ADFS 3.0 Extranet Lockout - UDP 389

Matt Hudson
Occasional Visitor

Hi,

 

We've got quite a complex setup: a central domain containing ADFS 3.0 and then many two-way trusts to other domains all over the globe, connected either by site-to-site VPNs or ExpressRoute.

 

I am trying to enable the Extranet Lockout feature, and before I do this I'm aware that I need to be able to query the remote PDC on port 389 UDP. This is proving a nightmare in terms of firewall access. TCP is usually fine, but getting UDP access can be tricky, and some sites have disabled IPv6 for security reasons. I know this is a bad move, but we can only advise them, unfortunately.

 

So, what can I do about this? Can you force Extranet Lockout to use TCP? I'm aware that the incoming version of ADFS has some changes on this front, particularly about not needing access to the PDC, but is there anything I can do in the meantime, and will the new version rely solely on TCP?

 

Thanks for any input,

Matt

1 Reply

This isn't going to be possible, I don't believe. LDAP Ping, specifically, happens over UDP, which will get in your way. It's UDP, so if security are paranoid, surely they can inspect the packets as they go through to check that there's nothing nefarious occurring?
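The "LDAP ping" the reply refers to is a CLDAP request: a single LDAP SearchRequest against rootDSE, filtered on `DnsDomain` and `NtVer` and asking for the `Netlogon` attribute, carried in one UDP datagram to port 389 (MS-ADTS 6.3.3). Because it is connectionless there is no TCP form of it to fall back to, so the practical question for a firewall change request is "does each trusted domain's PDC answer a CLDAP ping from the ADFS server?" The script below is an added example, not code from the thread or from Microsoft: it hand-encodes the ping, sends it over UDP 389, and decodes enough of the `NETLOGON_SAM_LOGON_RESPONSE_EX` answer to report the responding DC's DNS name and whether it sets `DS_PDC_FLAG`. The host and domain names in `sample_response()` are constructed test data, not captured traffic.

```python
"""CLDAP "LDAP ping" over UDP 389, the lookup Extranet Lockout's PDC query depends on.
Added example (not from the original thread); names in sample_response() are made up."""
import socket
import struct
import sys

# --- minimal BER, just the subset LDAP uses ---------------------------------
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(n: int) -> bytes:              # non-negative INTEGER, minimal two's complement
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")

def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(payload: bytes):
    """All (tag, value) pairs packed inside a constructed element."""
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = parse_tlv(payload, pos)
        out.append((tag, val))
    return out

# --- request: (&(DnsDomain=<domain>)(NtVer=<flags>)) on rootDSE, attrs [Netlogon] ---
NETLOGON_NT_VERSION_5 = 0x00000002          # MS-ADTS 6.3.1.1
NETLOGON_NT_VERSION_5EX = 0x00000004

def build_ldap_ping(dns_domain: str, message_id: int = 1,
                    ntver: int = NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX) -> bytes:
    def eq(attr: bytes, value: bytes) -> bytes:                     # equalityMatch [3]
        return tlv(0xA3, tlv(0x04, attr) + tlv(0x04, value))
    flt = tlv(0xA0, eq(b"DnsDomain", dns_domain.encode())            # and [0]
              + eq(b"NtVer", struct.pack("<I", ntver)))              # NtVer is a LE DWORD
    search = tlv(0x63,                                               # [APPLICATION 3] SearchRequest
                 tlv(0x04, b"")            # baseObject "" = rootDSE
                 + tlv(0x0A, b"\x00")      # scope baseObject
                 + tlv(0x0A, b"\x00")      # derefAliases never
                 + tlv(0x02, b"\x00")      # sizeLimit 0
                 + tlv(0x02, b"\x00")      # timeLimit 0
                 + tlv(0x01, b"\x00")      # typesOnly FALSE
                 + flt
                 + tlv(0x30, tlv(0x04, b"Netlogon")))
    return tlv(0x30, tlv(0x02, ber_int(message_id)) + search)

# --- response: SearchResultEntry -> Netlogon blob -> NETLOGON_SAM_LOGON_RESPONSE_EX ---
LOGON_SAM_LOGON_RESPONSE_EX = 23
DS_PDC_FLAG = 0x00000001

def netlogon_from_response(data: bytes):
    tag, msg, _ = parse_tlv(data)
    parts = children(msg) if tag == 0x30 else []
    if len(parts) < 2 or parts[1][0] != 0x64:                        # [APPLICATION 4] SearchResultEntry
        return None
    _dn, attrs = children(parts[1][1])[:2]
    for _t, attr in children(attrs[1]):
        desc, vals = children(attr)[:2]
        if desc[1].lower() == b"netlogon":
            return children(vals[1])[0][1]
    return None

def decode_compressed_name(blob: bytes, pos: int):
    """RFC 1035-style name with 0xC0 back-pointers, as used inside the Netlogon blob."""
    labels, end, jumped = [], None, False
    while True:
        n = blob[pos]
        if n == 0:
            pos += 1
            break
        if n & 0xC0 == 0xC0:                                         # pointer to an earlier name
            end = end if jumped else pos + 2
            pos, jumped = ((n & 0x3F) << 8) | blob[pos + 1], True
            continue
        labels.append(blob[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels), (end if jumped else pos)

def decode_netlogon(blob: bytes) -> dict:
    opcode, _sbz, flags = struct.unpack_from("<HHI", blob, 0)
    pos = 8 + 16                                                     # skip DomainGuid
    forest, pos = decode_compressed_name(blob, pos)
    dns_domain, pos = decode_compressed_name(blob, pos)
    dns_host, pos = decode_compressed_name(blob, pos)
    return {"opcode": opcode, "flags": flags, "is_pdc": bool(flags & DS_PDC_FLAG),
            "forest": forest, "dns_domain": dns_domain, "dns_host": dns_host}

def ldap_ping(host: str, dns_domain: str, timeout: float = 3.0):
    """One CLDAP ping; None means no UDP 389 answer within the timeout (blocked or no DC)."""
    family, _, _, _, addr = socket.getaddrinfo(host, 389, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ldap_ping(dns_domain), addr)
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    blob = netlogon_from_response(data)
    return decode_netlogon(blob) if blob else None

def sample_response() -> bytes:
    """Constructed SearchResultEntry for offline testing (not captured traffic)."""
    blob = struct.pack("<HHI", LOGON_SAM_LOGON_RESPONSE_EX, 0, 0x0000F1FD) + b"\x00" * 16
    blob += b"\x04corp\x07example\x03com\x00"                        # ForestName at offset 24
    blob += b"\xC0\x18" + b"\x06adfsdc\xC0\x18"                      # DnsDomainName, DnsHostName
    entry = tlv(0x64, tlv(0x04, b"") + tlv(0x30, tlv(0x30,
                tlv(0x04, b"Netlogon") + tlv(0x31, tlv(0x04, blob)))))
    return tlv(0x30, tlv(0x02, ber_int(1)) + entry)

if __name__ == "__main__":                 # usage: ldap_ping.py <dc-host> <dns-domain>
    print(ldap_ping(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3
          else decode_netlogon(netlogon_from_response(sample_response())))
```

Run it from each ADFS server against the PDC emulator of every trusted domain; a `None` tells you the UDP path is blocked before you enable the feature, and `is_pdc` confirms you reached the right DC rather than a nearby one. Because the exchange is one request datagram and one reply, the firewall rule needed is just UDP 389 from the ADFS hosts to each PDC, with the reply matched statefully.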
