When a company is exposed on the internet, meaning it has portals and services listening for user connections (public websites, VPN servers, etc.), it is inevitable that hackers or malicious entities discover it and try to penetrate the organization. In most cases these attempts mean brute-forcing passwords for known or guessed user accounts. When using Microsoft Exchange we open up many connection paths: Exchange SMTP for mail flow, Exchange OWA for web-based access, ActiveSync for mobile devices, Outlook Anywhere, the MAPI over HTTP listener for Outlook clients, etc.
If ADFS is used for authentication in the organization, user authentication attempts are validated on-prem against the local AD. This is very convenient because of single sign-on (the user enters one password once and can then access multiple resources throughout the organization), but it also means that if an attacker tries wrong passwords too many times, AD will lock out even our legitimate users. This depends on the account lockout policy; usually after 5 failed attempts the user account is locked by the system and may be unlocked after a certain period of time.
To prevent that from happening, ADFS external lockout was developed. It handles authentication requests and blocks users when it sees suspicious activity from certain IP addresses, while allowing valid users to continue using their accounts.
1. Set Up ADFS External Lockout
```powershell
# Enable verbose ADFS auditing
PS C:\> Set-AdfsProperties -Auditlevel verbose
PS C:\> Set-ADFSProperties -LogLevel Verbose,Errors,Warnings,Information
PS C:\> Restart-Service -Name adfssrv

# Enable Windows auditing for the "Application Generated" subcategory
PS C:\> auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
The command was successfully executed.

# Configure permissions for the ADFS artifact store
PS C:\> $cr = Get-Credential -Message "Admin Creds Here" -UserName alwayshotcafe\za
PS C:\> Update-AdfsArtifactDatabasePermission -Credential $cr

# Enable ADFS Smart Lockout
PS C:\> Set-AdfsProperties -ExtranetLockoutMode ADFSSmartLockoutEnforce

Confirm
This command will set the extranet lockout mode to AdfsSmartLockout. Verify all nodes have up to date patches and appropriate database permissions have been assigned by running Update-AdfsArtifactDatabasePermission. See https://go.microsoft.com/fwlink/?linkid=864556 for more information.
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y
WARNING: PS0038: This action requires a restart of the AD FS Windows Service. If you have deployed a federation server farm, restart the service on every server in the farm.

PS C:\> Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 15 -ExtranetObservationWindow (New-TimeSpan -Minutes 30) -ExtranetLockoutRequirePDC:$false

# Don't forget to restart the adfs service!
PS C:\> Restart-Service -Name adfssrv
```
2. Verify ADFS Lockout is On
```powershell
PS C:\> Get-AdfsProperties | Select Extra*

ExtranetLockoutThreshold  : 15
ExtranetLockoutMode       : ADFSSmartLockoutEnforce
ExtranetLockoutEnabled    : True
ExtranetObservationWindow : 00:30:00
ExtranetLockoutRequirePDC : False

PS C:\>
```
3. Check User Lockout Status
Take a look at the ADFS account activity when Alice has 15 failed logon attempts and is locked out. Note that ADFS tracks familiar and unknown locations separately. If someone tries to get in from a remote location and locks out the account, the lockout applies only to the unfamiliar IP addresses. This gives Alice a better chance to log in, as she is still able to log in from a trusted IP.
```powershell
PS C:\> Get-AdfsAccountActivity alice@alwayshotcafe.com

Identifier             : ALWAYSHOTCAFE\Alice
BadPwdCountFamiliar    : 15
BadPwdCountUnknown     : 0
LastFailedAuthFamiliar : 8/12/2020 4:43:17 PM
LastFailedAuthUnknown  : 1/1/0001 12:00:00 AM
FamiliarLockout        : True
UnknownLockout         : False
FamiliarIps            : {82.34.148.38}

PS C:\>
```
4. Unlock ADFS Locked Account
When accounts are locked, we can unlock them by location: familiar or unknown. Note that only one location can be specified at a time; if both need unlocking, run the cmdlet once for each location.
```powershell
# Unlock familiar locations
PS C:\> Reset-AdfsAccountLockout alice@alwayshotcafe.com -Location familiar

# Unlock unknown locations
PS C:\> Reset-AdfsAccountLockout alice@alwayshotcafe.com -Location unknown

# Check if the account is unlocked
PS C:\> Get-AdfsAccountActivity alice@alwayshotcafe.com

Identifier             : ALWAYSHOTCAFE\Alice
BadPwdCountFamiliar    : 0
BadPwdCountUnknown     : 0
LastFailedAuthFamiliar : 8/12/2020 4:43:17 PM
LastFailedAuthUnknown  : 1/1/0001 12:00:00 AM
FamiliarLockout        : False
UnknownLockout         : False
FamiliarIps            : {82.34.148.38}

PS C:\>
```
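The script below is an added example that ties steps 1 to 4 together; it is not part of the original post. The first function checks the extranet lockout settings against the domain's AD lockout policy (the AD FS threshold has to be below the AD threshold, otherwise the attacker still locks the AD account), and the second reports each user's familiar/unknown lockout state and, with -Unlock, resets each locked location with a separate call. It assumes it runs on the primary AD FS server with the ADFS and ActiveDirectory modules available; the function names Test-AdfsLockoutConfig and Get-AdfsLockoutState are my own.

```powershell
# Added example (not from the original post); assumes the primary AD FS server with the ADFS and ActiveDirectory modules loaded. Function names are my own.

function Test-AdfsLockoutConfig {
    # Compare AD FS extranet lockout settings with the domain's AD lockout policy.
    # Returns findings; an empty result means the settings are consistent.
    $adfs = Get-AdfsProperties
    $ad   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if (-not $adfs.ExtranetLockoutEnabled) { $findings += 'Extranet lockout is disabled' }
    if ($adfs.ExtranetLockoutMode -ne 'ADFSSmartLockoutEnforce') {
        $findings += "Lockout mode is $($adfs.ExtranetLockoutMode), not ADFSSmartLockoutEnforce"
    }
    # AD FS must lock before AD does, or the attacker still locks the AD account
    # (an AD threshold of 0 means AD never locks).
    if ($ad.LockoutThreshold -gt 0 -and $adfs.ExtranetLockoutThreshold -ge $ad.LockoutThreshold) {
        $findings += "AD FS threshold $($adfs.ExtranetLockoutThreshold) is not below AD threshold $($ad.LockoutThreshold)"
    }
    # Counters reset per window; if AD FS resets more often than AD, failures
    # from several AD FS windows can add up to the AD threshold.
    if ($adfs.ExtranetObservationWindow -lt $ad.LockoutObservationWindow) {
        $findings += 'AD FS observation window is shorter than the AD one'
    }
    return $findings
}

function Get-AdfsLockoutState {
    # Report familiar/unknown lockout per user; with -Unlock, reset each locked
    # location with its own call, since the cmdlet accepts one location at a time.
    param([Parameter(Mandatory)][string[]]$Identity, [switch]$Unlock)
    foreach ($user in $Identity) {
        $act    = Get-AdfsAccountActivity -Identity $user
        $locked = @()
        if ($act.FamiliarLockout) { $locked += 'familiar' }
        if ($act.UnknownLockout)  { $locked += 'unknown' }
        if ($Unlock) {
            foreach ($loc in $locked) { Reset-AdfsAccountLockout -Identity $user -Location $loc }
        }
        [pscustomobject]@{
            User            = $user
            BadPwdFamiliar  = $act.BadPwdCountFamiliar
            BadPwdUnknown   = $act.BadPwdCountUnknown
            FamiliarIps     = ($act.FamiliarIps -join ', ')
            LockedLocations = ($locked -join ', ')
            Reset           = [bool]($Unlock -and $locked.Count -gt 0)
        }
    }
}

Test-AdfsLockoutConfig
Get-AdfsLockoutState -Identity 'alice@alwayshotcafe.com' -Unlock  # omit -Unlock to only report
```

Unlocking the unknown location gives the unfamiliar IPs a fresh observation window, so in practice you usually reset only the familiar location unless the user has a known new address.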
Anthony says
I get an error saying Update-AdfsArtifactDatabase is not a valid PowerShell command. Any hints on how to get that working or what permission I need to give the service account on that Database if I go the manual route instead? Thanks.
Zsolt Agoston says
Hi, if the Update-AdfsArtifactDatabasePermission cmdlet is not available on your ADFS server, please make sure the operating system is fully updated. The ADFS PowerShell module should contain the cmdlet; it is imported automatically when the command is run.
So Windows button/Settings/Update and go for it :)!