I am researching a domain user lockdown problem that involves an ADFS.
What happens is that anytime a domain user logins into a windows 10 machine, lsass connects to ADFS to authenticate the user credentials, which in turn tires to authenticate with the user credentials against the AD. (I was able to analyze to flow above using Sysinternals' processMonitor)
I am trying to find what can causes lsass to reach out to the ADFS upon windows login.
I will appriciate any pointers on what\where to look for
