ADFS Account Mapping or ADFS Shadow Accounts cannot unlock their ADFS Session

Added by Jennifer Lang, last edited by Jennifer Lang on May 14, 2008

ADFS Shadow Accounts may be unable to unlock their ADFS session because shadow account users do not know the password of their Resource shadow account. If the session locks, they cannot supply a password to unlock it.

When implementing Active Directory Federated authentication, users may be authenticated in one forest domain in order to access resources located in another forest domain. When deploying Active Directory Federation Services (ADFS), organizations are identified as:

  • Account: the organization that authenticates a user
  • Resource: the organization that provides resources to a user who has been authenticated by the Account organization

ADFS uses account mapping to map user accounts in the Account organization to a shadow account located in the Resource organization. Shadow accounts are created in Active Directory in the Resource organization and mirror the user accounts that exist in the Account organization. The following options are possible for account mapping:

  1. Map many Account users to one Resource account. This minimizes the number of Resource accounts, but Password Manager cannot determine the identity of the user, so this option is not supported.
  2. Map one Account user to one Resource account. This offers full scalability, as each Account user has a dedicated shadow account in the Resource organization.

The Resource organization trusts the Account organization to authenticate its own users, without the need for any domain trust relationship. It is also not necessary to enable shadow accounts for interactive logon, since they are never used for that purpose, and shadow account passwords are not known to the Account user.

To prevent Password Manager from auto-locking the shadow account, applications should not be flagged for forced re-authentication. Also, the re-authentication timeout should be left at its default value of 8 hours; setting it too small causes the agent to lock the session.