My Notes On Setting Up ADFS 2016 Extranet Smart Lockout

Here are some of the things I have found while setting up Extranet Smart Lockout on ADFS 2016. For the most part everything is very straightforward.

This blog is my notes about configuring this and is not meant to be a replacement for the actual instructions:

Description of the Extranet Smart Lockout feature in Windows Server 2016

AD FS Extranet Lockout and Extranet Smart Lockout

This article was originally published on 7/26/2018

Enable ADFS Logging

 # This will add the audit settings to your existing log settings
 Set-AdfsProperties -LogLevel ((Get-AdfsProperties).LogLevel+'SuccessAudits','FailureAudits')
 # Or just add all the logging
 Set-AdfsProperties -LogLevel Verbose,Errors,Warnings,Information,SuccessAudits,FailureAudits
 # Validate that SuccessAudits and FailureAudits are set
 (Get-AdfsProperties).LogLevel
  
 # Make sure the security audit policy is enabled
 auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
 # Validate
 auditpol.exe /get /subcategory:"Application Generated"


Enable Extranet Lockout Logging

 # This will prompt for credentials; use an account with ADFS Administrators rights
 Update-AdfsArtifactDatabasePermission
 <# Note: if WinRM isn't working correctly on the ADFS farm nodes, it will display a message very similar to the one shown when the patch is missing. #>
  
 # Enable log-only mode first and monitor lockout activity
 Set-AdfsProperties -ExtranetLockoutMode AdfsSmartlockoutLogOnly


 #restart the adfs service
 restart-service adfss*


 # The lockout threshold is the number of failed password attempts that must occur from an unfamiliar location
 # before the account gets locked out on the ADFS side.
 Set-AdfsProperties -ExtranetLockoutThreshold 10
 (Get-AdfsProperties).ExtranetLockoutThreshold


 # The observation window is the amount of time that must pass before the extranet lockout
 # automatically unlocks
 Set-AdfsProperties -ExtranetObservationWindow ( New-TimeSpan -Minutes 15 )
 (Get-AdfsProperties).ExtranetObservationWindow


 #enable Extranet Lockout
 Set-AdfsProperties -EnableExtranetLockout $true
 #Validate
 get-AdfsProperties | select *lock*,bannediplist | fl
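The logging, threshold, observation window and enable steps above can be read back and sanity-checked in one pass. The function below is an added example and not part of the original post: it reads the settings with Get-AdfsProperties and auditpol, and compares the ADFS threshold against the domain's own lockout policy using Get-ADDefaultDomainPasswordPolicy (which assumes the ActiveDirectory module is installed on the node). It changes nothing.

```powershell
# Added example (not from the original post): read-only check of the Extranet
# Smart Lockout prerequisites and settings configured above. Run in an elevated
# PowerShell session on an ADFS 2016 farm node with the ActiveDirectory module installed.
function Test-AdfsExtranetLockoutConfig {
    [CmdletBinding()]
    param()

    $p = Get-AdfsProperties
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. Audit log level: the 1203/1210 audit events only appear with these two levels on.
    foreach ($level in 'SuccessAudits', 'FailureAudits') {
        if ($p.LogLevel -notcontains $level) { $findings.Add("LogLevel is missing $level") }
    }

    # 2. Local security audit policy: ADFS audits land in the 'Application Generated' subcategory.
    #    auditpol /r returns CSV (preceded by a blank line), so drop empty lines before parsing.
    $audit = auditpol.exe /get /subcategory:"Application Generated" /r |
        Where-Object { $_ -ne '' } | ConvertFrom-Csv
    if ($audit -and $audit.'Inclusion Setting' -ne 'Success and Failure') {
        $findings.Add("auditpol 'Application Generated' is '$($audit.'Inclusion Setting')', expected 'Success and Failure'")
    }

    # 3. Lockout switches. Log-only is the place to start; enforce comes after reviewing the logs.
    if (-not $p.EnableExtranetLockout) { $findings.Add('EnableExtranetLockout is False') }
    if ($p.ExtranetLockoutMode -notlike 'AdfsSmartLockout*') {
        $findings.Add("ExtranetLockoutMode is '$($p.ExtranetLockoutMode)' (legacy soft lockout, not Smart Lockout)")
    }

    # 4. Compare with the domain's own lockout policy. If ADFS trips at or after the AD
    #    threshold, unfamiliar-location guesses still lock the AD account before ADFS steps in.
    $ad = Get-ADDefaultDomainPasswordPolicy
    if ($ad.LockoutThreshold -gt 0 -and $p.ExtranetLockoutThreshold -ge $ad.LockoutThreshold) {
        $findings.Add("ExtranetLockoutThreshold ($($p.ExtranetLockoutThreshold)) should be below the AD LockoutThreshold ($($ad.LockoutThreshold))")
    }

    # 5. BannedIpList is applied regardless of mode, so anything in it is worth knowing about.
    if ($p.BannedIpList) { $findings.Add("BannedIpList is not empty: $($p.BannedIpList -join ', ')") }

    [pscustomobject]@{
        LogLevel                  = $p.LogLevel -join ','
        EnableExtranetLockout     = $p.EnableExtranetLockout
        ExtranetLockoutMode       = $p.ExtranetLockoutMode
        ExtranetLockoutThreshold  = $p.ExtranetLockoutThreshold
        ExtranetObservationWindow = $p.ExtranetObservationWindow
        AdLockoutThreshold        = $ad.LockoutThreshold
        AdObservationWindow       = $ad.LockoutObservationWindow
        Findings                  = $findings
    }
}

Test-AdfsExtranetLockoutConfig | Format-List
```

An empty Findings list means the farm node matches the steps in this section; each finding names the property to revisit. Step 4 is the check most often missed: the AD threshold of 0 (never lock out) is skipped on purpose, since there is nothing to compare against in that case.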


Note: pay attention to the BannedIPList. While troubleshooting an issue where external logons were failing after the update, the second an IP went into the BannedIPList it didn’t seem to matter what the Mode was set to or that lockout wasn’t enabled.

Test Extranet Smart Lockout

Open the web browser of your choice and go to the ADFS farm’s external IdpInitiatedSignon page. You may have to update the hosts file to point at the external IP.

You may have to enable: How to Enable IdpInitiatedSignon Page In AD FS 2016

Enter bad passwords for a user multiple times.


 # Check the user's ADFS account activity (pass the user's email address / UPN)
 Get-ADFSAccountActivity useremailaddress/upn
 Get-ADFSAccountActivity Aedan.Stokes@16lab.chadcolabs.us
 # Check to see if the user's bad password count in AD is increasing
 Get-ADUser samaccountname -Properties badPwdCount,lockedOut
 Get-ADUser 112571 -Properties badPwdCount,lockedOut


On the ADFS server, the following events are written to the Security event log:


Event ID 1203

 The Federation Service failed to validate a new credential. See XML for failure details. 
  
 Activity ID: b71497c7-bb2d-496b-ff1e-0080000000c8 
  
 Additional Data 
 XML: <?xml version="1.0" encoding="utf-16"?>
 <AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FreshCredentialAudit">
   <AuditType>FreshCredentials</AuditType>
   <AuditResult>Failure</AuditResult>
   <FailureType>CredentialValidationError</FailureType>
   <ErrorCode>N/A</ErrorCode>
   <ContextComponents>
     <Component xsi:type="ResourceAuditComponent">
       <RelyingParty>http://sts.16lab.chadcolabs.us/adfs/services/trust</RelyingParty>
       <ClaimsProvider>N/A</ClaimsProvider>
       <UserId>Aedan.Stokes@16lab.chadcolabs.us</UserId>
     </Component>
     <Component xsi:type="AuthNAuditComponent">
       <PrimaryAuth>N/A</PrimaryAuth>
       <DeviceAuth>false</DeviceAuth>
       <DeviceId>N/A</DeviceId>
       <MfaPerformed>false</MfaPerformed>
       <MfaMethod>N/A</MfaMethod>
       <TokenBindingProvidedId>false</TokenBindingProvidedId>
       <TokenBindingReferredId>false</TokenBindingReferredId>
       <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>
     </Component>
     <Component xsi:type="ProtocolAuditComponent">
       <OAuthClientId>N/A</OAuthClientId>
       <OAuthGrant>N/A</OAuthGrant>
     </Component>
     <Component xsi:type="RequestAuditComponent">
       <Server>http://sts.16lab.chadcolabs.us/adfs/services/trust</Server>
       <AuthProtocol>SAMLP</AuthProtocol>
       <NetworkLocation>Extranet</NetworkLocation>
       <IpAddress>10.10.10.25</IpAddress>
       <ForwardedIpAddress>10.10.10.25</ForwardedIpAddress>
       <ProxyIpAddress>N/A</ProxyIpAddress>
       <NetworkIpAddress>N/A</NetworkIpAddress>
       <ProxyServer>16LAB-WAP1</ProxyServer>
       <UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134</UserAgentString>
       <Endpoint>/adfs/ls/idpinitiatedsignon</Endpoint>
     </Component>
   </ContextComponents>
 </AuditBase>


*I like that the log calls out the proxy server the user is coming through

Event ID 1201

 The Federation Service failed to issue a valid token. See XML for failure details. 
  
 Activity ID: b71497c7-bb2d-496b-ff1e-0080000000c8 
  
 Additional Data 
 XML: <?xml version="1.0" encoding="utf-16"?>
 <AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit">
   <AuditType>AppToken</AuditType>
   <AuditResult>Failure</AuditResult>
   <FailureType>GenericError</FailureType>
   <ErrorCode>N/A</ErrorCode>
   <ContextComponents>
     <Component xsi:type="ResourceAuditComponent">
       <RelyingParty>http://sts.16lab.chadcolabs.us/adfs/services/trust</RelyingParty>
       <ClaimsProvider>N/A</ClaimsProvider>
       <UserId>Aedan.Stokes@16lab.chadcolabs.us</UserId>
     </Component>
     <Component xsi:type="AuthNAuditComponent">
       <PrimaryAuth>N/A</PrimaryAuth>
       <DeviceAuth>false</DeviceAuth>
       <DeviceId>N/A</DeviceId>
       <MfaPerformed>false</MfaPerformed>
       <MfaMethod>N/A</MfaMethod>
       <TokenBindingProvidedId>false</TokenBindingProvidedId>
       <TokenBindingReferredId>false</TokenBindingReferredId>
       <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>
     </Component>
     <Component xsi:type="ProtocolAuditComponent">
       <OAuthClientId>N/A</OAuthClientId>
       <OAuthGrant>N/A</OAuthGrant>
     </Component>
     <Component xsi:type="RequestAuditComponent">
       <Server>http://sts.16lab.chadcolabs.us/adfs/services/trust</Server>
       <AuthProtocol>SAMLP</AuthProtocol>
       <NetworkLocation>Extranet</NetworkLocation>
       <IpAddress>10.10.10.25</IpAddress>
       <ForwardedIpAddress>10.10.10.25</ForwardedIpAddress>
       <ProxyIpAddress>N/A</ProxyIpAddress>
       <NetworkIpAddress>N/A</NetworkIpAddress>
       <ProxyServer>16LAB-WAP1</ProxyServer>
       <UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134</UserAgentString>
       <Endpoint>/adfs/ls/idpinitiatedsignon</Endpoint>
     </Component>
   </ContextComponents>
 </AuditBase>

Event ID 4625

 An account failed to log on.
  
 Subject:
     Security ID:        NULL SID
     Account Name:        -
     Account Domain:        -
     Logon ID:        0x0
  
 Logon Type:            3
  
 Account For Which Logon Failed:
     Security ID:        NULL SID
     Account Name:        ADMINISTRATOR
     Account Domain:        
  
 Failure Information:
     Failure Reason:        Unknown user name or bad password.
     Status:            0xC000006D
     Sub Status:        0xC0000064
  
 Process Information:
     Caller Process ID:    0x0
     Caller Process Name:    -
  
 Network Information:
     Workstation Name:    -
     Source Network Address:    108.30.90.24
     Source Port:        0
  
 Detailed Authentication Information:
     Logon Process:        NtLmSsp 
     Authentication Package:    NTLM
     Transited Services:    -
     Package Name (NTLM only):    -
     Key Length:        0

*The IP in this event is not the client’s IP.

Once the lockout occurs, Event ID 1210 is logged:

 An extranet lockout event has occurred. See XML for failure details. 
  
 Activity ID: f84f9e76-a6ba-49eb-5401-0080000000c7 
  
 Additional Data 
 XML: <?xml version="1.0" encoding="utf-16"?>
 <AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ExtranetLockoutAudit">
   <AuditType>ExtranetLockout</AuditType>
   <AuditResult>Failure</AuditResult>
   <FailureType>ExtranetLockoutError</FailureType>
   <ErrorCode>AccountRestrictedAudit</ErrorCode>
   <ContextComponents>
     <Component xsi:type="ResourceAuditComponent">
       <RelyingParty>http://sts.16lab.chadcolabs.us/adfs/services/trust</RelyingParty>
       <ClaimsProvider>N/A</ClaimsProvider>
       <UserId>CONTOSO\225866</UserId>
     </Component>
     <Component xsi:type="RequestAuditComponent">
       <Server>N/A</Server>
       <AuthProtocol>SAMLP</AuthProtocol>
       <NetworkLocation>Extranet</NetworkLocation>
       <IpAddress>10.10.10.25</IpAddress>
       <ForwardedIpAddress>10.10.10.25</ForwardedIpAddress>
       <ProxyIpAddress>N/A</ProxyIpAddress>
       <NetworkIpAddress>N/A</NetworkIpAddress>
       <ProxyServer>16LAB-WAP1</ProxyServer>
       <UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134</UserAgentString>
       <Endpoint>/adfs/ls/idpinitiatedsignon</Endpoint>
     </Component>
     <Component xsi:type="LockoutConfigAuditComponent">
       <CurrentBadPasswordCount>10</CurrentBadPasswordCount>
       <ConfigBadPasswordCount>10</ConfigBadPasswordCount>
       <LastBadAttempt>07/26/2018 18:22:10</LastBadAttempt>
       <LockoutWindowConfig>00:15:00</LockoutWindowConfig>
     </Component>
   </ContextComponents>
 </AuditBase>

One question I need to get an answer on is: what if the IP address in 1201 or 1203 is the load balancer and not the actual client? Updated 7/27/2018: if the IP address is the load balancer, then more than likely the WAP’s and/or ADFS’s load balancer is not configured to send the client IP in the X-MS-Forwarded-For header. Work with the LB vendor to figure out the correct configuration.
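When working through the 1201/1203/1210 events above, the fields that matter (user, client IP, forwarded IP, proxy server, lockout counters) are buried in the audit XML. The following is an added example, not code from the original post: it parses that XML out of the Security log message text and flags events whose recorded client IP is actually a load balancer or WAP address. The -InfrastructureIps list is a placeholder you fill in for your own environment, and the sample message is constructed from the 1210 event quoted above so the parser can be tried offline.

```powershell
# Added example (not from the original post): parse the audit XML embedded in the ADFS
# Security log events 1201, 1203 and 1210 into flat objects, and flag events whose
# recorded client IP is really a load balancer / WAP address.
function ConvertFrom-AdfsAuditMessage {
    param(
        [Parameter(Mandatory)][string]$Message,
        [int]$EventId = 0,
        [datetime]$TimeCreated = [datetime]::MinValue
    )
    # The rendered message text carries the audit XML after "XML:"; cut from the declaration on.
    $start = $Message.IndexOf('<?xml')
    if ($start -lt 0) { return $null }
    [xml]$doc = $Message.Substring($start)
    $audit = $doc.AuditBase
    $xsi   = 'http://www.w3.org/2001/XMLSchema-instance'

    # Components are distinguished only by their xsi:type attribute.
    $byType = @{}
    foreach ($c in @($audit.ContextComponents.Component)) {
        $byType[$c.GetAttribute('type', $xsi)] = $c
    }
    $res  = $byType['ResourceAuditComponent']
    $req  = $byType['RequestAuditComponent']
    $lock = $byType['LockoutConfigAuditComponent']   # only present on 1210

    [pscustomobject]@{
        TimeCreated        = $TimeCreated
        EventId            = $EventId
        AuditType          = $audit.AuditType
        Result             = $audit.AuditResult
        FailureType        = $audit.FailureType
        UserId             = $(if ($res) { $res.UserId } else { $null })
        NetworkLocation    = $(if ($req) { $req.NetworkLocation } else { $null })
        IpAddress          = $(if ($req) { $req.IpAddress } else { $null })
        ForwardedIpAddress = $(if ($req) { $req.ForwardedIpAddress } else { $null })
        ProxyServer        = $(if ($req) { $req.ProxyServer } else { $null })
        Endpoint           = $(if ($req) { $req.Endpoint } else { $null })
        BadPasswordCount   = $(if ($lock) { [int]$lock.CurrentBadPasswordCount } else { $null })
        ConfiguredCount    = $(if ($lock) { [int]$lock.ConfigBadPasswordCount } else { $null })
        LockoutWindow      = $(if ($lock) { $lock.LockoutWindowConfig } else { $null })
    }
}

function Get-AdfsLockoutAudit {
    param(
        [int]$MaxEvents = 500,
        [string[]]$InfrastructureIps = @()   # placeholder: your load balancer / WAP addresses
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1201, 1203, 1210 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-AdfsAuditMessage -Message $_.Message -EventId $_.Id -TimeCreated $_.TimeCreated } |
        Where-Object { $_ } |
        # If the forwarded IP is one of your own devices, X-MS-Forwarded-For is not reaching ADFS.
        Select-Object *, @{ n = 'ClientIpIsInfrastructure'; e = { $InfrastructureIps -contains $_.ForwardedIpAddress } }
}

# Constructed sample, trimmed from the 1210 event quoted in the post, to exercise the parser offline.
$sample = @'
An extranet lockout event has occurred. See XML for failure details.
Activity ID: f84f9e76-a6ba-49eb-5401-0080000000c7
Additional Data
XML: <?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ExtranetLockoutAudit">
  <AuditType>ExtranetLockout</AuditType>
  <AuditResult>Failure</AuditResult>
  <FailureType>ExtranetLockoutError</FailureType>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent"><UserId>CONTOSO\225866</UserId></Component>
    <Component xsi:type="RequestAuditComponent">
      <NetworkLocation>Extranet</NetworkLocation>
      <IpAddress>10.10.10.25</IpAddress>
      <ForwardedIpAddress>10.10.10.25</ForwardedIpAddress>
      <ProxyServer>16LAB-WAP1</ProxyServer>
      <Endpoint>/adfs/ls/idpinitiatedsignon</Endpoint>
    </Component>
    <Component xsi:type="LockoutConfigAuditComponent">
      <CurrentBadPasswordCount>10</CurrentBadPasswordCount>
      <ConfigBadPasswordCount>10</ConfigBadPasswordCount>
      <LockoutWindowConfig>00:15:00</LockoutWindowConfig>
    </Component>
  </ContextComponents>
</AuditBase>
'@
ConvertFrom-AdfsAuditMessage -Message $sample -EventId 1210 | Format-List

# Live use on a farm node: which users are hitting extranet lockout, and from where.
# Get-AdfsLockoutAudit -InfrastructureIps @('192.0.2.10') |
#     Where-Object EventId -eq 1210 |
#     Group-Object UserId | Select-Object Name, Count
```

Because the parser works on the message text, the same function can be fed events exported from the farm nodes or forwarded to a collector; the ClientIpIsInfrastructure flag is the quick way to tell whether the load-balancer question above applies to your logs.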

One of the main reasons for this feature is legacy authentication coming from Exchange Online / Office 365. To test it, this logon type can be duplicated by creating a new account in Outlook and manually configuring Exchange ActiveSync against the outlook.office365.com server.


Enforce Extranet Smart Lockout

 # After you review the logs and feel comfortable, enable ADFS Smart Lockout enforcement
 Set-AdfsProperties -ExtranetLockoutMode AdfsSmartLockoutEnforce
 # Restart the ADFS service; you can use -ComputerName and pass each ADFS node in the farm
 Restart-Service adfssrv
  
 # Validate
 Get-AdfsProperties | select *lock*,bannediplist | fl


First test: continue with the same user and enter multiple (20 or so) bad passwords.

 Get-ADFSAccountActivity Aedan.Stokes@16lab.chadcolabs.us
 get-aduser 112571 -properties badPwdCount,lockedout


*Note: once it is enforced, the user’s Active Directory account bad password count does not increment past the unknown threshold.

Next, use a different account and perform a logon with a good password.

 #view the ADFS Account Activity
 Get-ADFSAccountActivity Abdiel.Conrad@16lab.chadcolabs.us
 #a Familiar IP is listed


Repeat the logon to ADFS with several bad passwords.

 #view the ADFS Account Activity
 Get-ADFSAccountActivity Abdiel.Conrad@16lab.chadcolabs.us
 #note the Familiar Lockout is now set to true
 get-aduser 225866 -properties badPwdCount,lockedout
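The test steps above keep pairing Get-ADFSAccountActivity with Get-ADUser to compare the ADFS counters against AD’s badPwdCount and lockedOut. The function below is an added example and not part of the original post: it takes a UPN, resolves the AD user from it (instead of looking the account up by employee number as above), and returns both views as one object. It assumes the ActiveDirectory module is available and uses the documented output properties of Get-ADFSAccountActivity (BadPwdCountFamiliar, BadPwdCountUnknown, FamiliarLockout, UnknownLockout, FamiliarIPs).

```powershell
# Added example (not from the original post): ADFS account activity and AD lockout
# state side by side for one or more UPNs. Run on an ADFS farm node with the
# ActiveDirectory module installed.
function Get-LockoutStatus {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Upn)
    process {
        $adfs = Get-ADFSAccountActivity -Identity $Upn

        # Resolve the AD user from the UPN. Note that badPwdCount is not replicated between
        # domain controllers, so this value comes from whichever DC answered the query.
        $ad = Get-ADUser -Filter "userPrincipalName -eq '$Upn'" -Properties badPwdCount, lockedOut

        [pscustomobject]@{
            Upn                = $Upn
            SamAccountName     = $ad.SamAccountName
            AdBadPwdCount      = $ad.badPwdCount
            AdLockedOut        = $ad.LockedOut
            AdfsBadPwdFamiliar = $adfs.BadPwdCountFamiliar
            AdfsBadPwdUnknown  = $adfs.BadPwdCountUnknown
            FamiliarLockout    = $adfs.FamiliarLockout
            UnknownLockout     = $adfs.UnknownLockout
            FamiliarIPs        = ($adfs.FamiliarIPs -join ', ')
        }
    }
}

# The two test users from this post, checked in one call.
'Aedan.Stokes@16lab.chadcolabs.us', 'Abdiel.Conrad@16lab.chadcolabs.us' |
    Get-LockoutStatus | Format-Table -AutoSize
```

Re-running this between bad-password attempts makes the behaviour noted above visible in one table: in enforce mode AdfsBadPwdUnknown climbs while AdBadPwdCount stops at the threshold, and a burst of bad passwords from a familiar IP flips FamiliarLockout rather than UnknownLockout.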


That is all for today. As I was running through the instructions and wasn’t sure what I should be seeing, I figured I would share what I experienced. The next topic will be Banned IPs.

-Chad