Federated Services only users - AD accounts

  • Question

  • Hi,

    We've been using ADFS 3 for a while now, on many systems without issue. We recently started using a new SP and have given AD accounts to users who do not have a PC or access to a domain device - they use a mobile device.

    ADFS doesn't update the lastlogon timestamp, so accounts are auto disabled as part of a script, every 30 days, as they are technically inactive.

    How do any of you handle these accounts? Compliance say we can't leave them active, yet they need to access this third party system which is SAML or nothing.

    Limiting the accounts so all they can log into is the ADFS servers means they still work with the SP, and can't access any other domain resource, but I'm wondering if there is a cleaner way?


    • Edited by voyco Monday, November 14, 2016 2:15 PM
    Monday, November 14, 2016 2:07 PM

Answers

  • All my tests show that the LastLogonTimestamp is updated (according to its rules, which means it is updated only if the last time it was updated was more than 14 days ago).

    What type of primary authentication are you using?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Tuesday, November 15, 2016 1:25 PM

All replies

  • Hi,

    We are using SAML, both SP and IDP Initiated.


    • Edited by voyco Thursday, November 17, 2016 12:30 PM
    Thursday, November 17, 2016 12:29 PM
  • Hmm, just realised it does update the lastlogon attribute if I log in via the idpinitiatedsignon URL.
    • Edited by voyco Thursday, November 17, 2016 12:36 PM
    Thursday, November 17, 2016 12:33 PM
  • So what's the status?

    Note that there are two attributes: lastLogon and lastLogonTimestamp. The first one is updated but not replicated; the second one is replicated but it is updated only if the last time it was updated was more than 14 days ago.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, November 17, 2016 10:17 PM
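An added example, not posted by anyone in this thread, showing how an inactivity check can account for the two attributes described above: it reads the non-replicated lastLogon from every domain controller and keeps the newest value, then compares it with the replicated lastLogonTimestamp. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to all DCs; the parameter names $SamAccountName and $InactiveDays are placeholders chosen for this example.

```powershell
# Added example (not from the thread). Determine a user's most recent logon by
# querying lastLogon on each DC, because lastLogon is not replicated and
# lastLogonTimestamp is only refreshed when it is more than 14 days old.
# Assumes the ActiveDirectory module and rights to read every DC.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # placeholder parameter
    [int]$InactiveDays = 30                           # placeholder threshold
)

Import-Module ActiveDirectory

# Both attributes are stored as Windows FILETIME values; 0 means "never".
function ConvertFrom-FileTime([long]$ft) {
    if ($ft -le 0) { return $null }
    return [DateTime]::FromFileTime($ft)
}

# Walk every DC and keep the newest lastLogon seen on any of them.
$latest = $null
foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
        $t = ConvertFrom-FileTime $u.lastLogon
        if ($t -and (-not $latest -or $t -gt $latest)) { $latest = $t }
    } catch {
        # An unreachable DC should be reported, not silently treated as "no logon".
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}

# The replicated attribute, for comparison; any DC can answer this.
$repl = (Get-ADUser -Identity $SamAccountName -Properties lastLogonTimestamp).lastLogonTimestamp
$replDate = ConvertFrom-FileTime $repl

$cutoff = (Get-Date).AddDays(-$InactiveDays)

[pscustomobject]@{
    User                   = $SamAccountName
    LastLogonAnyDC         = $latest
    LastLogonTimestamp     = $replDate
    InactiveByAnyDC        = ($null -eq $latest) -or ($latest -lt $cutoff)
    InactiveByTimestampOnly = ($null -eq $replDate) -or ($replDate -lt $cutoff)
}
```

Because lastLogonTimestamp can trail the real last logon by up to 14 days, a script that disables accounts once that attribute is 30 days old can disable a user who was active as recently as about 16 days ago; checking lastLogon on every DC, as above, removes that gap at the cost of one query per DC.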
  • Marked Pierre's response as answer - many thanks. In my testing now it does indeed update the lastlogon attribute, I just had to figure out on what DC it was updating on.

    I have gone back to the apps support team who raised the initial query, to retest on some accounts.

    Monday, November 21, 2016 4:31 PM