Home

Is it possible to implement captcha on ADFS sing-in form page ?

%3CLINGO-SUB%20id%3D%22lingo-sub-96745%22%20slang%3D%22en-US%22%3EIs%20it%20possible%20to%20implement%20captcha%20on%20ADFS%20sing-in%20form%20page%20%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-96745%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20have%20ADFS%20Proxy%20servers%20(Web%20Application%20Proxy%20servers)%20in%20our%20perimeter%20network%20and%20have%20MFA%20configured.%3C%2FP%3E%3CP%3EWe%20also%20have%20configured%20a%20very%20strict%20ADFS%20Extranet%20Account%20Lockout%20policy%20(3%20bad%20passwords%2C%201%20hour%20lockout)%20but%20we%20see%20this%20as%20unsustainable%20for%20bruce%20force%20attack.%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20need%20to%20ensure%20at%20least%20one%20of%20the%20following%20solutions%20are%20available%20for%20ADFS%203.0%20infrastructure.%26nbsp%3B%20Both%20of%20these%20are%20available%20through%20ADFS%202.0%20infrastructure%20since%20the%20login%20pages%20are%20customisable.%26nbsp%3B%20%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3COL%3E%3CLI%3EFor%20Extranet%20authentication%2C%20perform%20MFA%20authentication%20first.%26nbsp%3B%20Then%2C%20if%20successful%2C%20perform%20the%20AD%20authentication.%26nbsp%3B%20Ideally%2C%20present%20one%20login%20page%20with%20AD%20and%20MFA%20login%20details%20instead%20of%20presenting%20two%20login%20pages%20for%20the%20users.%3C%2FLI%3E%3CLI%3EAllow%20the%20customising%20of%20the%20ADFS%20login%20page%20to%20add%20CAPTCHA%20authentication.%26nbsp%3B%20Microsoft%20adds%20CAPTCHA%20to%20its%20other%20sites%20so%20it%20shouldn%E2%80%99t%20be%20too%20difficult%20to%20integrate%20this%20to%20the%20ADFS%203.0%20web%20forms%2C%20or%20at%20least%20allow%20us%20to%20use%20the%20reCaptcha%20API%20within%20the%20ADFS%203.0%20infrastructure.%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEither%20way%2C%20the%20work%20flow%20should%20be%20that%2C%20if%20the%20claim%20is%20being%20passed%20through%20a%20Web%20Application%20Proxy%20(ms-proxy)%2C%20then%20present%20MFA%20page%20or%20CAPTCHA%20page%20before%20AD%20authentication%20page...%20or%20present%20them%20all%20in%20the%20first%20page%20but%20authenticate%20AD%20account%20only%20after%20MFA%20and%2For%20CAPTCHA%20is%20authenticated%20successfully.%3C%2FP%3E%3CP%3ECan%20you%20please%20advise%20if%20these%20features%20are%20already%20available%20in%20ADFS%203.0%3F%26nbsp%3B%20Or%20do%20you%20know%20if%20they%20will%20become%20available%20in%20upcoming%20updates%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-96745%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECaptcha%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-106924%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20implement%20captcha%20on%20ADFS%20sing-in%20form%20page%20%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-106924%22%20slang%3D%22en-US%22%3E%3CP%3ENote%20that%20ADFS%202016%20supports%20Azure%20MFA%20as%20a%20primary%20factor%20for%20authentication%3A%3C%2FP%3E%0A%3CP%3E-%26nbsp%3BConfigure%20AD%20FS%202016%20and%20Azure%20MFA%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-ca%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fconfigure-ad-fs-2016-and-azure-mfa%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-ca%2Fwindows-server%2Fidentity%2Fad-fs%2Foperations%2Fconfigure-ad-fs-2016-and-azure-mfa%3C%2FA%3E%3C%2FP%3E%0A%3CP%3EADFS%202016%20also%20support%26nbsp%3BWindows%20Hello%20for%20Buisness%20as%20primary%20authentication%20too.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20also%20use%20certificate%20based%20authentication%20as%20a%20primary%20factor%20for%20external%20authentication.%20This%20works%20since%20ADFS%202.0.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-97098%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20implement%20captcha%20on%20ADFS%20sing-in%20form%20page%20%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-97098%22%20slang%3D%22en-US%22%3E%3CP%3ESetting%20up%20limits%20on%20geographical%20location%20can%20be%20done%20thorugh%20web%20application%20firewall%20like%20Incapsula.%3C%2FP%3E%3CP%3EYou%20can%20check%20%3CA%20href%3D%22https%3A%2F%2Fwww.incapsula.com%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.incapsula.com%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-96887%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20implement%20captcha%20on%20ADFS%20sing-in%20form%20page%20%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-96887%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20the%20MFA%20prompt%20was%20before%20the%20auth%20however%2C%20end%20users%20would%20be%20getting%20endless%20prompts%20on%20their%20devices.%20Not%20sure%20that%20is%20a%20alternative%20I%20would%20advocate.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-96871%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20it%20possible%20to%20implement%20captcha%20on%20ADFS%20sing-in%20form%20page%20%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-96871%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20currently%20experiencing%20frequent%20account%20lockouts%20from%20our%20ADFS%20servers.%26nbsp%3B%20We%20have%20tracked%20the%20offending%20authentication%20attemps%20to%20other%20countries.%26nbsp%3B%20We%20have%20tried%20working%20with%20MS%20portal%20support%2C%20but%20did%20not%20get%20any%20where.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20also%20have%20adjusted%20out%20ADFS%20Extranet%20lockout%20settings%20to%20no%20availe.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20too%20are%20wondering%20about%3A%3C%2FP%3E%3COL%3E%3CLI%3EMFA%20first%20for%20external%20authentication%20(having%20it%20second%20still%20allows%20multiple%20bad%20attempts)%3C%2FLI%3E%3CLI%3EPossible%20use%20of%20CAPTCHA%20(or%20something%20similar)%3C%2FLI%3E%3CLI%3ESetting%20some%20kind%20of%20geo-location%20limits%20to%20authentication%3C%2FLI%3E%3C%2FOL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Aslam Kader
New Contributor

