Microsoft Security | Active Directory Federation Services
Federated identity management using Active Directory Federation Services
Anyone has an idea?
ADFS Extranet Smart Lockout - Users cannot be unlocked with powershell
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 49%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EET%3C/text%3E%3C/svg%3E)
Ellis Tsui
1
Reputation point
We are using ADFS on Windows Server 2019. External login to O365 will authenticate via this ADFS server instead of Azure AD.
Recently we have been trying on the Extranet Smart Lockout feature.
In order to see how it would work, we have set the lockout mode to enforce.
set the ExtranetLockoutMode to <ADFSSmartLockoutEnforce>
Things seems to work as expected, except for one issue - when a user got locked, we cannot unlock the account via powershell.
Here's the scenario.
- We intentionally logging in an account with false password to trigger a lockout.
PS C:\Users\administrator.contoso> Get-AdfsAccountActivity -Identity ******@contoso.com Identifier : contoso\Extest01 BadPwdCountFamiliar : 6 BadPwdCountUnknown : 0 LastFailedAuthFamiliar : 12/5/2020 5:18:11 PM LastFailedAuthUnknown : 12/5/2020 4:51:56 PM FamiliarLockout : True UnknownLockout : False FamiliarIps : {202.xxx.xxx.109} - Then we try to unlock it by the following script. (As it is a FamiliarLockout, we added the parameter -Location Familiar)
PS C:\Users\administrator.contoso> Reset-AdfsAccountLockout ******@contoso.com -Location Familiar - It is verified that the account has been unlocked using powershell.
PS C:\Users\administrator.contoso> Get-AdfsAccountActivity -Identity ******@contoso.com Identifier : contoso\Extest01 BadPwdCountFamiliar : 0 BadPwdCountUnknown : 0 LastFailedAuthFamiliar : 12/5/2020 5:18:11 PM LastFailedAuthUnknown : 12/5/2020 4:51:56 PM FamiliarLockout : False UnknownLockout : False FamiliarIps : {202.xxx.xxx.109} - However, we try logging in again with the correct password, it is still not able to login.
- We also tried logging from internal network, it worked. So the account is not locked in AD.
Please help to see if there is anything missing here. Thanks in advanced.
Additional information.
We have set the ESL via the following powershell:
Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 3 -ExtranetObservationWindow (new-timespan -Minutes 10) -ExtranetLockoutRequirePDC $false
Microsoft Security | Active Directory Federation Services
1 answer
Sort by: Most helpful
-
Ellis Tsui 1 Reputation point
2020-12-11T05:35:03.827+00:00 -
Pierre Audonnet - MSFT 10,206 Reputation points Microsoft Employee Moderator2020-12-15T04:41:22.263+00:00 I do not repro your scenario :(
I set up the same config.
I locked an account which previously succesfully logged in in the past (hence I have a familiar IP):
I confirm I can't log in anymore.
I reset the count:
I can login right away.Maybe you can enable the debug trace:
And see if that complains about something when you try to log in again. -
Ellis Tsui 1 Reputation point
2020-12-15T11:36:48.007+00:00 Thanks for your reply.
I found that recently that in the initial setup, we have skipped this the following step .
Grant read/write permissions to our Administrator over the ADFS artifact database by executing:Update-AdfsArtifactDatabasePermissionBut now that i want to run the cmdlet, it said that it could recognize this cmdlet. Any idea?
-
Pierre Audonnet - MSFT 10,206 Reputation points Microsoft Employee Moderator
2020-12-17T14:27:17.057+00:00 No need to go to the community support to find that step :) It is listed in the documentation too: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection#extranet-smart-lockout-configuration
The cmdLet should exist though. Are you sure you are trying it on the right server? Can you do a show-command and see what's in the ADFS module?
-
Ellis Tsui 1 Reputation point
2020-12-18T04:48:18.553+00:00 I confirmed that the server is one of our ADFS server (we got 2 ADFS server).
Here are the cmdlets available. We are using Windows Server 2019 (Version 1809, Build 17763.1637).
-
-
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator2021-01-01T02:43:52.863+00:00 Hello, I'm reaching within the product team and will come back to you.
Sign in to comment -