Here are some of the things I have found while setting up Extranet Smart Lockout on ADFS 2016. For the most part everything is very straight forward.
This blog is my notes about configuring this and is not meant to be a replacement for the actual instructions:
This article was originally published on 7/26/2018
Enable ADFS Logging
Enable Extranet Lockout Logging
Note: pay attention to the BannedIPList. While troubleshooting an issue where external logons were failing after the update, the second an IP went into the BannedIPList it didn’t seem to matter what the Mode was set to or that it wasn’t enabled.
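As an added example (not from the original post), here is the PowerShell I would run on an ADFS 2016 node to turn on the auditing the steps above rely on, review the current lockout configuration, and put the farm into log-only mode before testing. The cmdlets and property names are the real ones from the ADFS module; the threshold and observation-window values are lab choices, and the way an empty array clears the BannedIpList is an assumption.

```powershell
# Added example, not the post's own commands. Run elevated on an ADFS 2016 server.
Import-Module ADFS

# 1. Turn on the ADFS audit events (1203/1201/1210 land in the Security log).
#    Both the ADFS audit level and the Windows audit policy are needed.
Set-AdfsProperties -AuditLevel Verbose
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

# 2. Review the current Extranet Lockout configuration.
$p = Get-AdfsProperties
$p | Select-Object ExtranetLockoutEnabled, ExtranetLockoutMode,
                   ExtranetLockoutThreshold, ExtranetObservationWindow,
                   ExtranetLockoutRequirePDC, BannedIpList | Format-List

# 3. Start in log-only mode so the new events can be observed without locking
#    anyone out (threshold and window are lab values, not recommendations).
Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutLogOnly `
                   -ExtranetLockoutThreshold 15 `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes 30)

# Sanity check: the BannedIpList blocks regardless of mode, so an unexpected
# entry here explains external logon failures that ignore the Mode setting.
if ($p.BannedIpList -and $p.BannedIpList.Count -gt 0) {
    Write-Warning "BannedIpList is not empty: $($p.BannedIpList -join ', ')"
    # To reset it, pass the entries you actually want to keep
    # (an empty array clears the list; assumption):
    # Set-AdfsProperties -BannedIpList @()
}

# 4. Later, switch to enforcement for the "Enforce Extranet Smart Lockout" test:
# Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce

# A mode change needs the ADFS service restarted on every node in the farm:
# Restart-Service adfssrv
```

Run the Select-Object step again after the restart on each node; a farm where one node still reports ADPasswordCounter will behave differently depending on which node the load balancer picks.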
Test Extranet Smart Lockout
Open the web browser of your choice and go to the ADFS farm’s external IdpInitiatedSignon page; you may have to update the hosts file to point the ADFS name at the external IP.
You may have to enable: How to Enable IdpInitiatedSignon Page In AD FS 2016
Enter bad passwords for a user multiple times.
On the ADFS Server the following events are in the Security Event Log
Event ID 1203
*I like that the log calls out the proxy server the user is coming through
Event ID 1201
Event ID 4625
*The IP in this event is not the client’s IP
Once the lockout occurs Event ID 1210
One question I need to get an answer on is: what if the IP address in 1201 or 1203 is the load balancer, not the actual client? Updated 7/27/2018: if the IP address is the load balancer, then more than likely the WAP’s and/or ADFS’s load balancer is not configured to send the client IP in the X-MS-Forwarded-For header. Work with the LB vendor to figure out the correct configuration.
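As an added example (not from the original post), the script below pulls the 1203, 1201 and 1210 audit events listed above out of the Security log and tabulates the IP each failed logon is attributed to, then flags the load-balancer problem just described: if every 1203 carries the LB address, X-MS-Forwarded-For is not reaching ADFS. Event 4625 is left out because, as noted, its IP is not the client’s. The element names parsed from the event body (UserId, IpAddress, ForwardedIpAddress, ProxyServer) are an assumption about the XML ADFS embeds in the message, and the load-balancer address is a constructed lab value.

```powershell
# Added example, not the post's own script. Run on an ADFS 2016 server with
# auditing enabled. Adjust the XML element names to what your 1203 events show.
param(
    [int]$Hours = 2,
    [string]$LoadBalancerIp = '203.0.113.10'   # constructed lab value: the LB's address
)

$filter = @{
    LogName   = 'Security'
    Id        = 1203, 1201, 1210
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

function Get-AuditField {
    # Pull one element out of the XML body ADFS embeds in the event message
    # (element names are an assumption; see lead-in).
    param([string]$Message, [string]$Name)
    if ($Message -match "<$Name>(.*?)</$Name>") { return $Matches[1] }
    return $null
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        User     = Get-AuditField $e.Message 'UserId'
        ClientIp = Get-AuditField $e.Message 'IpAddress'
        XffIp    = Get-AuditField $e.Message 'ForwardedIpAddress'
        Proxy    = Get-AuditField $e.Message 'ProxyServer'
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# Load-balancer check: when every failed logon appears to come from the LB,
# Smart Lockout cannot tell familiar from unfamiliar locations, and one
# attacker's failures will count against every user behind that address.
$failed = @($rows | Where-Object Id -eq 1203)
$fromLb = @($failed | Where-Object { $_.ClientIp -eq $LoadBalancerIp }).Count
if ($failed.Count -gt 0 -and $fromLb -eq $failed.Count) {
    Write-Warning "All $fromLb failed logons carry the load balancer IP $LoadBalancerIp; check X-MS-Forwarded-For on the WAP/ADFS load balancer."
}

# Lockouts (1210) per user in the window, useful for spotting a single account
# being hammered versus many accounts each tripping once.
$rows | Where-Object Id -eq 1210 | Group-Object User |
    Select-Object Name, Count | Format-Table -AutoSize
```

The XffIp column is the one to watch when validating the load balancer fix: once the header is passed through, it should show the real client address while ClientIp still shows the WAP or LB.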
One of the main reasons for this feature is legacy authentication coming from Exchange Online / Office 365. To test it, this logon type can be duplicated by creating a new account in Outlook and manually configuring Exchange ActiveSync against the outlook.office365.com server.
Enforce Extranet Smart Lockout
First test: I will continue with the same user and enter multiple (20 or so) bad passwords.
*Note: once it is enforced, the user’s Active Directory account does not increment past the unknown threshold.
Next, use a different account and perform a good-password logon.
Repeat the logon to ADFS with several bad passwords.
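As an added example (not from the original post), this is how I would snapshot a test account from both sides while running the enforce test above, so the "AD account does not increment past the threshold" observation can be checked rather than eyeballed. Get-ADFSAccountActivity and Reset-ADFSAccountLockout ship with the ADFS 2016 Extranet Smart Lockout update; the output property names used here (BadPwdCountUnknown, BadPwdCountFamiliar, UnknownLockout, FamiliarLockout, FamiliarIps) are my recollection of that cmdlet’s output and should be treated as an assumption. Get-ADUser needs the ActiveDirectory RSAT module. The account and domain names are constructed lab values.

```powershell
# Added example, not the post's own script. Run on an ADFS 2016 node after the
# Extranet Smart Lockout update, with RSAT-AD-PowerShell installed.
Import-Module ADFS
Import-Module ActiveDirectory

$testUser = 'esltest'                        # constructed lab account
$upn      = "$testUser@corp.example.com"     # constructed lab UPN

function Get-LockoutSnapshot {
    param([string]$SamAccountName, [string]$Upn)

    # ADFS's view: bad password counts tracked separately for familiar and
    # unknown locations (property names are an assumption; see lead-in).
    $adfs = Get-ADFSAccountActivity -Identity $Upn

    # AD's view. badPwdCount is not replicated, so ask the PDC emulator, which
    # is where ADFS sends the validation when ExtranetLockoutRequirePDC is set.
    $pdc = (Get-ADDomain).PDCEmulator
    $ad  = Get-ADUser -Identity $SamAccountName -Server $pdc `
                      -Properties badPwdCount, LockedOut, lockoutTime

    [pscustomobject]@{
        Time               = Get-Date
        AdfsBadPwdUnknown  = $adfs.BadPwdCountUnknown
        AdfsBadPwdFamiliar = $adfs.BadPwdCountFamiliar
        AdfsUnknownLockout = $adfs.UnknownLockout
        AdfsFamiliarLockout= $adfs.FamiliarLockout
        AdfsFamiliarIps    = ($adfs.FamiliarIps -join ', ')
        AdBadPwdCount      = $ad.badPwdCount
        AdLockedOut        = $ad.LockedOut
    }
}

# Take one snapshot before the bad-password attempts and one after each batch.
# In enforce mode, AdBadPwdCount should stop rising at the ADFS threshold while
# AdLockedOut stays False, provided the ADFS threshold is below AD's own.
$before = Get-LockoutSnapshot -SamAccountName $testUser -Upn $upn
# ... enter the bad passwords through the external IdpInitiatedSignon page ...
$after  = Get-LockoutSnapshot -SamAccountName $testUser -Upn $upn
$before, $after | Format-Table -AutoSize

# After the test, clear the ADFS-side lockout for the account without touching
# the AD account (the -Location value matches the side that tripped).
# Reset-ADFSAccountLockout -Identity $upn -Location Unknown
```

Comparing the two snapshots side by side is also the quickest way to confirm the mode change actually took effect on the node that served the request: in ADPasswordCounter mode the AD counter keeps climbing with every attempt.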
That is all for today. As I was running through the instructions and wasn’t sure what I should be seeing, I figured I would share what I experienced. The next topic will be on banned IPs.