Accounts being Locked out, proxied via Office 365 RRS feed

  • Question

  • Hello,

    We are Office 365 federated using ADFS. We are having accounts being locked out every few minutes on our DCs. When traced back, it was coming from ADFS via the WAP proxy. Upon researching event 512 on the ADFS server, this is what we are seeing:

    The account for the following user is locked out.  A login attempt is being allowed due to the system configuration. 

    Additional Data 

    Activity ID: 00000000-0000-0000-0000-000000000000 

    User: 
    <user>@<domain>.com

    Client IP: 
    157.119.234.21,132.245.71.125 

    Bad Password Count: 

    Last Bad Password Attempt: 
    1/21/2017

    Based on this, it appears that the source IP is from Asia (157.119.234.21) being proxied by Microsoft (132.245.71.125). We are at a loss of how to stop this as we can't block the Microsoft IPs from accessing WAP for ADFS authentication. Any help would be greatly appreciated.

    Sunday, January 22, 2017 1:43 AM

All replies

  • Hi Dwclarknu,

    The setup/options below might help.

    Also the ADFS Account Lockout Threshold should be less than the Local DC Account Lockout Threshold.

    AD FS extranet lockout functions independently from the AD lockout policies. However, it can be used together with AD lockout policy. We strongly recommend that you set the ExtranetLockoutThreshold parameter value to a value that is less than the AD account lockout threshold.

    • Limiting Access to Office 365 Services Based on the Location of the client
      https://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx

    References:

    https://technet.microsoft.com/en-us/library/dn486806(v=ws.11).aspx

    https://blogs.technet.microsoft.com/rmilne/2014/05/05/enabling-adfs-2012-r2-extranet-lockout-protection/

    https://blogs.msdn.microsoft.com/luzhao1/2015/06/24/demystify-extranet-lockout-feature-in-ad-fs-3-0/


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Sunday, January 22, 2017 1:44 PM
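    The threshold relationship described in the reply above, as an added PowerShell example that is not code from the thread or from Microsoft's documentation: it reads the domain lockout policy, picks an AD FS extranet lockout threshold strictly below it, applies it with Set-AdfsProperties, and verifies the result. It assumes the ActiveDirectory and ADFS modules are available on an AD FS 2012 R2 server; the $Margin value and the choice to reuse AD's observation window are assumptions, not Microsoft guidance.

```powershell
# Added example (not from the thread): enable AD FS 2012 R2 extranet lockout with a
# threshold strictly below the AD lockout threshold, as the reply above recommends.
# Assumes the ActiveDirectory and ADFS modules on an AD FS server with rights to change
# federation service properties. $Margin and the window choice are assumptions.
Import-Module ActiveDirectory
Import-Module ADFS

function Get-ExtranetLockoutPlan {
    param(
        [int]$AdLockoutThreshold,        # AD lockoutThreshold; 0 means AD never locks accounts
        [timespan]$AdObservationWindow,  # AD lockoutObservationWindow (badPwdCount reset window)
        [int]$Margin = 2                 # how far below the AD threshold to stay (assumption)
    )
    if ($AdLockoutThreshold -le 0) {
        throw "AD lockout threshold is 0; this example assumes AD account lockout is enabled"
    }
    # Stay below the AD threshold so AD FS rejects proxied attempts before AD locks the account.
    $threshold = [Math]::Max(1, $AdLockoutThreshold - $Margin)
    # Reuse AD's reset window so AD FS does not resume letting attempts through while AD is
    # still counting the earlier failures (assumption: equal windows are the safe default).
    return [pscustomobject]@{ Threshold = $threshold; ObservationWindow = $AdObservationWindow }
}

# Domain-wide policy. Users covered by a fine-grained password policy should be checked with
# Get-ADUserResultantPasswordPolicy instead, and the lowest applicable threshold used.
$policy = Get-ADDefaultDomainPasswordPolicy
$plan   = Get-ExtranetLockoutPlan -AdLockoutThreshold $policy.LockoutThreshold `
                                  -AdObservationWindow $policy.LockoutObservationWindow

Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold $plan.Threshold `
                   -ExtranetObservationWindow $plan.ObservationWindow

# Verify that the relationship the reply describes actually holds after the change.
$props = Get-AdfsProperties
if ($props.ExtranetLockoutThreshold -ge $policy.LockoutThreshold) {
    throw "ExtranetLockoutThreshold ($($props.ExtranetLockoutThreshold)) is not below the AD threshold ($($policy.LockoutThreshold))"
}
$props | Select-Object ExtranetLockoutEnabled, ExtranetLockoutThreshold, ExtranetObservationWindow
```

    Extranet lockout only counts requests that arrive through the Web Application Proxy, which is the path the question describes; attempts made directly against internal AD FS servers are not affected by it.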
  • Hi Dwclarknu,

    Satyajit is right, extranet lockout is the only inbuilt feature that can help with this problem. Be aware though that enabling extranet lockout creates a critical dependency on the PDC in your Domain. If the PDC is not available, external authentications will fail. If you have a small environment, that might be ok.

    If you do not have a small environment: that Client IP is passed in an HTTP header of the HTTP GET request, so if you have a reverse proxy capable of SSL offload and doing fancy things with HTTP requests, you can block the request by setting up a rule to look for and block requests with the offending IP in the header.

    Good Luck!

    Shane

    Monday, January 23, 2017 2:28 AM
  • We are also having this issue and did the extranet lockout feature. Do you have more information on how to block the IP via the header?
    Thursday, January 26, 2017 1:45 PM
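    Before writing a header-based block rule of the kind Shane describes, an administrator needs to know which originating addresses are behind the lockouts. The following is an added PowerShell example, not code from any poster in this thread: it parses AD FS event 512 entries (live from the AD FS Admin log, or exported message text passed in) and splits the comma-separated Client IP chain into the originating client and the Office 365 proxy that forwarded the request, then counts attempts per user and originating IP. The sample messages at the bottom are constructed in the shape of the event quoted in the question and are not a real log export.

```powershell
# Added example (not from the thread): triage AD FS event 512 to find which originating
# client IPs are driving lockouts, per user. In the event, "Client IP" is a comma-separated
# chain: the originating client first, then the Office 365 proxy that forwarded the request
# (the value Exchange Online sends to AD FS in the X-MS-Forwarded-Client-IP header).

function Get-AdfsLockoutSource {
    [CmdletBinding()]
    param(
        # Defaults to the live AD FS Admin log; pass -Message to analyse exported text offline.
        [string[]]$Message = (Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 512 } |
                              ForEach-Object { $_.Message })
    )

    $records = foreach ($m in $Message) {
        # Both fields sit on the line after their label, as in the event quoted in the question.
        if (-not ($m -match 'User:\s*(\S+)'))           { continue }
        $user = $Matches[1]
        if (-not ($m -match 'Client IP:\s*([^\r\n]+)')) { continue }
        # @() keeps a single-address chain as an array rather than a string.
        $chain = @($Matches[1].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })

        [pscustomobject]@{
            User          = $user
            OriginatingIP = $chain[0]
            ProxyIP       = if ($chain.Count -gt 1) { $chain[-1] } else { '(direct)' }
        }
    }

    $records |
        Group-Object -Property User, OriginatingIP |
        ForEach-Object {
            [pscustomobject]@{
                User          = $_.Group[0].User
                OriginatingIP = $_.Group[0].OriginatingIP
                ProxyIP       = ($_.Group.ProxyIP | Sort-Object -Unique) -join ','
                Attempts      = $_.Count
            }
        } |
        Sort-Object Attempts -Descending
}

# Constructed sample messages in the shape of the event quoted in the question (not a real export).
$template = "The account for the following user is locked out.  A login attempt is being allowed due to the system configuration.`r`n`r`nAdditional Data`r`n`r`nActivity ID: 00000000-0000-0000-0000-000000000000`r`n`r`nUser:`r`n{0}`r`n`r`nClient IP:`r`n{1}`r`n`r`nBad Password Count:`r`n{2}`r`n`r`nLast Bad Password Attempt:`r`n1/21/2017`r`n"
$sample = @(
    ($template -f 'user1@domain.example', '157.119.234.21,132.245.71.125', 3),
    ($template -f 'user1@domain.example', '157.119.234.21,132.245.71.125', 4),
    ($template -f 'user2@domain.example', '157.119.234.21,132.245.71.125', 2),
    ($template -f 'user3@domain.example', '198.51.100.7', 1)   # reached WAP directly, no proxy hop
)
Get-AdfsLockoutSource -Message $sample | Format-Table -AutoSize
```

    The originating addresses this reports are the values to match in the reverse-proxy rule Shane describes; the header Exchange Online uses to carry them is X-MS-Forwarded-Client-IP. Two caveats for that rule: only trust the header on connections that actually come from the Office 365 proxy addresses (such as the 132.245.71.125 hop seen in the event), since on a direct connection any client can set arbitrary headers, and treat IP blocking as a short-lived measure, with extranet lockout remaining the durable control.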