We have ADFS Proxy servers (Web Application Proxy servers) in our perimeter network and have MFA configured.

We also have configured a very strict ADFS Extranet Account Lockout policy (3 bad passwords, 1 hour lockout) but we see this as unsustainable for bruce force attack.   

We need to ensure at least one of the following solutions are available for ADFS 3.0 infrastructure.  Both of these are available through ADFS 2.0 infrastructure since the login pages are customisable.     

  1. For Extranet authentication, perform MFA authentication first.  Then, if successful, perform the AD authentication.  Ideally, present one login page with AD and MFA login details instead of presenting two login pages for the users.
  2. Allow the customising of the ADFS login page to add CAPTCHA authentication.  Microsoft adds CAPTCHA to its other sites so it shouldn’t be too difficult to integrate this to the ADFS 3.0 web forms, or at least allow us to use the reCaptcha API within the ADFS 3.0 infrastructure.

 

Either way, the work flow should be that, if the claim is being passed through a Web Application Proxy (ms-proxy), then present MFA page or CAPTCHA page before AD authentication page... or present them all in the first page but authenticate AD account only after MFA and/or CAPTCHA is authenticated successfully.

Can you please advise if these features are already available in ADFS 3.0?  Or do you know if they will become available in upcoming updates?

4 Replies

We are currently experiencing frequent account lockouts from our ADFS servers.  We have tracked the offending authentication attemps to other countries.  We have tried working with MS portal support, but did not get any where.

 

We also have adjusted out ADFS Extranet lockout settings to no availe.

 

We too are wondering about:

  1. MFA first for external authentication (having it second still allows multiple bad attempts)
  2. Possible use of CAPTCHA (or something similar)
  3. Setting some kind of geo-location limits to authentication

 

If the MFA prompt was before the auth however, end users would be getting endless prompts on their devices. Not sure that is a alternative I would advocate.

Setting up limits on geographical location can be done thorugh web application firewall like Incapsula.

You can check https://www.incapsula.com/

Note that ADFS 2016 supports Azure MFA as a primary factor for authentication:

- Configure AD FS 2016 and Azure MFA https://docs.microsoft.com/en-ca/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-a...

ADFS 2016 also support Windows Hello for Buisness as primary authentication too.

 

You can also use certificate based authentication as a primary factor for external authentication. This works since ADFS 2.0.

 

 

Related Conversations
SharePoint Modern Page custom column layouts
Lance Alcabasa in SharePoint on
3 Replies
AD+ADFS+AAD
Taen keren in Azure on
1 Replies
A problem with the Zoom level of a Tab
Tavory in Discussions on
9 Replies
ADFS 4.0 and Office 365 - Internal CA
Enrico Giacomin in Office 365 on
3 Replies