Configure AD FS Extranet Lockout Protection

Applies To: Windows Server 2016, Windows Server 2012 R2

In AD FS on Windows Server 2012 R2, we introduced a security feature called Extranet Lockout. With this feature, AD FS will "stop" authenticating the "malicious" user account from outside for a period of time. This prevents your user accounts from being locked out in Active Directory. In addition to protecting your users from an AD account lockout, AD FS extranet lockout also protects against brute force password guessing attacks.

This feature only works for the extranet scenario where the authentication requests come through the Web Application Proxy, and it only applies to username and password authentication.

Advantages of Extranet Lockout

Extranet lockout provides the following key advantages:

  • It protects your user accounts from brute force attacks, where an attacker tries to guess a user's password by continuously sending authentication requests. In this case, AD FS will lock out the targeted user account for extranet access.
  • It protects your user accounts from malicious account lockout, where an attacker wants to lock out a user account by sending authentication requests with wrong passwords. In this case, although the user account is locked out by AD FS for extranet access, the actual user account in AD is not locked out, and the user can still access corporate resources within the organization. This is known as a soft lockout.

How it Works

There are 3 settings in AD FS that you need to configure to enable this feature:

  • EnableExtranetLockout <Boolean>: set this Boolean value to True if you want to enable Extranet Lockout.
  • ExtranetLockoutThreshold <Integer>: defines the maximum number of bad password attempts. Once the threshold is reached, AD FS immediately rejects requests from the extranet without contacting the domain controller for authentication, whether the password is good or bad, until the extranet observation window has passed. This means the badPwdCount attribute of the AD account does not increase while the account is soft-locked out.
  • ExtranetObservationWindow <TimeSpan>: determines for how long the user account will be soft-locked out. AD FS starts performing username and password authentication again when the window has passed. AD FS uses the AD attribute badPasswordTime as the reference for determining whether the extranet observation window has passed. The window has passed if current time > badPasswordTime + ExtranetObservationWindow.


AD FS extranet lockout functions independently from the AD lockout policies. However, we strongly recommend that you set the ExtranetLockoutThreshold parameter to a value that is less than the AD account lockout threshold. Failing to do so would leave AD FS unable to protect accounts from being locked out in Active Directory.

An example of enabling the Extranet Lockout feature with a maximum of 15 bad password attempts and a 30-minute soft-lockout duration is as follows:

Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 15 -ExtranetObservationWindow (new-timespan -Minutes 30)

These settings apply to all domains that the AD FS service can authenticate. When AD FS receives an authentication request, it accesses the Primary Domain Controller (PDC) through an LDAP call and looks up the badPwdCount attribute for the user on the PDC. If AD FS finds badPwdCount >= ExtranetLockoutThreshold and the time defined in the Extranet Observation Window has not yet passed, AD FS rejects the request immediately: whether the user enters a good or a bad password from the extranet, the logon fails because AD FS does not send the credentials to AD. AD FS does not maintain any state with regard to badPwdCount or locked-out user accounts; AD FS uses AD for all state tracking.


When AD FS Extranet Lockout on Server 2012 R2 is enabled, all authentication requests through the WAP are validated by AD FS on the PDC. When the PDC is unavailable, users will be unable to authenticate from the extranet.

Server 2016 offers an additional parameter that allows AD FS to fall back to another domain controller when the PDC is unavailable:

  • ExtranetLockoutRequirePDC <Boolean>: when enabled, extranet lockout requires a primary domain controller (PDC). When disabled, extranet lockout falls back to another domain controller in case the PDC is unavailable.

You can use the following Windows PowerShell command to configure AD FS extranet lockout on Server 2016:

Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 15 -ExtranetObservationWindow (new-timespan -Minutes 30) -ExtranetLockoutRequirePDC $false

Working with the Active Directory Lockout Policy

The Extranet Lockout feature in AD FS works independently from the AD lockout policy. However, you do need to make sure the Extranet Lockout settings are configured correctly so that they serve their security purpose alongside the AD lockout policy. Let's take a look at the AD lockout policy first. There are three settings regarding lockout policy in AD:

  • Account Lockout Threshold: this setting is similar to the ExtranetLockoutThreshold setting in AD FS. It determines the number of failed logon attempts that will cause a user account to be locked out. In order to protect your user accounts from a malicious account lockout attack, you want to set the value of ExtranetLockoutThreshold in AD FS < the Account Lockout Threshold value in AD.
  • Account Lockout Duration: this setting determines for how long a user account is locked out. This setting does not matter much in this discussion, as Extranet Lockout should always happen before AD lockout if configured properly.
  • Reset Account Lockout Counter After: this setting determines how much time must elapse after the user's last logon failure before badPwdCount is reset to 0. In order for the Extranet Lockout feature in AD FS to work well with the AD lockout policy, you want to make sure the value of ExtranetObservationWindow in AD FS > the Reset Account Lockout Counter After value in AD. The examples below explain why.
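The two rules above (ExtranetLockoutThreshold below the AD Account Lockout Threshold, ExtranetObservationWindow above Reset Account Lockout Counter After) are easy to get wrong because the AD values live in Group Policy and the AD FS values in Set-AdfsProperties. The following script is an added example, not code from the article or from Microsoft: it compares the two and reports any mismatch. It assumes it runs on an AD FS server with the ADFS and ActiveDirectory PowerShell modules available, and that the domain's default password policy (Get-ADDefaultDomainPasswordPolicy, whose LockoutObservationWindow property is the "Reset account lockout counter after" value) is the one that applies to the users in question. The function name Test-ExtranetLockoutAlignment and the constructed sample objects are assumptions for this example.

```powershell
# Added example (not from the original article): check that AD FS extranet lockout
# settings are aligned with the domain's AD lockout policy.

function Test-ExtranetLockoutAlignment {
    param(
        [Parameter(Mandatory)] $AdfsProperties,   # object returned by Get-AdfsProperties
        [Parameter(Mandatory)] $AdLockoutPolicy   # object returned by Get-ADDefaultDomainPasswordPolicy
    )
    $findings = @()

    if (-not $AdfsProperties.EnableExtranetLockout) {
        $findings += 'EnableExtranetLockout is $false: extranet lockout is not active.'
    }

    # Rule 1: ExtranetLockoutThreshold < Account Lockout Threshold.
    # An AD LockoutThreshold of 0 means AD never locks accounts, so the rule is moot then.
    $adThresholdApplies = $AdLockoutPolicy.LockoutThreshold -gt 0
    if ($adThresholdApplies -and $AdfsProperties.ExtranetLockoutThreshold -ge $AdLockoutPolicy.LockoutThreshold) {
        $msg = 'ExtranetLockoutThreshold ({0}) is not below the AD Account Lockout Threshold ({1}); AD FS cannot prevent AD from locking the account.'
        $findings += $msg -f $AdfsProperties.ExtranetLockoutThreshold, $AdLockoutPolicy.LockoutThreshold
    }

    # Rule 2: ExtranetObservationWindow > Reset Account Lockout Counter After.
    # Get-ADDefaultDomainPasswordPolicy exposes that AD value as LockoutObservationWindow (a TimeSpan).
    if ($AdfsProperties.ExtranetObservationWindow -le $AdLockoutPolicy.LockoutObservationWindow) {
        $msg = 'ExtranetObservationWindow ({0}) does not exceed the AD Reset Account Lockout Counter After value ({1}); AD lockout is only delayed, not prevented.'
        $findings += $msg -f $AdfsProperties.ExtranetObservationWindow, $AdLockoutPolicy.LockoutObservationWindow
    }

    return ,$findings
}

# Offline demonstration with constructed objects (assumed values, not from any real domain):
# the article's 15 / 30-minute example against a domain that locks after 10 failures
# and resets its counter after 60 minutes. Both rules are violated here.
$sampleAdfs = [pscustomobject]@{
    EnableExtranetLockout    = $true
    ExtranetLockoutThreshold = 15
    ExtranetObservationWindow = New-TimeSpan -Minutes 30
}
$sampleAd = [pscustomobject]@{
    LockoutThreshold         = 10
    LockoutObservationWindow = New-TimeSpan -Minutes 60
    LockoutDuration          = New-TimeSpan -Minutes 60
}
Test-ExtranetLockoutAlignment -AdfsProperties $sampleAdfs -AdLockoutPolicy $sampleAd

# Live check on an AD FS server (requires the ADFS and ActiveDirectory modules):
$findings = Test-ExtranetLockoutAlignment -AdfsProperties (Get-AdfsProperties) -AdLockoutPolicy (Get-ADDefaultDomainPasswordPolicy)
if ($findings.Count -eq 0) { 'AD FS extranet lockout is aligned with the AD lockout policy.' } else { $findings }
```

If fine-grained password policies are in use, the default domain policy may not be the one that governs a given account; in that case pass the output of Get-ADUserResultantPasswordPolicy for a representative user instead of Get-ADDefaultDomainPasswordPolicy, since it exposes the same LockoutThreshold and LockoutObservationWindow properties.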

Let's take a look at two examples and see how badPwdCount changes over time based on different settings and states. In both examples, assume Account Lockout Threshold = 4 and ExtranetLockoutThreshold = 2. The red arrow represents a bad password attempt, the green arrow represents a good password attempt. In example #1, ExtranetObservationWindow > Reset Account Lockout Counter After. In example #2, ExtranetObservationWindow < Reset Account Lockout Counter After.

Example 1


Example 2


As you can see from the above, there are two conditions under which badPwdCount is reset to 0. One is a successful logon. The other is when the time defined in the Reset Account Lockout Counter After setting has elapsed. When Reset Account Lockout Counter After < ExtranetObservationWindow, an account is at no risk of being locked out by AD. However, if Reset Account Lockout Counter After > ExtranetObservationWindow, there is a chance that an account may still be locked out by AD, but in a "delayed fashion". It may take a while, depending on your configuration, because AD FS allows only one bad password attempt per observation window until badPwdCount reaches the Account Lockout Threshold.
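The two example figures are not reproduced here, so the following added simulation (not code from the article or from Microsoft) replays the same scenario in PowerShell: Account Lockout Threshold = 4, ExtranetLockoutThreshold = 2, a constructed attack of one bad password per minute, and the legitimate user trying the correct password once at minute 5. It models the decision described under "How it Works" (AD FS reads badPwdCount and badPasswordTime from AD, rejects without contacting AD while the window is open, and keeps no state of its own) and AD's own counter reset. It simplifies real AD behaviour in two ways that are assumptions of this example: time is in whole minutes, and AD lockout is treated as final because Account Lockout Duration is not relevant to the comparison. The function name Invoke-LockoutSimulation is an assumption.

```powershell
# Added example (not from the original article): simulate badPwdCount over time under
# AD FS extranet lockout combined with the AD lockout policy.

function Invoke-LockoutSimulation {
    param(
        [int]$AdLockoutThreshold,           # AD: Account Lockout Threshold
        [int]$AdResetCounterAfterMinutes,   # AD: Reset Account Lockout Counter After
        [int]$ExtranetLockoutThreshold,     # AD FS: ExtranetLockoutThreshold
        [int]$ExtranetObservationMinutes,   # AD FS: ExtranetObservationWindow
        [object[]]$Attempts                 # hashtables: @{ Minute = n; Good = $true|$false }
    )
    # All state is held "in AD"; AD FS keeps none of its own (as the article states).
    $badPwdCount     = 0
    $badPasswordTime = $null
    $adLockedOut     = $false
    $log = @()

    foreach ($a in $Attempts) {
        $now = [int]$a.Minute

        # AD resets badPwdCount once Reset Account Lockout Counter After has elapsed
        # since the last bad password (a successful logon also resets it, below).
        if ($null -ne $badPasswordTime -and ($now - $badPasswordTime) -ge $AdResetCounterAfterMinutes) {
            $badPwdCount = 0
        }

        # AD FS: the observation window is still open if badPasswordTime + window > now.
        $windowOpen = ($null -ne $badPasswordTime) -and (($badPasswordTime + $ExtranetObservationMinutes) -gt $now)

        if ($adLockedOut) {
            $outcome = 'Rejected: account locked out in AD'
        }
        elseif ($badPwdCount -ge $ExtranetLockoutThreshold -and $windowOpen) {
            # Soft lockout: AD FS drops the request without contacting the DC,
            # so badPwdCount does not change, even for a correct password.
            $outcome = 'Rejected by AD FS (soft lockout)'
        }
        elseif ($a.Good) {
            $badPwdCount = 0
            $outcome = 'Success'
        }
        else {
            $badPwdCount++
            $badPasswordTime = $now
            if ($badPwdCount -ge $AdLockoutThreshold) { $adLockedOut = $true }
            $outcome = 'Bad password forwarded to AD'
        }

        $log += [pscustomobject]@{
            Minute      = $now
            GoodPwd     = [bool]$a.Good
            Outcome     = $outcome
            badPwdCount = $badPwdCount
            AdLockedOut = $adLockedOut
        }
    }
    return ,$log
}

# Constructed attempt sequence: a bad password every minute for 25 minutes,
# except minute 5, where the legitimate user enters the correct password.
$attempts = 0..24 | ForEach-Object { @{ Minute = $_; Good = ($_ -eq 5) } }

# Example 1: ExtranetObservationWindow (30 min) > Reset Account Lockout Counter After (10 min)
Invoke-LockoutSimulation -AdLockoutThreshold 4 -AdResetCounterAfterMinutes 10 `
    -ExtranetLockoutThreshold 2 -ExtranetObservationMinutes 30 -Attempts $attempts | Format-Table -AutoSize

# Example 2: ExtranetObservationWindow (10 min) < Reset Account Lockout Counter After (30 min)
Invoke-LockoutSimulation -AdLockoutThreshold 4 -AdResetCounterAfterMinutes 30 `
    -ExtranetLockoutThreshold 2 -ExtranetObservationMinutes 10 -Attempts $attempts | Format-Table -AutoSize
```

In the first run the account is soft-locked from minute 1 onward and badPwdCount never rises above 2: AD resets the counter at minutes 11 and 22, AD FS then lets two more bad passwords through, and the cycle repeats without AD ever locking the account. In the second run AD FS lets exactly one bad password reach AD each time its 10-minute window closes (minutes 11 and 21), so badPwdCount climbs 2, 3, 4 and AD locks the account at minute 21, the "delayed fashion" the article describes. In both runs the correct password at minute 5 is rejected by AD FS, which is the soft-lockout cost the legitimate extranet user pays.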

For more information, see Configuring Account Lockout.

Known Issues

There is a known issue where an AD user account cannot authenticate with AD FS because the badPwdCount attribute is not replicated to the domain controller that AD FS is querying. See 2971171 for more details. You can find all AD FS QFEs that have been released so far here.

Key points to remember

  • The Extranet Lockout feature only works for the extranet scenario where the authentication requests come through the Web Application Proxy.
  • The Extranet Lockout feature only applies to username & password authentication.
  • AD FS does not keep any track of badPwdCount or of users that are soft-locked out. AD FS uses AD for all state tracking.
  • AD FS performs a lookup of the badPwdCount attribute for the user through an LDAP call to the PDC for every authentication attempt.
  • AD FS will fail if it cannot access the PDC. We are looking into making an improvement for the next version of AD FS that will allow AD FS to fall back to a local DC in case of failure.
  • AD FS will allow authentication requests from the extranet if badPwdCount < ExtranetLockoutThreshold.
  • If badPwdCount >= ExtranetLockoutThreshold AND the observation window has not yet passed (badPasswordTime + ExtranetObservationWindow > current time), AD FS will reject authentication requests from the extranet.
  • To avoid malicious account lockout, make sure ExtranetLockoutThreshold < Account Lockout Threshold AND ExtranetObservationWindow > Reset Account Lockout Counter After.

Additional references

Best practices for securing Active Directory Federation Services


