ADFS External Smart Lockout Terminology

FamiliarLocation: During an authentication request, ESL checks all presented IPs. These IPs will be a combination of the network IP, forwarded IP, etc. If the request is successful, all of those IPs are added to the Account Activity table as “familiar IPs”. If every IP presented by a request is already present in the “familiar IPs”, the request is treated as coming from a “Familiar” location. The familiar IP list holds 20 records and is maintained FIFO (the oldest record is dropped when a new one is added).

UnknownLocation: If an incoming request has at least one IP not present in the existing “FamiliarLocation” list, the request is treated as coming from an “Unknown” location. This rule exists to handle proxying scenarios such as Exchange Online legacy authentication, where the same Exchange Online addresses appear on both successful and failed requests.

badPwdCount: A value representing the number of times an incorrect password was submitted and the authentication was unsuccessful. For each user, separate counters are kept for Familiar Locations and Unknown Locations.

UnknownLockout/FamiliarLockout: A per-user Boolean value indicating whether the user is locked out from accessing from unknown/familiar locations. This value is calculated from the badPwdCount for that location and the ExtranetLockoutThreshold.

ExtranetLockoutThreshold: This value determines the maximum number of bad password attempts. When the threshold is reached, ADFS will reject requests from the extranet until the observation window has passed.

ExtranetObservationWindow: This value determines how long username and password requests are locked out once the threshold is reached. When the window has passed, ADFS will start to perform username and password authentication again.

ExtranetLockoutRequirePDC: When enabled, extranet lockout requires a primary domain controller (PDC). When disabled, extranet lockout will fall back to another domain controller in case the PDC is unavailable.

ExtranetLockoutMode: Controls whether Extranet Smart Lockout runs in log-only or enforced mode.

  • ADPasswordCounter: This is the legacy AD FS “extranet soft lockout” mode, which does not differentiate based on location. This is the default value.
  • ADFSSmartLockoutLogOnly: Extranet Smart Lockout is enabled, but AD FS will only write admin and audit events but will not reject authentication requests. This mode is intended to initially be enabled for FamiliarLocation to be populated before ‘ADFSSmartLockoutEnforce’ is enabled.
  • ADFSSmartLockoutEnforce: Full support for blocking authentication requests when thresholds are reached from unknown/familiar locations.

Both IPv4 and IPv6 addresses are supported.
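The terms above together describe a small state machine: classify the request as Familiar or Unknown from its presented IPs, keep a separate badPwdCount per location, derive the lockout from the count and the threshold, and let the observation window clear it. The following Python model is an added illustration of that logic and is not AD FS code or anything Microsoft ships; the class, method and field names (SmartLockout, AccountActivity, authenticate, demo) are this example's own, and the threshold, window, user name, mode strings passed to demo() and IP addresses are constructed for the scenario. The legacy ADPasswordCounter mode is modelled as a single location-agnostic counter so that its difference from the smart modes is visible.

```python
"""Toy model of AD FS Extranet Smart Lockout (ESL) state, added as an illustration.

This is not AD FS code: the names below are this example's own, chosen to mirror
the glossary terms. The real implementation keeps its state elsewhere.
"""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress

FAMILIAR_HISTORY = 20  # FamiliarLocation list: 20 records, FIFO
MODES = ("ADPasswordCounter", "ADFSSmartLockoutLogOnly", "ADFSSmartLockoutEnforce")


@dataclass
class AccountActivity:
    """Per-user row of the Account Activity table (example structure)."""
    familiar_ips: deque = field(default_factory=lambda: deque(maxlen=FAMILIAR_HISTORY))
    # badPwdCount is kept separately per location; "Any" is the legacy,
    # location-agnostic counter used by ADPasswordCounter mode.
    bad_pwd_count: dict = field(default_factory=lambda: {"Familiar": 0, "Unknown": 0, "Any": 0})
    last_failure: dict = field(default_factory=dict)


class SmartLockout:
    def __init__(self, threshold=15, window=timedelta(minutes=30),
                 mode="ADFSSmartLockoutEnforce"):
        if mode not in MODES:
            raise ValueError(f"unknown ExtranetLockoutMode {mode!r}")
        self.threshold = threshold  # ExtranetLockoutThreshold
        self.window = window        # ExtranetObservationWindow
        self.mode = mode            # ExtranetLockoutMode
        self.accounts = {}
        self.events = []            # stands in for the admin/audit events

    @staticmethod
    def normalise(ips):
        # IPv4 and IPv6 are both accepted; the canonical text form keeps
        # "2001:0db8::1" and "2001:db8::1" from counting as different addresses.
        return [str(ipaddress.ip_address(ip)) for ip in ips]

    def classify(self, acct, ips):
        """FamiliarLocation only if every presented IP is already familiar."""
        if ips and set(ips) <= set(acct.familiar_ips):
            return "Familiar"
        return "Unknown"

    def counter_key(self, location):
        return location if self.mode != "ADPasswordCounter" else "Any"

    def is_locked(self, acct, key, now):
        """UnknownLockout / FamiliarLockout derived from badPwdCount and the threshold."""
        if acct.bad_pwd_count[key] < self.threshold:
            return False
        if now - acct.last_failure[key] >= self.window:
            acct.bad_pwd_count[key] = 0  # observation window has passed
            return False
        return True

    def authenticate(self, user, presented_ips, password_ok, now):
        acct = self.accounts.setdefault(user, AccountActivity())
        ips = self.normalise(presented_ips)
        key = self.counter_key(self.classify(acct, ips))
        if self.is_locked(acct, key, now):
            self.events.append((now, user, key, "lockout"))
            if self.mode != "ADFSSmartLockoutLogOnly":
                return "rejected"  # enforced: the password is not even checked
            # log-only: the event is written but the request is still processed
        if password_ok:
            for ip in ips:
                if ip not in acct.familiar_ips:
                    acct.familiar_ips.append(ip)  # deque drops the oldest past 20
            acct.bad_pwd_count[key] = 0
            return "success"
        acct.bad_pwd_count[key] += 1
        acct.last_failure[key] = now
        return "failure"


def demo(mode="ADFSSmartLockoutEnforce"):
    """Constructed scenario: one good login, three bad guesses from a new IP, then
    correct passwords from the new IP, from the familiar IP, and after the window."""
    esl = SmartLockout(threshold=3, window=timedelta(minutes=30), mode=mode)
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    home, other = ["203.0.113.10"], ["198.51.100.7"]  # constructed documentation addresses
    out = [esl.authenticate("alice", home, True, t0)]
    for i in range(1, 4):
        out.append(esl.authenticate("alice", other, False, t0 + timedelta(minutes=i)))
    out.append(esl.authenticate("alice", other, True, t0 + timedelta(minutes=5)))
    out.append(esl.authenticate("alice", home, True, t0 + timedelta(minutes=6)))
    out.append(esl.authenticate("alice", other, True, t0 + timedelta(minutes=40)))
    return out, esl.events


if __name__ == "__main__":
    for m in MODES:
        print(m, demo(m)[0])
```

Running demo() for each mode shows the point of the glossary: in ADFSSmartLockoutEnforce the fifth request is rejected while the familiar IP still signs in, in ADFSSmartLockoutLogOnly an event is recorded but nothing is rejected (and the new IP then becomes familiar), and in ADPasswordCounter the familiar IP is blocked as well because the legacy counter does not distinguish locations.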