Tough Questions Answered: Addressing Account Lockout via Adjusting Lockout Threshold in ADFS

This time I was involved in a root cause analysis on a customer site after a brute force attack against some ADFS endpoints.

Let me give you an overview of the infrastructure.

ENVIRONMENT DESCRIPTION

The customer environment is very large and complex, but I have simplified it in the following picture:

[Image: https://msdnshared.blob.core.windows.net/media/2018/08/082118_0940_EveniftheEx1.png]

As you can see, we have two forests: one is a logon forest (where the users are) and one is a resource forest, where the ADFS servers are running.

In this table you can find the server versions of the environment:

  Description    Type of OS
  WAP Version    Windows Server 2012R2
  ADFS Version   Windows Server 2012R2
  DC Version     Windows Server 2008R2

PROBLEM DESCRIPTION

The customer unfortunately was recently exposed to a brute force attack, and even though they had configured the ADFS Extranet Lockout, multiple accounts were locked out (more importantly, the Senior Admin account was also locked out!).

The customer wants to understand why this happens even if the Extranet Lockout is enabled.

TROUBLESHOOTING

To reproduce this problem, we involved the security team of the customer (a big thanks to them!) to generate a brute force attack against the ADFS servers. (Don't ask which tools they used: I can't tell you.)

- Before starting the simulation of the brute force attack we verified the lockout configuration in the environment:

  On the ADFS configuration:

    Settings on ADFS Servers     Value
    EnableExtranetLockout        $true
    ExtranetObservationWindow    30 min
    ExtranetLockoutThreshold     3

  On the Active Directory:

    Settings on Domain Controllers   Value
    Account lockout threshold        5
    Account lockout duration         10 min

- Then we enabled the audit logs for the ADFS servers; how-to details can be found here: https://blogs.technet.microsoft.com/bulentozkir/2016/05/11/ho-can-you-enable-auditing-for-ad-fs/?WT.mc_id=ITOPSTALK-blog-abartolo

- Using a third-party tool to simulate a brute force attack, we reproduced the problem: one of the test accounts was locked out due to many failed login attempts, and from the logs we were able to see the exact cause (please read the logs from the bottom to the top):

[Image: https://techcommunity.microsoft.com/t5/image/serverpage/image-id/56440i15B013307ED45A85/image-dimensions/603x1163?v=1.0 (Table.png)]

1. The row indicated by the blue rectangle, event 516 on the ADFS server, shows that User01 is blocked by the soft lockout on the ADFS server.

2. The row indicated by the green rectangle, event 512 on the ADFS server, shows that an authentication for User01 was permitted after the end of the ExtranetObservationWindow.

3. In the rows indicated by the yellow rectangles we can see the events 411 on the ADFS servers and the events 4771 on the DCs of the Fabrikam forest. All these events show us that in the same second, 12:04:55, we received 6 authentication requests for User01, which caused the account lockout.

4. The last row, indicated by the red rectangle, event 516 on the ADFS server, shows that the account User01 was locked out.

NOTE: as you can see in the yellow part, we have exactly 6 events 411 on the ADFS servers, but we have 8 events 4771 on the DCs, and the question is... WHY?

To understand why, you need to read "How the Domain Controllers Verify the Passwords": https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780271(v=ws.10)?WT.mc_id=ITOPSTALK-blog-abartolo

[Image: https://msdnshared.blob.core.windows.net/media/2018/08/082118_0940_EveniftheEx2.png]

In short: the authentications from the Contoso ADFS forest to the Fabrikam logon forest are sometimes handled directly by the PDC, but sometimes another DC in the Fabrikam forest authenticates User01; in that case the DC forwards the authentication to the PDC, because it is a bad-password logon attempt, and this causes one more 4771 event.

Trick: if you want to verify that you received more authentication attempts than the "Account lockout threshold", count the number of 411 events on the ADFS infrastructure for a specific user.

CONCLUSION:

So, we have verified that, during a brute force attack, if you have a small difference between the "ExtranetLockoutThreshold" and the "Account lockout threshold" on the Domain Controllers, some accounts can end up locked out.

This is due to the time needed by the DCs in the FABRIKAM forest to send the info (badPwdCount) back to the ADFS servers in the CONTOSO forest: usually milliseconds, but in those milliseconds we can receive other authentication requests that will lock the accounts.

MITIGATION:

To mitigate this behavior, you can increase the "Account lockout threshold" on the DCs to a larger value.

For your enterprise a good value is 50, but it is also better to increase the "Account lockout duration" to 15 min or more.

Official reference:

- Account lockout threshold: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-threshold?WT.mc_id=ITOPSTALK-blog-abartolo
- Account lockout duration: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-duration?WT.mc_id=ITOPSTALK-blog-abartolo

FINAL SOLUTION:

If you want to say "BYE BYE" to the brute force attacks, you can implement Azure MFA (Multi-Factor Authentication).

If your ADFS farm is 2012R2 you can easily migrate to 2016 and then implement MFA.

Official reference:

- Moving from a Windows Server 2012 R2 AD FS farm to a Windows Server 2016 AD FS farm: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server?WT.mc_id=ITOPSTALK-blog-abartolo
- How-To Configure AD FS 2016 and Azure MFA: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa?WT.mc_id=ITOPSTALK-blog-abartolo

Labels: Windows Server
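The race described in the conclusion, as an added model that is not code from the original post: ADFS consults badPwdCount before forwarding each logon, but attempts that arrive inside the propagation delay all see the stale count and are forwarded to AD, so AD's own threshold is reached before the extranet soft lockout can react. The request timing, the propagation delay and which DC answers each attempt are constructed assumptions; the thresholds and the event ids (411, 516, 4771) are the ones the post discusses.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class LogonForest:
    """Fabrikam logon forest: the PDC-held badPwdCount for one user (User01)."""
    lockout_threshold: int                 # AD "Account lockout threshold" (0 = never lock)
    bad_pwd_times_ms: List[int] = field(default_factory=list)
    events_4771: int = 0                   # Kerberos pre-auth failures logged on the DCs
    locked_out: bool = False

    def bad_password(self, now_ms: int, dc_is_pdc: bool) -> None:
        # A non-PDC DC logs 4771 and forwards the bad password to the PDC, which
        # logs 4771 again: one extra 4771 per forwarded attempt (the post's 8 vs 6).
        self.events_4771 += 1 if dc_is_pdc else 2
        self.bad_pwd_times_ms.append(now_ms)
        if self.lockout_threshold and len(self.bad_pwd_times_ms) >= self.lockout_threshold:
            self.locked_out = True

    def bad_pwd_count_seen_at(self, now_ms: int, delay_ms: int) -> int:
        # badPwdCount as ADFS sees it: increments younger than delay_ms are not visible yet.
        return sum(1 for t in self.bad_pwd_times_ms if now_ms - t >= delay_ms)


@dataclass
class AdfsFarm:
    """Contoso resource forest: ADFS checks badPwdCount before forwarding each logon."""
    extranet_threshold: int                # ExtranetLockoutThreshold
    delay_ms: int                          # constructed: time for badPwdCount to reach ADFS
    events_411: int = 0                    # forwarded to AD, rejected as bad password
    events_516: int = 0                    # rejected by extranet (soft) lockout, not forwarded

    def authenticate(self, forest: LogonForest, now_ms: int, dc_is_pdc: bool) -> None:
        if forest.bad_pwd_count_seen_at(now_ms, self.delay_ms) >= self.extranet_threshold:
            self.events_516 += 1           # soft lockout holds: AD never sees this attempt
            return
        self.events_411 += 1
        forest.bad_password(now_ms, dc_is_pdc)


def run_burst(extranet_threshold: int, ad_threshold: int, delay_ms: int,
              request_times_ms: List[int], dc_is_pdc: List[bool]) -> Tuple[int, int, int, bool]:
    """Replay bad-password logons for one user; return (411s, 516s, 4771s, AD locked out)."""
    farm = AdfsFarm(extranet_threshold, delay_ms)
    forest = LogonForest(ad_threshold)
    for t, pdc in zip(request_times_ms, dc_is_pdc):
        farm.authenticate(forest, t, pdc)
    return farm.events_411, farm.events_516, forest.events_4771, forest.locked_out


if __name__ == "__main__":
    # The post's case: 6 requests within one second, two of them answered by a non-PDC DC.
    burst = [0, 10, 20, 30, 40, 50]
    dcs = [True, True, False, True, False, True]
    print(run_burst(3, 5, 100, burst, dcs))     # (6, 0, 8, True): AD locks before ADFS reacts
    print(run_burst(3, 50, 100, burst, dcs))    # (6, 0, 8, False): mitigation, larger AD threshold
    spaced = [0, 1000, 2000, 3000, 4000, 5000]
    print(run_burst(3, 5, 100, spaced, dcs))    # (3, 3, 4, False): soft lockout catches it
```

The third run shows the other side of the margin: once attempts are spaced wider than the propagation delay, ADFS stops forwarding at the ExtranetLockoutThreshold and AD's badPwdCount never reaches its own threshold.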
 
2 Comments

Very interesting article there; I got one quick question though. How do you enable MFA on the https://sts.xxx.xxx/adfs/ls/ldpinitiatedsignon.aspx page? Any attacker can come through that page.
Hi @JoelJuma,

you need to know that this endpoint is disabled by default on ADFS 2016. Also, normally ADFS asks users for login and password and only after that requires MFA (if configured), but on ADFS 2016, if I remember well, you can configure MFA as primary, before login/password.

For ADFS 2016 it is strongly recommended to also enable ESL (Extranet Smart Lockout, https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection); unfortunately 2012R2 has only the "Extranet Soft Lockout".