ADFS Extranet Lockout Protection

Francis Ouellet
Published in DACIMM
Aug 3, 2017


ADFS login page

So you’ve configured both your Web Application Proxy (WAP) and ADFS 3.0 or ADFS 2016 (as the Microsoft documentation seems to refer to it now) servers, federated your domain, and now all of your users can authenticate to Office 365 without being prompted for a username and password. You pat yourself on the back for a job well done and…

…you’ve just potentially opened the door to a mass denial of service (by way of account lockout). From my experience this is probably the most overlooked ADFS configuration setting among my clients, which is why I’ve decided to post about it even though it has been covered more than once.

The Problem

Out of the box, both ADFS 3.0 and ADFS 2016 will allow external and internal authentication requests to be sent to your domain controllers, exposing your Active Directory user accounts to being locked out after n unsuccessful attempts (based on your domain password policy) from outside your network (read: the internet).

While this isn’t much of an issue internally, it can lead to a lot of problems if someone (a.k.a. the infamous malicious user/employee) wanted to lock out your users by trying to authenticate with their email address (extra points if your login is different from your primary email address) and a random password.

tl;dr

Out of the box, ADFS allows external authentication attempts to lock out your Active Directory users. You don’t want that.

The Solution

Here comes ADFS Extranet Lockout Protection. This setting allows you to set a maximum number of failed authentication requests within a given window, after which ADFS stops sending them to your domain controllers.

The Settings

Configuring ADFS Extranet Lockout Protection is fairly straightforward; only 3 settings (or 4 if you use ADFS 2016) are available:

  • EnableExtranetLockout: Enables Extranet Lockout Protection when set to $true.
  • ExtranetLockoutThreshold: The maximum number of bad authentication attempts.
  • ExtranetObservationWindow: The time window during which ADFS will not send authentication attempts for the account to Active Directory once the threshold has been reached.
  • ExtranetLockoutRequirePDC: When set to $false, this ADFS 2016-only setting removes the requirement for the PDC emulator to be available for Extranet Lockout Protection to work. Setting it to $true enables a behaviour similar to ADFS 3.0 and requires the PDC emulator to be online for authentication to work.

Caveats

Yeah, sorry, this nifty little feature comes at a cost, or at least with a few words of caution.

Multi-forest environments

If you use ADFS in a multi-forest environment you need to make sure that all your account lockout policies (and fine-grained password policies) are in line. The extranet lockout protection applies to every domain ADFS can authenticate users to.

ADFS 3.0

Enabling this feature under ADFS 3.0 will make your external authentication dependent on the PDC Emulator being available at all times.

This requirement exists because ADFS checks the value of the badPwdCount attribute for the user being authenticated. This attribute isn’t replicated to every domain controller, hence the requirement for the PDC Emulator to be available.

You can kiss your perfect Active Directory site/site link design (that directed cross-forest authentication from ADFS to a specific site) goodbye and start making sure your ADFS servers and all your PDC Emulators (we are in a multi-domain/forest scenario, remember?) can communicate over port 389 (UDP and TCP).

Best Practices

First and foremost, patch your ADFS servers. Do it ASAP, before enabling Extranet Lockout Protection (especially on 2012 R2).

You want your settings to be more restrictive than your Active Directory account lockout policy so that your users don’t lock themselves out before the ADFS Extranet Lockout Protection kicks in.

Here is a typical lockout policy taken from the Default Domain Policy:

Typical Account Lockout Policy in Active Directory

Based on the previous Active Directory Account Lockout Policy, you can use PowerShell to configure ADFS Extranet Lockout Protection in your environment with the following commands:

ADFS 3.0

Enabling Extranet Lockout Protection under ADFS 3.0

ADFS 2016

Enabling Extranet Lockout Protection under ADFS 2016
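The two command listings the captions above refer to were embedded gists that did not survive extraction. The following is an added example of my own, not the post's gists, covering both the ADFS 3.0 and ADFS 2016 cases in one script. The threshold and window values (15 attempts, 30 minutes) are assumed from the sample Get-AdfsProperties output shown later in the post, and $requirePdc is a value you choose for your environment; the cmdlet and parameter names are the real Set-AdfsProperties ones listed in the Settings section.

```powershell
# Added example (not the post's own gists): enabling ADFS Extranet Lockout Protection.
# 15 attempts / 30 minutes are assumed from the sample Get-AdfsProperties output in the post.
# Pick values that are stricter than your Active Directory account lockout policy,
# so that ADFS stops forwarding attempts before AD locks the account.
Import-Module ADFS

$threshold  = 15
$window     = New-TimeSpan -Minutes 30
$requirePdc = $true   # ADFS 2016 only: $false removes the PDC emulator dependency (see Caveats)

# ADFS 3.0 (Windows Server 2012 R2) and ADFS 2016 share these three settings.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold $threshold `
                   -ExtranetObservationWindow $window

# The fourth setting exists only on ADFS 2016. Probing the cmdlet for the parameter
# avoids guessing the OS version and avoids a parameter error on 2012 R2.
if ((Get-Command Set-AdfsProperties).Parameters.ContainsKey('ExtranetLockoutRequirePDC')) {
    Set-AdfsProperties -ExtranetLockoutRequirePDC $requirePdc
}
```

Run it in an elevated PowerShell session on a federation server; the settings are stored in the ADFS configuration database, so they apply to every node in the farm.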

To see if the settings have been correctly entered you may run the following command on your ADFS server:

Get-AdfsProperties | fl *Extranet*

And expect a similar output:

ExtranetLockoutThreshold : 15
ExtranetLockoutEnabled : True
ExtranetObservationWindow : 00:30:00
ExtranetLockoutRequirePDC : True

That should be it. You have now configured Extranet Lockout Protection on ADFS 3.0 or ADFS 2016.
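Reading the four properties back confirms they were saved, but not that they are actually stricter than the Active Directory policies behind them, which is what the Best Practices and multi-forest sections ask for. The script below is an added example of mine, not from the post: it walks every domain in the local forest (the Domains parameter is an assumption; pass the list of domains your ADFS farm authenticates to), reads the default lockout policy and any fine-grained password policies, and flags each one where ADFS is not more restrictive. Requires the ADFS and ActiveDirectory modules (RSAT-AD-PowerShell) on the server where it runs.

```powershell
# Added example (not from the post): confirm ADFS extranet lockout is more restrictive
# than every Active Directory lockout policy it fronts, including fine-grained policies.
Import-Module ADFS
Import-Module ActiveDirectory

function Test-ExtranetLockoutAlignment {
    param(
        # Domains ADFS can authenticate users to. Default (assumption): all domains in the forest.
        [string[]]$Domains = (Get-ADForest).Domains
    )
    $adfs     = Get-AdfsProperties
    $findings = @()

    foreach ($domain in $Domains) {
        # Default domain policy plus any fine-grained policies (which override it per user/group).
        $policies  = @(Get-ADDefaultDomainPasswordPolicy -Server $domain)
        $policies += @(Get-ADFineGrainedPasswordPolicy -Filter * -Server $domain)

        foreach ($policy in $policies) {
            $name  = if ($policy.PSObject.Properties['Name']) { $policy.Name } else { 'Default Domain Policy' }
            $notes = @()

            if (-not $adfs.ExtranetLockoutEnabled) {
                $notes += 'Extranet lockout is disabled'
            }
            if ($policy.LockoutThreshold -eq 0) {
                $notes += 'AD never locks accounts (threshold 0); ADFS setting only rate-limits guessing'
            } elseif ($adfs.ExtranetLockoutThreshold -ge $policy.LockoutThreshold) {
                $notes += "ADFS threshold $($adfs.ExtranetLockoutThreshold) is not below AD threshold $($policy.LockoutThreshold)"
            }
            # Assumption behind this check: a shorter ADFS window lets attempts resume while
            # AD's bad-password counter is still running, so the ADFS window should be at
            # least as long as AD's observation window.
            if ($policy.LockoutThreshold -ne 0 -and
                $adfs.ExtranetObservationWindow -lt $policy.LockoutObservationWindow) {
                $notes += "ADFS window $($adfs.ExtranetObservationWindow) is shorter than AD window $($policy.LockoutObservationWindow)"
            }

            $findings += [pscustomobject]@{
                Domain        = $domain
                Policy        = $name
                AdThreshold   = $policy.LockoutThreshold
                AdWindow      = $policy.LockoutObservationWindow
                AdfsThreshold = $adfs.ExtranetLockoutThreshold
                AdfsWindow    = $adfs.ExtranetObservationWindow
                Aligned       = ($notes.Count -eq 0)
                Notes         = ($notes -join '; ')
            }
        }
    }
    return $findings
}

Test-ExtranetLockoutAlignment | Format-Table -AutoSize
```

A row with Aligned set to False tells you which domain and which policy would lock the account before ADFS stops forwarding; fix the ADFS values or the policy, then rerun. Trusted forests are not enumerated by Get-ADForest, so pass their domains explicitly through the Domains parameter.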

The next thing on your list should be to configure proper auditing on your ADFS server so you can pinpoint the source of external lockouts.
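As an added example of what that auditing setup can look like (mine, not the post's), the script below enables the audit subcategory ADFS writes to, raises the audit level where the cmdlet supports it, and summarises failed credential validations by user and client IP. Assumptions, labelled in the comments as well: the ADFS service account already holds the "Generate security audits" right (granted during ADFS setup), and the relevant failure events are ID 411 (ADFS 3.0, token validation failed) and ID 1203 (ADFS 2016, fresh credential validation error) from the "AD FS Auditing" provider; the message-parsing patterns are loose guesses that you should tighten against your own events.

```powershell
# Added example (not from the post): enable ADFS auditing and summarise failed
# credential validations by user and client IP to locate the source of extranet lockouts.
# Run as administrator on the ADFS server.
# Assumptions: the ADFS service account has the "Generate security audits" right, and the
# failure events are 411 (ADFS 3.0) and 1203 (ADFS 2016) from provider "AD FS Auditing".
# Verify both IDs in your own Security log before relying on them.

# ADFS audit events land in the Security log under this subcategory.
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

# ADFS 2016 exposes an audit level; the parameter does not exist on ADFS 3.0.
if ((Get-Command Set-AdfsProperties).Parameters.ContainsKey('AuditLevel')) {
    Set-AdfsProperties -AuditLevel Verbose
}

function Get-AdfsCredentialFailureSummary {
    param([int]$Hours = 24)

    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'AD FS Auditing'
        Id           = 411, 1203
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        # Message layout differs between versions, so pull the user (UPN or DOMAIN\user)
        # and the client IPv4 address out with loose patterns (assumption); tighten to taste.
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            User     = [regex]::Match($_.Message, '[\w.\-]+@[\w.\-]+|[\w.\-]+\\[\w.\-]+').Value
            ClientIp = [regex]::Match($_.Message, '\b(?:\d{1,3}\.){3}\d{1,3}\b').Value
        }
    } | Group-Object User, ClientIp | Sort-Object Count -Descending |
        Select-Object Count,
            @{ Name = 'User';     Expression = { $_.Group[0].User } },
            @{ Name = 'ClientIp'; Expression = { $_.Group[0].ClientIp } }
}

Get-AdfsCredentialFailureSummary -Hours 24 | Format-Table -AutoSize
```

A single user with many failures from one external address is the pattern an extranet lockout produces; with the WAP in front, the client IP you see may be the WAP's own address unless the proxy forwards the original one, so correlate with the WAP logs where needed.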

Last Words

Hopefully this post had enough information to help you set up Extranet Lockout Protection in your ADFS environment. For more information I highly suggest you take a look at the following references:

References


Father of two. I help enterprises manage and deploy identity, directory, access, messaging and enterprise mobility solutions. Trying very hard to be a mensch.