ADFS 3.0 Extranet Lockout - UDP 389


Hi,

 

We've got quite a complex setup: a central domain containing ADFS 3.0 and then many two-way trusts to other domains all over the globe, connected by either site-to-site VPNs or ExpressRoute.

 

I am trying to enable the Extranet Lockout feature, and before I do this I'm aware that I need to be able to query the remote PDC on port 389 UDP; this is proving a nightmare in terms of firewall access. TCP is usually fine, but getting UDP access can be tricky, and some sites have disabled IPv6 for security reasons. I know this is a bad move, but we can only advise them, unfortunately.

 

So, what can I do about this? Can you force Extranet Lockout to use TCP? I'm aware that the upcoming version of ADFS has some changes on this front, particularly about not needing access to the PDC, but is there anything I can do in the meantime, and will the new version rely solely on TCP?

 

Thanks for any input,

Matt

1 Reply

This isn't going to be possible, I don't believe. LDAP Ping, specifically, happens over UDP, which will get in your way. It's UDP, so if security are paranoid, surely they can inspect the packets as they go through to check that there's nothing nefarious occurring?
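The pre-flight check the question describes, as an added example that is not part of the original thread: a PowerShell script for the AD FS 3.0 (Windows Server 2012 R2) server that enumerates the domains AD FS will authenticate against, locates each domain's PDC emulator, forces a fresh DC locator lookup against it with nltest (which exercises the LDAP ping over UDP 389 that the reply refers to), and only enables Extranet Lockout with Set-AdfsProperties once every PDC answered. The threshold and observation window values are illustrative, and the domain list (forest domains plus the current domain's trusts) is an assumption you may need to filter to the trusts actually in scope.

```powershell
# Added example, not from the original thread. Assumes it runs on the AD FS 3.0 server
# with the ADFS module installed and an account that can read each trusted domain.
param(
    [int]$Threshold     = 15,   # illustrative: failed attempts before soft lockout
    [int]$WindowMinutes = 30    # illustrative: observation window
)

Import-Module ADFS

# Domains whose users AD FS may authenticate: this forest's domains plus the
# current domain's trusts. Adjust if only some trusts are in scope (assumption).
$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$current = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domains = @($forest.Domains | ForEach-Object { $_.Name }) +
           @($current.GetAllTrustRelationships() | ForEach-Object { $_.TargetName }) |
           Sort-Object -Unique

$results = foreach ($d in $domains) {
    # Ask the directory who currently holds the PDC emulator role.
    $pdc = $null
    try {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $d)
        $pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).PdcRoleOwner.Name
    } catch {
        $pdc = "lookup failed: $($_.Exception.Message)"
    }

    # /force bypasses the locator cache, so DsGetDcName must actually LDAP-ping the
    # PDC (CLDAP over UDP 389). A TCP-only probe such as Test-NetConnection -Port 389
    # would succeed here even when UDP 389 is blocked, which is the trap to avoid.
    $out = & nltest.exe /dsgetdc:$d /pdc /force 2>&1
    $ok  = ($LASTEXITCODE -eq 0) -and [bool]($out -match 'completed successfully')

    [pscustomobject]@{
        Domain   = $d
        Pdc      = $pdc
        LdapPing = $ok
        Detail   = ($out | Select-Object -First 1)
    }
}

$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.LdapPing })
if ($failed.Count -gt 0) {
    Write-Warning ("UDP 389 LDAP ping failed for: {0}. Not enabling Extranet Lockout." -f `
                   ($failed.Domain -join ', '))
    return
}

# Every PDC answered: turn the feature on and read the settings back.
Set-AdfsProperties -EnableExtranetLockout $true `
                   -ExtranetLockoutThreshold $Threshold `
                   -ExtranetObservationWindow (New-TimeSpan -Minutes $WindowMinutes)

Get-AdfsProperties |
    Select-Object EnableExtranetLockout, ExtranetLockoutThreshold, ExtranetObservationWindow
```

Run it from an elevated PowerShell session on each AD FS server (not the Web Application Proxy, which never talks to the PDC). A domain that shows a resolved PDC but a failed LDAP ping is the firewall case from the question: TCP 389 is open but UDP 389 is not, and nothing in AD FS 3.0 will make that lookup use TCP instead.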