Channel: Claims based access platform (CBA), code-named Geneva forum

lastLogon attribute not updated in user ADFS federated logon

We have a situation where some of our users only use their AD domain account for ADFS federated logon.

The problem is that the lastLogon attribute does not update when the user makes an ADFS logon. That in turn will conflict with the automated unused AD account deactivation process, which checks the lastLogonTimestamp attribute. Because of it, users may get their AD account disabled though they are using it daily.

In a test AD, the ADFS logon updates the lastLogon attribute OK, so the problem is only in our production ADFS.

How can we troubleshoot the problem, and what might be wrong with it?

Our AD has two WS 2008 R2 DC servers, DFL 2008 R2, and one ADFS server with WS 2008 R2.

Br, Kari
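
One way to check both attributes on every domain controller, as an added example that is not part of the original post: lastLogon is stored per DC and is not replicated, so each DC has to be queried separately, while lastLogonTimestamp is replicated. The account name `jdoe` and the function names are hypothetical, and the ActiveDirectory PowerShell module is assumed to be installed.

```powershell
# Added example: read lastLogon and lastLogonTimestamp for one user from each DC.
# Assumptions: ActiveDirectory module is available; 'jdoe' is a placeholder account.
Import-Module ActiveDirectory

function Convert-FileTimeValue {
    param([object]$Value)
    # An empty or zero value means the attribute was never set on this DC.
    if (-not $Value -or [int64]$Value -le 0) { return $null }
    [DateTime]::FromFileTimeUtc([int64]$Value)
}

function Get-LogonAttributeReport {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName
    )
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Query this specific DC so the non-replicated lastLogon value is its own.
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                 -Properties lastLogon, lastLogonTimestamp
        New-Object PSObject -Property @{
            DomainController      = $dc.HostName
            LastLogonUtc          = Convert-FileTimeValue $u.lastLogon
            LastLogonTimestampUtc = Convert-FileTimeValue $u.lastLogonTimestamp
        }
    }
}

Get-LogonAttributeReport -SamAccountName 'jdoe' |
    Sort-Object DomainController |
    Format-Table DomainController, LastLogonUtc, LastLogonTimestampUtc -AutoSize
```

Running it before and after a test ADFS sign-in shows which DC, if any, recorded the logon. lastLogonTimestamp is only rewritten when the stored value is older than the domain's sync interval (14 days by default, less a random offset), so an unchanged value right after a sign-in is expected.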

