we have ADFS 3.0 servers authenticating federated users. Recently, users have been unable to log on using their UPN. SamAaccountName works without issue. For information the domain and upn set up is as follows:

 

The internal domain is childdomain.root.int.ac.uk

Users exist in the child domain "childdomain.root.int.ac.uk" but have a their UPN changed to username@int.ac.uk.

 

When signing into Office 365 or via ADFS theya re able to use their samaccountname but using the UPN gives an incorrect username or password error.

 

We see the following error in the ADFS logs:

Token validation failed.

Additional Data

Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
%Error message:

 

 

 

If they attempt to use the ADFS password change page I see the following error in the logs:

 

Password change failed for following user:

Additional Data

User:
u1234560@int.ac.uk.

Device Certificate:

Server on which password change was attempted:
Error details:
UserNotFound

 

Any ideas what might be causing this?

 

 

 

 

 

 

4 Replies

You most likely need to adjust the claims rules to pick up the changed UPN format.

Highlighted

Can you elaborate a little Vasil? The authentication fails completely and claims are not released. The ADFS forms authentication page just rejects the password unless you use the samaccountname format.  our production environment is essentially the same and we dont have a similar issue so its quite puzzling.

Right, seems I've misunderstood the issue then. Your first post listed an "token validation error" event, which is generally generated *after* the user has successfully logon to the AD FS server. If the user is not even able to pass the login prompt, I'd suggest checking the event logs for any 4625/4624 entries related to that user and more specifically looking at the netlogon error ("status") therein.

 

@David McAllister 

 

Hi David

 

DId you come right here? I saw something similar many years ago.. You might need to alter the claims to support the multiple UPN suffixes. Did you set up the ADFS with the AADConnect wizard? I'm assuming the new UPN name space is federated and you are using it for Azure/O365

Related Conversations
Tabs and Dark Mode
cjc2112 in Discussions on
48 Replies
Extentions Synchronization
Deleted in Discussions on
3 Replies
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
30 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
Security Community Webinars
Valon_Kolica in Security, Privacy & Compliance on
13 Replies