My Notes On Setting Up ADFS 2016 Extranet Smart Lockout


Here are some of the things I found while setting up Extranet Smart Lockout on ADFS 2016. For the most part everything is very straightforward.

This blog post contains my notes on configuring this and is not meant to be a replacement for the actual instructions:

Description of the Extranet Smart Lockout feature in Windows Server 2016

AD FS Extranet Lockout and Extranet Smart Lockout

This article was originally published on 7/26/2018

Enable ADFS Logging

# This adds the audit settings to your existing LogLevel settings
Set-AdfsProperties -LogLevel ((Get-AdfsProperties).LogLevel + 'SuccessAudits','FailureAudits')
# Or just enable all of the logging
Set-AdfsProperties -LogLevel Verbose,Errors,Warnings,Information,SuccessAudits,FailureAudits
# Validate that SuccessAudits and FailureAudits are set
(Get-AdfsProperties).LogLevel

# Make sure the security audit policy is enabled
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
# Validate
auditpol.exe /get /subcategory:"Application Generated"

Enable Extranet Lockout Logging

# It will prompt for credentials; use an account with ADFS administrator rights
Update-AdfsArtifactDatabasePermission
<# Note: if WinRM isn't working correctly on the ADFS farm nodes, it will display a message very similar to the one shown when the patch is missing. #>

# Enable log-only mode first and monitor lockout activity
Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutLogOnly

# Restart the ADFS service
Restart-Service adfssrv

# The lockout threshold is the number of failed password attempts that must occur from an unfamiliar location
# before the account gets locked out on the ADFS side.
Set-AdfsProperties -ExtranetLockoutThreshold 10
(Get-AdfsProperties).ExtranetLockoutThreshold

# The observation window is the amount of time that must pass before the extranet lockout
# automatically unlocks
Set-AdfsProperties -ExtranetObservationWindow (New-TimeSpan -Minutes 15)
(Get-AdfsProperties).ExtranetObservationWindow

# Enable extranet lockout
Set-AdfsProperties -EnableExtranetLockout $true
# Validate
Get-AdfsProperties | Select-Object *lock*,BannedIpList | Format-List

Note: pay attention to the BannedIPList. While troubleshooting an issue where external logons were failing after the update, the second an IP went into the BannedIPList it didn't seem to matter what the Mode was set to or whether lockout was enabled.

Test Extranet Smart Lockout

Open the web browser of your choice and go to the ADFS farm's external IdpInitiatedSignon page; you may have to update the hosts file to point at the external IP.

You may have to enable it first: How to Enable IdpInitiatedSignon Page In AD FS 2016

Enter bad passwords for a user multiple times.

# Check the user's ADFS account activity (the identity is the user's email address / UPN)
Get-ADFSAccountActivity Aedan.Stokes@16lab.chadcolabs.us
# Check whether the user's bad password count in AD is increasing (the identity is the sAMAccountName)
Get-ADUser 112571 -Properties badPwdCount,lockedOut

On the ADFS server the following events appear in the Security event log:

Event ID 1203

The Federation Service failed to validate a new credential. See XML for failure details. 
 
Activity ID: b71497c7-bb2d-496b-ff1e-0080000000c8 
 
Additional Data 
XML: <?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FreshCredentialAudit">
  <AuditType>FreshCredentials</AuditType>
  <AuditResult>Failure</AuditResult>
  <FailureType>CredentialValidationError</FailureType>
  <ErrorCode>N/A</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>http://sts.16lab.chadcolabs.us/adfs/services/trust</RelyingParty>
      <ClaimsProvider>N/A</ClaimsProvider>
      <UserId>Aedan.Stokes@16lab.chadcolabs.us</UserId>
    </Component>
    <Component xsi:type="AuthNAuditComponent">
      <PrimaryAuth>N/A</PrimaryAuth>
      <DeviceAuth>false</DeviceAuth>
      <DeviceId>N/A</DeviceId>
      <MfaPerformed>false</MfaPerformed>
      <MfaMethod>N/A</MfaMethod>
      <TokenBindingProvidedId>false</TokenBindingProvidedId>
      <TokenBindingReferredId>false</TokenBindingReferredId>
      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>
    </Component>
    <Component xsi:type="ProtocolAuditComponent">
      <OAuthClientId>N/A</OAuthClientId>
      <OAuthGrant>N/A</OAuthGrant>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <Server>http://sts.16lab.chadcolabs.us/adfs/services/trust</Server>
      <AuthProtocol>SAMLP</AuthProtocol>
      <NetworkLocation>Extranet</NetworkLocation>
      <IpAddress>10.10.10.25</IpAddress>
      <ForwardedIpAddress>10.10.10.25</ForwardedIpAddress>
      <ProxyIpAddress>N/A</ProxyIpAddress>
      <NetworkIpAddress>N/A</NetworkIpAddress>
      <ProxyServer>16LAB-WAP1</ProxyServer>
      <UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134</UserAgentString>
      <Endpoint>/adfs/ls/idpinitiatedsignon</Endpoint>
    </Component>
  </ContextComponents>
</AuditBase>

 

*I like that the log calls out the proxy server the user is coming through

Event ID 1201

The Federation Service failed to issue a valid token. See XML for failure details. 
 
Activity ID: b71497c7-bb2d-496b-ff1e-0080000000c8 
 
Additional Data 
XML: <?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit">
  <AuditType>AppToken</AuditType>
  <AuditResult>Failure</AuditResult>
  <FailureType>GenericError</FailureType>
  <ErrorCode>N/A</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>http://sts.16lab.chadcolabs.us/adfs/services/trust</RelyingParty>
      <ClaimsProvider>N/A</ClaimsProvider>
      <UserId>Aedan.Stokes@16lab.chadcolabs.us</UserId>
    </Component>
    <Component xsi:type="AuthNAuditComponent">
      <PrimaryAuth>N/A</PrimaryAuth>
      <DeviceAuth>false</DeviceAuth>
      <DeviceId>N/A</DeviceId>
      <MfaPerformed>false</MfaPerformed>
      <MfaMethod>N/A</MfaMethod>
      <TokenBindingProvidedId>false</TokenBindingProvidedId>
      <TokenBindingReferredId>false</TokenBindingReferredId>
      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>
    </Component>
    <Component xsi:type="ProtocolAuditComponent">
      <OAuthClientId>N/A</OAuthClientId>
      <OAuthGrant>N/A</OAuthGrant>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <Server>http://sts.16lab.chadcolabs.us/adfs/services/trust</Server>
      <AuthProtocol>SAMLP</AuthProtocol>
      <NetworkLocation>Extranet</NetworkLocation>
      <IpAddress>10.10.10.25</IpAddress>
      <ForwardedIpAddress>10.10.10.25</ForwardedIpAddress>
      <ProxyIpAddress>N/A</ProxyIpAddress>
      <NetworkIpAddress>N/A</NetworkIpAddress>
      <ProxyServer>16LAB-WAP1</ProxyServer>
      <UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134</UserAgentString>
      <Endpoint>/adfs/ls/idpinitiatedsignon</Endpoint>
    </Component>
  </ContextComponents>
</AuditBase>

Event ID 4625

An account failed to log on.
 
Subject:
    Security ID:        NULL SID
    Account Name:        -
    Account Domain:        -
    Logon ID:        0x0
 
Logon Type:            3
 
Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:        ADMINISTRATOR
    Account Domain:        
 
Failure Information:
    Failure Reason:        Unknown user name or bad password.
    Status:            0xC000006D
    Sub Status:        0xC0000064
 
Process Information:
    Caller Process ID:    0x0
    Caller Process Name:    -
 
Network Information:
    Workstation Name:    -
    Source Network Address:    108.30.90.24
    Source Port:        0
 
Detailed Authentication Information:
    Logon Process:        NtLmSsp 
    Authentication Package:    NTLM
    Transited Services:    -
    Package Name (NTLM only):    -
    Key Length:        0

*The IP in this event is not the client's IP.

Once the lockout occurs, Event ID 1210 is logged:

An extranet lockout event has occurred. See XML for failure details. 
 
Activity ID: f84f9e76-a6ba-49eb-5401-0080000000c7 
 
Additional Data 
XML: <?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ExtranetLockoutAudit">
  <AuditType>ExtranetLockout</AuditType>
  <AuditResult>Failure</AuditResult>
  <FailureType>ExtranetLockoutError</FailureType>
  <ErrorCode>AccountRestrictedAudit</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>http://sts.16lab.chadcolabs.us/adfs/services/trust</RelyingParty>
      <ClaimsProvider>N/A</ClaimsProvider>
      <UserId>CONTOSO\225866</UserId>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <Server>N/A</Server>
      <AuthProtocol>SAMLP</AuthProtocol>
      <NetworkLocation>Extranet</NetworkLocation>
      <IpAddress>10.10.10.25</IpAddress>
      <ForwardedIpAddress>10.10.10.25</ForwardedIpAddress>
      <ProxyIpAddress>N/A</ProxyIpAddress>
      <NetworkIpAddress>N/A</NetworkIpAddress>
      <ProxyServer>16LAB-WAP1</ProxyServer>
      <UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134</UserAgentString>
      <Endpoint>/adfs/ls/idpinitiatedsignon</Endpoint>
    </Component>
    <Component xsi:type="LockoutConfigAuditComponent">
      <CurrentBadPasswordCount>10</CurrentBadPasswordCount>
      <ConfigBadPasswordCount>10</ConfigBadPasswordCount>
      <LastBadAttempt>07/26/2018 18:22:10</LastBadAttempt>
      <LockoutWindowConfig>00:15:00</LockoutWindowConfig>
    </Component>
  </ContextComponents>
</AuditBase>

One question I need to get an answer on is: what if the IP address in 1201 or 1203 is the load balancer and not the actual client? Updated 7/27/2018: if the IP address is the load balancer, then more than likely the WAP and/or ADFS load balancer is not configured to send the client IP in the X-MS-Forwarded-For header. Work with the LB vendor to figure out the correct configuration.
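Added example (not part of the original post): a PowerShell snippet that parses the audit XML out of the 1203/1210 event messages and summarises the 1210 lockouts per user, listing IpAddress beside ForwardedIpAddress so a load-balancer address in place of the client's stands out. The embedded sample message is constructed from the 1210 event above.

```powershell
# Added example (not part of the original post): turn the audit XML inside AD FS
# Security-log events 1203/1210 into objects and summarise lockouts per user.
function ConvertFrom-AdfsAuditMessage {
    param([Parameter(Mandatory)][string]$Message)
    # The message is free text followed by "XML: <?xml ...>"; keep only the XML part.
    $xmlText = ($Message -split 'XML:\s*', 2)[1]
    if (-not $xmlText) { return $null }
    # The declaration claims utf-16, but we already hold a string, so drop it before parsing.
    [xml]$doc = $xmlText -replace '^\s*<\?xml[^>]*\?>', ''
    $parts = @($doc.AuditBase.ContextComponents.Component)
    # Components are recognised by the child elements they carry (see the events above).
    $resource = $parts | Where-Object { $_.UserId }
    $request  = $parts | Where-Object { $_.IpAddress }
    $lockout  = $parts | Where-Object { $_.CurrentBadPasswordCount }
    [pscustomobject]@{
        AuditType   = $doc.AuditBase.AuditType
        UserId      = $resource.UserId
        IpAddress   = $request.IpAddress            # address the AD FS node saw (WAP or load balancer)
        ForwardedIp = $request.ForwardedIpAddress   # client address passed on by the proxy header
        ProxyServer = $request.ProxyServer
        BadCount    = $lockout.CurrentBadPasswordCount
    }
}
# Live use on an AD FS node: 1210 lockout audits from the Security log, grouped by user.
function Get-AdfsLockoutSummary {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1210; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object { ConvertFrom-AdfsAuditMessage -Message $_.Message } |
        Group-Object UserId | ForEach-Object {
            [pscustomobject]@{
                UserId       = $_.Name
                Lockouts     = $_.Count
                ForwardedIps = ($_.Group.ForwardedIp | Sort-Object -Unique) -join ','
                ProxyServers = ($_.Group.ProxyServer | Sort-Object -Unique) -join ','
            }
        }
}
# Constructed sample: the 1210 message from this post, trimmed to the elements used above.
$sample = @'
An extranet lockout event has occurred. See XML for failure details.
XML: <?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ExtranetLockoutAudit">
  <AuditType>ExtranetLockout</AuditType><ContextComponents>
    <Component xsi:type="ResourceAuditComponent"><UserId>CONTOSO\225866</UserId></Component>
    <Component xsi:type="RequestAuditComponent"><IpAddress>10.10.10.25</IpAddress>
      <ForwardedIpAddress>10.10.10.25</ForwardedIpAddress><ProxyServer>16LAB-WAP1</ProxyServer></Component>
    <Component xsi:type="LockoutConfigAuditComponent"><CurrentBadPasswordCount>10</CurrentBadPasswordCount></Component>
  </ContextComponents></AuditBase>
'@
ConvertFrom-AdfsAuditMessage -Message $sample | Format-List
```

If ForwardedIp is empty or always equals the load balancer's address across many users, the forwarding header is the first thing to check with the LB vendor.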

One of the main reasons for this feature is legacy authentication coming from Exchange Online / Office 365. To test this, the logon type can be duplicated by creating a new account in Outlook and manually configuring Exchange ActiveSync against the outlook.office365.com server.

Enforce Extranet Smart Lockout

# After you review the logs and feel comfortable, enable ADFS Smart Lockout enforcement
Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce
# Restart the ADFS service on every node in the farm (Restart-Service has no -ComputerName
# parameter, so use Invoke-Command against each of the other nodes)
Restart-Service adfssrv

# Validate
Get-AdfsProperties | Select-Object *lock*,BannedIpList | Format-List
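Added example (not part of the original post): a PowerShell pre-flight check for the enforce step that confirms the audits, log-only mode and an empty BannedIpList before flipping the mode and restarting adfssrv on each farm node over WinRM. The farm node names passed to it are assumed.

```powershell
# Added example (not part of the original post): check the log-only rollout state before
# switching to enforce, then restart adfssrv on every farm node over WinRM. $FarmNodes is assumed.
function Test-AdfsSmartLockoutReady {
    $p = Get-AdfsProperties
    $checks = [ordered]@{
        'SuccessAudits and FailureAudits in LogLevel' = ('SuccessAudits' -in $p.LogLevel) -and ('FailureAudits' -in $p.LogLevel)
        'EnableExtranetLockout is true'               = [bool]$p.EnableExtranetLockout
        'Mode is ADFSSmartLockoutLogOnly'             = "$($p.ExtranetLockoutMode)" -eq 'ADFSSmartLockoutLogOnly'
        'ExtranetLockoutThreshold is set'             = $p.ExtranetLockoutThreshold -gt 0
        'ExtranetObservationWindow is set'            = $p.ExtranetObservationWindow -gt [timespan]::Zero
        # See the BannedIPList note above: a banned address is blocked regardless of the mode.
        'BannedIpList is empty'                       = -not $p.BannedIpList
    }
    foreach ($c in $checks.GetEnumerator()) { [pscustomobject]@{ Check = $c.Key; Pass = [bool]$c.Value } }
}

function Enable-AdfsSmartLockoutEnforce {
    param([Parameter(Mandatory)][string[]]$FarmNodes)   # FQDNs of every node in the farm (assumed)
    $failed = Test-AdfsSmartLockoutReady | Where-Object { -not $_.Pass }
    if ($failed) { throw "Not ready to enforce: $($failed.Check -join '; ')" }
    Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce
    # Restart-Service has no -ComputerName parameter, so run the restart on each node remotely.
    foreach ($node in $FarmNodes) { Invoke-Command -ComputerName $node -ScriptBlock { Restart-Service adfssrv } }
    Get-AdfsProperties | Select-Object ExtranetLockoutMode, EnableExtranetLockout, ExtranetLockoutThreshold, BannedIpList
}

# Usage with assumed node names:
# Test-AdfsSmartLockoutReady
# Enable-AdfsSmartLockoutEnforce -FarmNodes 'adfs1.example.test','adfs2.example.test'
```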

For the first test, I will continue with the same user and enter multiple (20 or so) bad passwords.

Get-ADFSAccountActivity Aedan.Stokes@16lab.chadcolabs.us
get-aduser 112571 -properties badPwdCount,lockedout

*Note: once enforcement is on, the user's Active Directory badPwdCount does not increment past the unfamiliar-location threshold (ExtranetLockoutThreshold).

Next use a different account and perform a good password logon.

# View the ADFS account activity
Get-ADFSAccountActivity Abdiel.Conrad@16lab.chadcolabs.us
# A familiar IP is now listed

Repeat the logon to ADFS with several bad passwords.

# View the ADFS account activity
Get-ADFSAccountActivity Abdiel.Conrad@16lab.chadcolabs.us
# Note that Familiar Lockout is now set to true
Get-ADUser 225866 -Properties badPwdCount,lockedOut

That is all for today. As I was running through the instructions I wasn't sure what I should be seeing, so I figured I would share what I experienced. The next topic will be on banned IPs.

-Chad