AD FS 2016 Extranet Smart Lockout feature

By | 19th February 2019
2 Comments

In Windows Server 2012 R2 there was already a Extranet lockout version available but this was based on a bad password count an relied on your AD PDC server to function. With update of March 2018 for Windows Server 2016 an feature has been added to the AD FS (Active Directory Federation Services) server named: Extranet Smart Lockout (ESL). This feature enable AD FS to differentiate between sign-in attempts from a valid user and sign-ins from what may be an attacker. This means AD FS can lockout attackers whilst still allowing your users to sign-in with their account. This feature better protects users against denial of service and targeted attacks.

To start using this new feature you have to ensure that all your Windows Server 2016 AD FS servers are up to date (at minimum the updates from March 2018 but hopefully your servers are fully up to date).

Prepare the database

The ESL requires your AD FS Service account to have permissions to create a new table in the AD FS artifact database. Run the following cmdlet to grant this permission, you should provide the credential of your AD FS service account which should have administrator rights:

In case you get an PS0159 error message check out this post: PS0159 the operation is not supported at the current farm behavior level 1 raise the farm to at least version 2 before retrying

If your AD FS farm is using an SQL Server then the above command might fail due to a loack of permissions on your SQL Server. You can configure the database permission manually by running the following command whist connected to the AdfsArtifactStore database:

 

Enable Extranet Smart Lockout

The ExtranetLocketMode now has three parameters which you can use, these are:

  • ADPasswordCounter – This is the legacy AD FS “extranet soft lockout” mode, which does not differentiate based on location. This is the default value.
  • ADFSSmartLockoutLogOnly – This is Extranet Smart Lockout. Instead of rejecting authentication requests, AD FS writes admin and audit events.
  • ADFSSmartLockoutEnforce – This is Extranet Smart Lockout with full support for blocking unfamiliar requests when thresholds are reached.

The first option ADPasswordCounter is the default option which was also available in the Windows Server 2012 R2 version.

I would recommend to start with the LogOnly option and monitor this for a short period before enforcing the new setting. Run the following cmdlet to enable the Smart lockout mode in log-only mode, enabling this feature does require a restart of the AD FS service.

Configure ESL Options

There are two options you can configure with ESL these are the Lockout threshold and the observation window.

  • Lockout Threshold setting

When an authentication is successful the AD FS stores the (client) IP number from where the authentication took place as a familiar location in the account activity table. When an authentication attempt fails and the source IP does not match a familiar location, the failed authentication count is incremented.

If the failed attempts from an unfamiliar reaches the lockout threshold and the failed authentication is from an unfamiliar location the account is locked out.

You can set the threshold using this cmdlet:

  • Observation window setting

Once the account is locked the observation window setting is used. This is the time in minutes that an account remains locked, after the account unlocks, only one authentication attempt is allowed. If this one authentication attempt is successful the ‘failed authentication count’ is reset to 0, if the authentication attempt fails the account will remain locked for an additional observation window after which the accounts once again unlocks and one authentication attempt is allowed.

You can set the Observation window using this cmdlet:

Enable lockout

You can enable or disable the extranet lockout using either one of these cmdlets:

Enfore SmartLockout

Once you’ve monitored your environment for a couple of days and you want to enforce the setting you can set your environment to enforce the setting by running this cmdlet after which you will need to restart the adfs service to activate the new setting:

User activity

In a separate blog I will go into more detail on this subject, below is a summary on how to monitor user activity.

You can find the account activity by running this cmdlet: Get-AdfsAccountActivity

You can manually add a familiar location to a user or erase state for an account

Reset the lockout counter for an user account




I hope this was informative. For questions or comments you can always give a reaction in the comment section or contact me:

2 thoughts on “AD FS 2016 Extranet Smart Lockout feature

  1. Todd Goodsite

    Using the internal Windows Database and when I run this command Update-AdfsArtifactDatabasePermission -Credential $Credential it is successful, however when I run the diagnositc tool it keeps telling me The ADFS service account has insufficent privileges to create the Account Activity database. I’ve run that command several times, rebooted etc but diagnositc keeps giving me that error.

    Reply
  2. Andrew

    I just wanted to note that this note for SQL server:

    ALTER AUTHORIZATION ON SCHEMA::[ArtifactStore] TO [db_genevaservice]

    Is insufficient – schema ownership does not grant the CREATE TABLE right and this feature requires the creation of a table in the database. An error is logged in the AD FS admin log regarding the failure to create the new table each time the service is restarted. I couldn’t find any information about the best way to resolve this, so I just granted CREATE TABLE permission to the db_genevaservice role on the AdfsArtifactStore database and the table was created.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.