Disabled user account still able to login with ADFS

  • Question

  • Hello Experts,

    We have ADFS 3.0 configured with SharePoint (on-prem farm) for authentication. I came across one weird scenario where, after deactivating a user in AD, I am still able to log in with the deactivated account's credentials.

    To prevent this behavior, are there any extra steps that need to be taken while deactivating users?

    Thanks,

    Uday

    Wednesday, October 24, 2018 9:39 AM

Answers

  • Hiya,

    To add to Pierre's response: you can reduce the token lifetime on SharePoint, so that user tokens get renewed more frequently. Just be very keen when working with these values; it can be quite hard to keep track of when you are hitting which setting.

    There is no way to invalidate a single token in SharePoint, only to reduce the token lifetime for everyone. (It's the same problem for SharePoint Online or OneDrive for Business. Once a user has a valid token, any changes to that user will not take effect until revalidation occurs, whether it's disabled, MFA or other security policies.)

    Kind regards

    • Marked as answer by Uday G Tuesday, December 18, 2018 1:36 PM
    Monday, November 26, 2018 10:01 AM

All replies

  • You cannot obtain a token when a user has been disabled.

    Even if you already connected to ADFS and obtained a WebSSO cookie.

    The WebSSO cookie will be discarded when you try to obtain a new token for SharePoint.

    My guess is that you have a session cookie with SharePoint and THIS one is still valid. But it will not be renewable.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Proposed as answer by Jesper Arnecke Monday, November 26, 2018 9:51 AM
    Wednesday, October 24, 2018 4:26 PM
  • Hi,

    As said by Pierre, if the user is disabled, he can't renew his token.

    The user will still have access until the expiration of the token; after that, the SSO cookie will be invalid and the user will be denied access.


    Please don't forget to mark the correct answer, to help others who have the same issue. Thameur BOURBITA MCSE | MCSA My Blog : http://bourbitathameur.blogspot.fr/

    • Proposed as answer by Jesper Arnecke Monday, November 26, 2018 9:51 AM
    Wednesday, October 24, 2018 6:30 PM
  • Any update here?


    Monday, October 29, 2018 2:08 PM
  • Hi Pierre and Thameur,

    Thanks for the reply.

    Once the user account is deactivated in AD, the user will still have access until the expiration of the token. How can I expire the token in AD itself after deactivating the user? Or how can I add a check in SharePoint to validate whether the user is active or inactive, so that I could forcefully redirect him to the ADFS sign-in page instead of allowing him to access SharePoint resources until his token expires?

    Thanks

    Uday G

    Friday, November 23, 2018 6:16 AM
  • You cannot do anything at the ADFS level. Once the token was obtained by the user, the token was used to obtain a bootstrap cookie from SharePoint. This bootstrap cookie is SharePoint's property and only it can delete it. It should be valid for the validity time of the token used to obtain it (although nothing forces an application to follow this practice). By default it is 60 minutes. 

    You can eventually reduce the lifetime of the token, but too short a token lifetime might affect the users' experience.

    SharePoint is using WS-Federation to federate with ADFS. There is no built-in mechanism to perform this verification. 

    If the user is on a domain-joined system connected to the internal network, you might want to take other types of action to reduce the user's ability to do something on the network. But that's no longer an ADFS or a SharePoint matter.

    If the user was disabled because the employee was terminated, what are the chances of this taking place in the middle of the working day (meaning that the account would be disabled before the employee is even notified of his or her termination)? Anyway, let us know what your scenario is and what the perceived risks are; maybe we can give additional guidance.



    Friday, November 23, 2018 1:56 PM
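The two settings Pierre and Jesper describe, as an added PowerShell example that is not from the thread: the token lifetime ADFS issues for the SharePoint relying party, the logon-token cache window on the SharePoint STS, and a check that the pair does not produce a sign-in loop. The relying-party name is a placeholder, and the 20-minute and 5-minute values are assumptions; run each section on the server it belongs to.

```powershell
# --- On the ADFS server ---
# Shorten the token ADFS issues for the SharePoint relying party (minutes).
# 0 means the ADFS default of 60 minutes. The name is a placeholder.
$rpName = "SharePoint OnPrem"
Set-AdfsRelyingPartyTrust -TargetName $rpName -TokenLifetime 20
$rpLifetimeMinutes = (Get-AdfsRelyingPartyTrust -Name $rpName).TokenLifetime

# --- On a SharePoint server (SharePoint Management Shell) ---
# SharePoint considers its cached logon token expired this long BEFORE the
# ADFS token's own expiry, so the window must stay shorter than the
# relying-party TokenLifetime or every request bounces back to ADFS.
$sts = Get-SPSecurityTokenServiceConfig
$sts.LogonTokenCacheExpirationWindow = New-TimeSpan -Minutes 5
$sts.Update()

# Sanity check of the pair (feed it the two values read above).
function Test-TokenLifetimeSettings {
    param(
        [int]$RelyingPartyTokenLifetimeMinutes,    # 0 = ADFS default (60)
        [timespan]$LogonTokenCacheExpirationWindow
    )
    $lifetime = if ($RelyingPartyTokenLifetimeMinutes -eq 0) { 60 } `
                else { $RelyingPartyTokenLifetimeMinutes }
    $window = $LogonTokenCacheExpirationWindow.TotalMinutes
    if ($window -ge $lifetime) {
        return "Misconfigured: cache window ($window min) >= token lifetime " +
               "($lifetime min); users will loop to the ADFS sign-in page."
    }
    # Effective session: a disabled account keeps access on an already-issued
    # token for at most this long before SharePoint forces re-authentication.
    $effective = $lifetime - $window
    return "OK: disabled accounts lose access after at most $effective minutes."
}

Test-TokenLifetimeSettings -RelyingPartyTokenLifetimeMinutes $rpLifetimeMinutes `
    -LogonTokenCacheExpirationWindow $sts.LogonTokenCacheExpirationWindow
```

Neither setting revokes an already-issued token, as the replies say; they only bound how long a disabled account can keep using one.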