Introduction of ADFS External Smart Lockout

Overview

ADFS Extranet Smart Lockout (ESL) is a security feature that protects your users from getting locked out of their accounts due to malicious activities. It works with AD FS (Active Directory Federation Services) to distinguish between login attempts from familiar locations and those that may be from attackers. With ESL, AD FS can prevent attackers from gaining access while allowing legitimate users to continue using their accounts.

Extranet Smart Lockout feature in Windows Server 2016 – Windows Server | Microsoft Learn

Configure AD FS Extranet Smart Lockout Protection | Microsoft Learn

ESL is available for AD FS on Windows Server 2016 (with June 2018 Windows Updates) and comes built-in with AD FS on Windows Server 2019.

Please note that ESL is specifically designed for username and password authentication requests that come from the extranet using the Web Application Proxy or a third-party proxy. If you’re using a third-party proxy, it must support the MS-ADFSPIP protocol to replace the Web Application Proxy


1. Update AD FS artifact database permissions

Extranet Smart Lockout (ESL) requires granting specific permissions to the AD FS service account so that it can create a new table in the AD FS artifact database. Here’s a step-by-step guide to achieve this:

  1. Log in to any AD FS server as an AD FS admin.
  2. Open a PowerShell Command Prompt window.
  3. Execute the following commands to grant the necessary permissions to the AD FS service account:
$cred = Get-Credential
Update-AdfsArtifactDatabasePermission -Credential $cred

The $cred placeholder should be replaced with the credentials of an account that has AD FS administrator permissions. This account will be used to grant the write permissions required for creating the table.

If your AD FS farm is using SQL Server and the provided credentials lack admin permissions on your SQL server, the above commands may fail to execute successfully.

You can configure the database permissions manually in SQL Server Database by running the following command while connected to the AdfsArtifactStore database:

ALTER AUTHORIZATION ON SCHEMA::[ArtifactStore] TO [db_genevaservice]

Please note that if the ESL policy has never been set up, there will be no ArtifactStore installed. Therefore, we must enable the policy first in order to enable the ArtifactStore table.
Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 15 -ExtranetObservationWindow (new-timespan -Minutes 30) -ExtranetLockoutRequirePDC $false

By following these steps, you should grant the necessary permissions to the AD FS service account, allowing Extranet Smart Lockout to function properly and enhance the security of your AD FS environment.


2. AD FS ESL Terminology

See this post: ADFS External Smart Lockout Terminology – Ruian’s Tech Troubleshooting Toolbox (ruianding.com)


3. Manage User Account Activity

AD FS provides three cmdlets to manage account activity data. These cmdlets automatically connect to the master node.

This behavior can be overridden by passing the -Server parameter.

Get-ADFSAccountActivity <UserPrincipalName>

The get command reads the current account activity for a user account. The cmdlet always automatically connects to the farm primary by using the Account Activity REST endpoint. Therefore, all data should always be consistent.

Properties:

  • BadPwdCountFamiliar: Incremented when an authentication is unsuccessful from a known location.
  • BadPwdCountUnknown: Incremented when an authentication is unsuccessful from an unknown location
  • LastFailedAuthFamiliar: If authentication was unsuccessful from a familiar location, LastFailedAuthFamiliar is set to time of unsuccessful authentication
  • LastFailedAuthUnknown: If authentication was unsuccessful from an unknown location, LastFailedAuthUnknown is set to time of unsuccessful authentication
  • FamiliarLockout: Boolean value which will be “True” if the “BadPwdCountFamiliar” > ExtranetLockoutThreshold
  • UnknownLockout: Boolean value which will be “True” if the “BadPwdCountUnknown” > ExtranetLockoutThreshold – FamiliarIPs: maximum of 20 IPs which are familiar for the user. When this is exceeded the oldest IP in the list will be removed.

Set-ADFSAccountActivity

Adds new familiar locations. The familiar IP list has a maximum of 20 entries, if this is exceeded, the oldest IP in the list will be removed.

Set-ADFSAccountActivity user@contoso.com -AdditionalFamiliarIps “1.2.3.4”

Reset-ADFSAccountLockout

Resets the lockout counter for a user account for each Familiar location (badPwdCountFamiliar) or Unfamiliar Location counters (badPwdCountUnfamiliar). By resetting a counter, the “FamiliarLockout” or “UnfamiliarLockout” value will update, as the reset counter will be less than the threshold.

Reset-ADFSAccountLockout user@contoso.com -Location Familiar 
Reset-ADFSAccountLockout user@contoso.com -Location Unknown