If you’ve enabled Active Directory Synchronization and have synchronized but your users can’t log in, there are several potential causes, as described below.
Windows Authentication
Windows Authentication may not be enabled in IIS. You may see the following error screen when attempting to log in.
To resolve this:
- Open IIS Manager
- Expand the left column and click on Default Web Site
- Double click on Authentication
- Click Windows Authentication
- Click Enable
Unsuccessful Synchronization
The synchronization may not have been successful and the user may not exist in the Intranet.
To resolve this:
- In the Intranet, go to Admin > Security > Find Logins
- Search for the username with Disabled Logins checked
- Did you find the user? If a user is found, you can correct it.
  - Disable AD Synchronization in Admin > Security > AD Synchronization
  - Find the user with the same username as above
  - Change the username and email address (you may need to enable the user temporarily to complete this)
  - After that’s been saved, ensure the user is disabled and re-enable AD Synchronization
  - Click Sync Now
  - You should now be able to find the correct user.
- If the user wasn't found, check to see if any of your users were synchronized.
  - If no user was synchronized, check that your AD Sync connection settings are correct and Test Connection is successful.
  - If one or a few weren’t synchronized, ensure they are part of one of the targets selected.
    - If not a part of a target, add another target to bring the additional account(s) in.
    - If part of a target but not synchronized, ensure the user has a first and last name with no additional spaces around the names and there is a valid email address and username specified in AD.
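The last check above (first and last name with no surrounding spaces, a valid email address and a username) can be run in bulk. This is an added PowerShell example, not part of the original article or the product; the function name Test-SyncReadiness, the attribute mapping, the email pattern and the OU path are assumptions.

```powershell
# Added example: flags accounts that fail the checks listed above.
# Assumption: the Intranet reads GivenName, Surname, EmailAddress and
# SamAccountName; confirm the attribute mapping for your installation.
function Test-SyncReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        $problems = @()
        foreach ($field in 'GivenName', 'Surname') {
            $value = [string]$User.$field
            if ([string]::IsNullOrWhiteSpace($value)) {
                $problems += "$field is empty"
            } elseif ($value -ne $value.Trim()) {
                $problems += "$field has leading or trailing spaces"
            }
        }
        if ([string]::IsNullOrWhiteSpace([string]$User.SamAccountName)) {
            $problems += 'SamAccountName is empty'
        }
        # Loose shape check only (one @, a dot in the domain, no spaces).
        if ([string]$User.EmailAddress -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            $problems += 'EmailAddress is missing or malformed'
        }
        # Emit a row only for accounts that have at least one problem.
        if ($problems.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Problems       = $problems -join '; '
            }
        }
    }
}

# Constructed sample records (not real accounts) so the function runs offline.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   GivenName = 'Jane'; Surname = 'Doe';   EmailAddress = 'jdoe@example.com' }
    [pscustomobject]@{ SamAccountName = 'bsmith'; GivenName = 'Bob '; Surname = 'Smith'; EmailAddress = 'bsmith@example.com' }
    [pscustomobject]@{ SamAccountName = 'svc01';  GivenName = $null;  Surname = 'Batch'; EmailAddress = '' }
)
$sample | Test-SyncReadiness | Format-Table -AutoSize

# Against the directory (needs the ActiveDirectory module; the OU is a placeholder):
# Get-ADUser -Filter * -SearchBase 'OU=Staff,DC=example,DC=com' -Properties EmailAddress |
#     Test-SyncReadiness
```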
Incorrect Credentials
The credentials supplied may be incorrect. The Intranet doesn't store the credentials for Windows Authentication; they're passed to the Domain Controller specified in the settings for verification. Typically, this happens following a password reset in AD.
To resolve this: Windows caches credentials, and it’s possible these need to be cleared. See the Microsoft article How to remove saved Windows Authentication.
If that doesn't work to clear the credentials and allow successful login, you may need to complete an additional step from Microsoft, as described in the LsaLookupSids function article.