Today I came across a weird issue. When logging on to a Domain Controller (2008 R2) I was presented with an ‘Access is denied’ error. Weirdly enough, this happened after the authentication took place.
There were no related events to be found in the event viewer. Looking at the domain controller policies and running tools like dcdiag/nltest (using psexec) didn’t provide any clues either.
When there is a problem with your ADFS server(s) or your internet connection, there is no authentication possible on ADFS. Users are not able to log in to their mail, use Skype for Business or SharePoint.
When this happens, it is good to know there is an easy way to turn federation off and on again in PowerShell without requiring a connection to the ADFS server.
Before you start, make sure you have password sync enabled on the AAD Connect server. If not, you will have to set a new password for every user after disabling federation.