AD FS Extranet Lockout not working?

  • Question

  • Hello

    I am trying to implement AD FS Extranet Lockout for one of my customers and followed the instructions at and ran

    Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 4 -ExtranetObservationWindow ( new-timespan -Minutes 30 ).

    Running

    Get-AdfsProperties | fl *extranet*

    on the primary ADFS server shows that the setting took effect. The internal lockout policy is set to 5 attempts.

    Then I visited the ADFS sign-in page from an external network, to make sure the authentication requests go through the WAP servers, and mistyped the password t times. The soft lockout does not happen for some reason and the AD user account gets locked. The ADFS logs show the invalid login attempts, but the WAP servers do not seem to log anything.

    Any ideas what could be wrong or how to troubleshoot the issue?

    Thanks in advance.



    Regards, Ilkin


    Monday, January 18, 2016 5:34 PM

Answers

  • Hi Tim,

    It sounds like the latter - you do not have a WAP.

    Follow the traffic from the external IP that you have published to the Internet, and see where it is NAT'ed to. If it is the IP of the AD FS server/farm then that explains the behaviour...


    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, August 16, 2017 1:58 AM

All replies

  • Did you check the badPwdCount value of the account prior to your check?


    Tuesday, January 19, 2016 9:04 PM
  • Yes it was monitored before and after lockout on a PDC emulator.

    This is the policy

    Domain policy is set to lock accounts after 5 attempts with Reset Account Lockout Threshold After 9999 minutes.

    Here is the first attempt ADSI Edit connected to PDC Emulator

    the same on the ADUC attribute editor

    Then account is locked after fifth attempt.


    Regards, Ilkin


    • Edited by Ilkin Jamalli Friday, January 29, 2016 2:25 PM added screenshots
    Thursday, January 28, 2016 1:23 PM
  • Are you 100% sure you have published the WAP server as the external ADFS endpoint?


    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne


    Monday, February 22, 2016 8:44 PM
  • Hi Rhoderick,

    I think so, because the ADFS servers cannot be reached from the outside world.
    Can you suggest a definite way of double checking this?

    Regards. Ilkin.


    Regards, Ilkin

    Wednesday, March 9, 2016 10:57 AM
  • Look at the publishing rule/device/appliance that you have to publish to the Internet.

    If it is a NAT rule, then see where it is set to NAT to.


    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne


    Wednesday, March 9, 2016 12:50 PM
  • Also, how do you actually trigger the login? From the web form where you are redirected, so on the ADFS sign-in page? Or from an application?


    Wednesday, March 9, 2016 7:22 PM
  • Sorry for the late response. It was triggered from the ADFS sign-in page.

    Regards, Ilkin

    Friday, January 6, 2017 2:45 PM
  • I cannot repro your issue.

    As long as the user authenticates against the WAP and provides the U/P in the web form, the Extranet Lockout feature always works for me.

    We will need more details, tracing etc...

    Ensure that you are using WAP and not a replacement for it, and ensure your DNS name resolution makes your client point to the public IP of the WAP (split-brain DNS). Ideally try it from an external client connected only to the internet. Make sure that the account is not also used internally by other applications trying to do things (VPN clients, WiFi etc...). You could try with a new account, for example.



    Saturday, January 7, 2017 6:28 PM
  • Ilkin, did this one get resolved?

    Thanks, Tim. | Please remember to mark the replies as answers if they help. |

    Monday, August 7, 2017 8:35 PM
  • Couldn't repro.

    The only potential issue we have in this case is the Observation Window of ADFS being shorter than the Observation Window of ADDS. This leads to a "delayed" account lockout, but not with consecutive attempts like the ones mentioned here. What is your issue? Do you see event 516 in the logs? Does event 4740 on your DC show the ADFS server as the source of the lockout?



    Tuesday, August 8, 2017 2:00 PM
  • Hi Pierre,

    Thanks for the response.

    In my test environment I'm using the below settings.

    ADFS Settings:
    4 Lockouts
    60 minute reset interval.

    Internal AD settings
    10 lockouts
    9999 minute reset interval

    Noticed that Ilkin and I both have 9999 as our internal lockout, you mentioned above that it could be a delayed lockout. How long is the potential delay?

    I haven't actually locked myself out yet to check 4740. I watched the ADFS and internal PDC Emulator bad password count increment together up to 8. I will lock myself out today and let you know about the 4740 error.

    Thanks again for the response on an older question.

    Regards, Tim.


    Thanks, Tim. | Please remember to mark the replies as answers if they help. |

    Tuesday, August 8, 2017 10:19 PM
  • And you are 100% sure traffic is hitting the WAP server and NOT AD FS ???

    Cheers,

    Rhoderick

    Microsoft Senior Exchange PFE

    Blog: http://blogs.technet.com/rmilne


    Wednesday, August 9, 2017 1:54 PM
  • First look for the event 516 on ADFS.

    It will tell you whether any throttling is happening. And as Rhoderick mentions, you have to use the WAP: no WAP, no 516 and no Extranet Lockout Policy.

    For the delay lockout, here is an example:

    1. 00:00:00 1st auth failed attempt. badPwdCount = 1
    2. 00:00:01 2nd auth failed attempt. badPwdCount = 2
    3. 00:00:04 3rd auth failed attempt. badPwdCount = 3
    4. 00:00:06 4th auth failed attempt. badPwdCount = 4

    At this stage you will see an event 516. The attempts are throttled on the WAP for 60 minutes (your observation window in ADFS).

    5. 00:00:10 5th auth failed attempt. badPwdCount = 4 (attempt has been blocked on ADFS)
    6. 00:01:00 6th auth failed attempt. badPwdCount = 4 (attempt has been blocked on ADFS)
    7. 01:00:08 7th auth failed attempt. badPwdCount = 5 (attempt has NOT been blocked because the observation window has passed) the account is locked-out on prem



    Wednesday, August 9, 2017 2:57 PM
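The delayed-lockout timeline in the reply above, replayed as code. This is an added example, not code from the thread or from Microsoft: it assumes a simplified model in which ADFS consults the PDC's badPwdCount and last-bad-password time only for requests that arrive via the WAP, and it also replays the same attempts with the WAP bypassed (traffic NAT'ed straight to AD FS), which is the root cause this thread ends on.

```python
from datetime import timedelta

# Constructed timeline, seconds since the first failed attempt (00:00:00 .. 01:00:08).
FAILED_ATTEMPTS = [0, 1, 4, 6, 10, 60, 3608]


def simulate(attempt_times, adfs_threshold=4, adfs_window=timedelta(minutes=60),
             ad_threshold=5, ad_reset=timedelta(minutes=9999), via_wap=True):
    """Replay failed sign-ins; return one (seconds, badPwdCount, outcome) per attempt.

    Assumed model: the ADFS soft lockout only evaluates requests that came through
    the WAP. If badPwdCount has reached the ADFS threshold and the last bad password
    is still inside the ADFS observation window, ADFS rejects the request without
    contacting AD, so badPwdCount does not move. Otherwise AD validates the password,
    resets badPwdCount if its own reset interval has elapsed, increments it, and
    locks the account when the domain threshold is reached.
    """
    bad_pwd_count, last_bad, locked, records = 0, None, False, []
    for secs in attempt_times:
        now = timedelta(seconds=secs)
        if locked:
            records.append((secs, bad_pwd_count, "locked_out"))
            continue
        in_window = last_bad is not None and now - last_bad < adfs_window
        if via_wap and bad_pwd_count >= adfs_threshold and in_window:
            records.append((secs, bad_pwd_count, "blocked_by_adfs"))  # event 516 territory
            continue
        if last_bad is not None and now - last_bad >= ad_reset:
            bad_pwd_count = 0  # "Reset account lockout counter after" elapsed
        bad_pwd_count += 1
        last_bad = now
        if bad_pwd_count >= ad_threshold:
            locked = True  # DC logs 4740 here
            records.append((secs, bad_pwd_count, "ad_lockout"))
        else:
            records.append((secs, bad_pwd_count, "bad_password"))
    return records


def lockout_time(records):
    """Offset in seconds at which AD locked the account, or None if it never did."""
    return next((secs for secs, _, outcome in records if outcome == "ad_lockout"), None)


if __name__ == "__main__":
    for label, kwargs in (("via WAP", {}), ("WAP bypassed", {"via_wap": False}),
                          ("ADFS window 2h", {"adfs_window": timedelta(hours=2)})):
        print(label, simulate(FAILED_ATTEMPTS, **kwargs))
```

With the thread's settings the account locks at 01:00:08 as in the reply; with the WAP bypassed it locks on the fifth attempt, which is exactly the symptom reported at the top of the thread.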
  • Thanks for the replies. I'm out of the office for a few days. Will get back to you next week when I'm back in.
    Thanks again for your time.
    Regards, Tim.

    Thanks, Tim. | Please remember to mark the replies as answers if they help. |

    Friday, August 11, 2017 12:16 PM
  • Hi Rhoderick, thanks for the reply and thanks for your article (https://blogs.technet.microsoft.com/rmilne/2014/05/05/enabling-adfs-2012-r2-extranet-lockout-protection/)

    This is where I'm a bit confused. We have an application proxy connector setup on a server. We also have our DCs. When I check for the Web Application Proxy Role, it isn't installed anywhere I think it should be.

    Also, the PowerShell module for set-adfsproperties exists on the DCs. These DCs are where I'm seeing the bad password count increasing. 

    I feel like I'm missing a key component and not sure where that is. Or, we're not using a Web Application Proxy at all.

    Thanks again.
    Regards, Tim.


    Thanks, Tim. | Please remember to mark the replies as answers if they help. |

    Wednesday, August 16, 2017 12:20 AM
  • Thanks Rhoderick. Yep that looks to be the case.


    Thanks Pierre and Rhoderick for your help. :)


    Thanks, Tim. | Please remember to mark the replies as answers if they help. |

    Wednesday, August 16, 2017 11:25 PM