Home
  •  

High Number of Password Change Request Failures

Microsoft.ActiveDirectoryFederationServices.2012.R2.FederationServerHighNumberPasswordChangeRequestFailureMonitor (UnitMonitor)

High number of password change request failures

Knowledge Base article:

Summary

This monitor checks for repeated password change request failures.

If the same failure happens more than 10 times per minute, a warning alert will be raised.

If no errors occur again within 15 minutes, the health state of this monitor will change back to Green and the alert associated with it will be dismissed automatically.

Causes

Possible causes for password change failure include the following:

Resolutions

Possible resolutions for this condition include the following:

Check event log and look for User and ErrorDetails information.

If the failure is due to invalid password, contact the user to resolve this issue.

If the failure is due user account not found in Active Directory, it could be user typed the wrong user name, or the user account was removed.

If the failure is due to domain controller not available, contact domain controller administrator.

Element properties:

TargetMicrosoft.ActiveDirectoryFederationServices2012R2.FederationServer
Parent MonitorSystem.Health.SecurityState
CategorySecurityHealth
EnabledTrue
Alert GenerateTrue
Alert SeverityMatchMonitorHealth
Alert PriorityNormal
Alert Auto ResolveTrue
Monitor TypeMicrosoft.Windows.RepeatedEventLogTimer2StateMonitorType
RemotableTrue
AccessibilityPublic
Alert Message
High Number of Password Change Request Failures
Password change requests failed more than 10 times within 1 minute.
RunAsDefault

Source Code:

<UnitMonitor ID="Microsoft.ActiveDirectoryFederationServices.2012.R2.FederationServerHighNumberPasswordChangeRequestFailureMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer" ParentMonitorID="Health!System.Health.SecurityState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.RepeatedEventLogTimer2StateMonitorType" ConfirmDelivery="true">

  <Category>SecurityHealth</Category>

  <AlertSettings AlertMessage="Microsoft.ActiveDirectoryFederationServices.2012.R2.FederationServerHighNumberPasswordChangeRequestFailureMonitor_AlertMessageResourceID">

    <AlertOnState>Warning</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>MatchMonitorHealth</AlertSeverity>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="RepeatedEventRaised" MonitorTypeStateID="RepeatedEventRaised" HealthState="Warning"/>

    <OperationalState ID="TimerEventRaised" MonitorTypeStateID="TimerEventRaised" HealthState="Success"/>

  </OperationalStates>

  <Configuration>

    <RepeatedComputerName>$Target/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</RepeatedComputerName>

    <RepeatedLogName>AD FS/Admin</RepeatedLogName>

    <RepeatedExpression>

      <And>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="UnsignedInteger">407</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <RegExExpression>

            <ValueExpression>

              <XPathQuery Type="String">PublisherName</XPathQuery>

            </ValueExpression>

            <Operator>MatchesRegularExpression</Operator>

            <Pattern>(^AD FS$)</Pattern>

          </RegExExpression>

        </Expression>

      </And>

    </RepeatedExpression>

    <Consolidator>

      <ConsolidationProperties/>

      <TimeControl>

        <WithinTimeSchedule>

          <Interval>60</Interval>

        </WithinTimeSchedule>

      </TimeControl>

      <CountingCondition>

        <Count>10</Count>

        <CountMode>OnNewItemTestOutputRestart_OnTimerSlideByOne</CountMode>

      </CountingCondition>

    </Consolidator>

    <TimerWaitInSeconds>900</TimerWaitInSeconds>

  </Configuration>

</UnitMonitor>