Here are some of the things I have found while setting up Extranet Smart Lockout on ADFS 2016. For the most part everything is very straightforward.
This post is my notes from configuring it and is not meant to be a replacement for the actual instructions:
Description of the Extranet Smart Lockout feature in Windows Server 2016
This article was originally published on 7/26/2018
Enable ADFS Logging
# This will Add the audit settings to your existing settings
set-AdfsProperties -LogLevel ((Get-AdfsProperties).LogLevel+'SuccessAudits','FailureAudits')
# Or just add all the logging
Set-ADFSProperties -LogLevel Verbose,Errors,Warnings,Information,SuccessAudits,FailureAudits
#validate that SuccessAudits and FailureAudits are set
(Get-AdfsProperties).LogLevel
#Make sure the security audit policy is enabled (the AD FS service account also needs the
#"Generate security audits" user right, which AD FS setup grants by default)
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
#validate
auditpol.exe /get /subcategory:"Application Generated"
Enable Extranet Lockout Logging
#it will prompt for credentials; use an account with AD FS administrator rights
Update-AdfsArtifactDatabasePermission
<# Note: if WinRM isn't working correctly on the AD FS farm nodes, it displays a message very similar to the one shown when the required update is missing. #>
#Enable Log Only First and Monitor lockout activity
Set-AdfsProperties -ExtranetLockoutMode AdfsSmartlockoutLogOnly
#restart the adfs service
restart-service adfss*
#The lockout threshold is the number of failed password attempts that must occur from a location
#before the account gets locked out on the AD FS side; familiar and unfamiliar locations are counted separately.
Set-AdfsProperties -ExtranetLockoutThreshold 10
(Get-AdfsProperties).ExtranetLockoutThreshold
#the observation window is the amount of time that must pass, counted from the failed attempts,
#before the extranet lockout automatically releases
Set-AdfsProperties -ExtranetObservationWindow ( new-timespan -minutes 15 )
(get-AdfsProperties).ExtranetObservationWindow
#enable Extranet Lockout
Set-AdfsProperties -EnableExtranetLockout $true
#Validate
get-AdfsProperties | select *lock*,bannediplist | fl
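The steps above are easy to get half-done (audit levels set but the audit policy not, or log-only left in place). As an added example that is not part of the original post, here is a read-only preflight check over the same settings; run it in an elevated PowerShell on an AD FS node. The function name and the expected threshold/window defaults are this example's own choices.

```powershell
function Test-EslConfiguration {
    # Read-only check of the logging and Extranet Smart Lockout settings;
    # returns one row per check so the output can be filtered on Pass -eq $false.
    [CmdletBinding()]
    param(
        [int]$ExpectedThreshold = 10,                       # assumed value, matches the example above
        [timespan]$ExpectedWindow = (New-TimeSpan -Minutes 15)
    )
    $props   = Get-AdfsProperties
    $results = New-Object System.Collections.Generic.List[object]
    $add = { param($Name, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }) }

    & $add 'Audit log levels' `
        (($props.LogLevel -contains 'SuccessAudits') -and ($props.LogLevel -contains 'FailureAudits')) `
        ($props.LogLevel -join ',')

    # auditpol /r prints CSV; the subcategory must show "Success and Failure"
    $row = auditpol.exe /get /subcategory:"Application Generated" /r |
        Where-Object { $_ -match ',' } | ConvertFrom-Csv
    & $add 'Audit policy: Application Generated' ($row.'Inclusion Setting' -eq 'Success and Failure') $row.'Inclusion Setting'

    & $add 'Smart lockout mode (LogOnly or Enforce)' ($props.ExtranetLockoutMode -match 'SmartLockout') $props.ExtranetLockoutMode
    & $add 'Extranet lockout enabled' $props.EnableExtranetLockout $props.EnableExtranetLockout
    & $add 'Lockout threshold' ($props.ExtranetLockoutThreshold -eq $ExpectedThreshold) $props.ExtranetLockoutThreshold
    & $add 'Observation window' ($props.ExtranetObservationWindow -eq $ExpectedWindow) $props.ExtranetObservationWindow
    # Per the note above, a banned IP is blocked regardless of mode, so any unexpected entry deserves a look.
    & $add 'BannedIpList empty' (@($props.BannedIpList).Count -eq 0) (@($props.BannedIpList) -join ',')
    & $add 'adfssrv running' ((Get-Service adfssrv).Status -eq 'Running') (Get-Service adfssrv).Status
    $results
}

Test-EslConfiguration | Format-Table -AutoSize
# Only the failures:
# Test-EslConfiguration | Where-Object { -not $_.Pass }
```

Run it once per farm node: the AD FS properties are farm-wide, but the auditpol setting and the service state are per server.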
Note: pay attention to the BannedIPList. While troubleshooting an issue where external logons were failing after the update, the second an IP went into the BannedIPList it didn't seem to matter what the Mode was set to or that it wasn't enabled.
Test Extranet Smart Lockout
Open the web browser of your choice and go to the AD FS IdpInitiatedSignon page through the external (Web Application Proxy) address; you may have to update the hosts file to point the farm name at the external IP so the request arrives via the proxy and is treated as Extranet.
You may have to enable the page first: How to Enable IdpInitiatedSignon Page In AD FS 2016
Enter a bad password for the user multiple times.
#Check the users ADFS Account Activity
Get-ADFSAccountActivity useremailaddress/upn
Get-ADFSAccountActivity Aedan.Stokes@16lab.chadcolabs.us
#check whether the user's bad password count in AD is increasing
get-aduser samaccountname -properties badPwdCount,lockedout
get-aduser 112571 -properties badPwdCount,lockedout
On the AD FS server, the following events appear in the Security event log:
Event ID 1203
The Federation Service failed to validate a new credential. See XML for failure details.
Activity ID: b71497c7-bb2d-496b-ff1e-0080000000c8
Additional Data
XML: <?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FreshCredentialAudit">
<AuditType>FreshCredentials</AuditType>
<AuditResult>Failure</AuditResult>
<FailureType>CredentialValidationError</FailureType>
<ErrorCode>N/A</ErrorCode>
<ContextComponents>
<Component xsi:type="ResourceAuditComponent">
<RelyingParty>http://sts.16lab.chadcolabs.us/adfs/services/trust</RelyingParty>
<ClaimsProvider>N/A</ClaimsProvider>
<UserId>Aedan.Stokes@16lab.chadcolabs.us</UserId>
</Component>
<Component xsi:type="AuthNAuditComponent">
<PrimaryAuth>N/A</PrimaryAuth>
<DeviceAuth>false</DeviceAuth>
<DeviceId>N/A</DeviceId>
<MfaPerformed>false</MfaPerformed>
<MfaMethod>N/A</MfaMethod>
<TokenBindingProvidedId>false</TokenBindingProvidedId>
<TokenBindingReferredId>false</TokenBindingReferredId>
<SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>
</Component>
<Component xsi:type="ProtocolAuditComponent">
<OAuthClientId>N/A</OAuthClientId>
<OAuthGrant>N/A</OAuthGrant>
</Component>
<Component xsi:type="RequestAuditComponent">
<Server>http://sts.16lab.chadcolabs.us/adfs/services/trust</Server>
<AuthProtocol>SAMLP</AuthProtocol>
<NetworkLocation>Extranet</NetworkLocation>
<IpAddress>10.10.10.25</IpAddress>
<ForwardedIpAddress>10.10.10.25</ForwardedIpAddress>
<ProxyIpAddress>N/A</ProxyIpAddress>
<NetworkIpAddress>N/A</NetworkIpAddress>
<ProxyServer>16LAB-WAP1</ProxyServer>
<UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134</UserAgentString>
<Endpoint>/adfs/ls/idpinitiatedsignon</Endpoint>
</Component>
</ContextComponents>
</AuditBase>
*I like that the log calls out the proxy server the user is coming through
Event ID 1201
The Federation Service failed to issue a valid token. See XML for failure details.
Activity ID: b71497c7-bb2d-496b-ff1e-0080000000c8
Additional Data
XML: <?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit">
<AuditType>AppToken</AuditType>
<AuditResult>Failure</AuditResult>
<FailureType>GenericError</FailureType>
<ErrorCode>N/A</ErrorCode>
<ContextComponents>
<Component xsi:type="ResourceAuditComponent">
<RelyingParty>http://sts.16lab.chadcolabs.us/adfs/services/trust</RelyingParty>
<ClaimsProvider>N/A</ClaimsProvider>
<UserId>Aedan.Stokes@16lab.chadcolabs.us</UserId>
</Component>
<Component xsi:type="AuthNAuditComponent">
<PrimaryAuth>N/A</PrimaryAuth>
<DeviceAuth>false</DeviceAuth>
<DeviceId>N/A</DeviceId>
<MfaPerformed>false</MfaPerformed>
<MfaMethod>N/A</MfaMethod>
<TokenBindingProvidedId>false</TokenBindingProvidedId>
<TokenBindingReferredId>false</TokenBindingReferredId>
<SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>
</Component>
<Component xsi:type="ProtocolAuditComponent">
<OAuthClientId>N/A</OAuthClientId>
<OAuthGrant>N/A</OAuthGrant>
</Component>
<Component xsi:type="RequestAuditComponent">
<Server>http://sts.16lab.chadcolabs.us/adfs/services/trust</Server>
<AuthProtocol>SAMLP</AuthProtocol>
<NetworkLocation>Extranet</NetworkLocation>
<IpAddress>10.10.10.25</IpAddress>
<ForwardedIpAddress>10.10.10.25</ForwardedIpAddress>
<ProxyIpAddress>N/A</ProxyIpAddress>
<NetworkIpAddress>N/A</NetworkIpAddress>
<ProxyServer>16LAB-WAP1</ProxyServer>
<UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134</UserAgentString>
<Endpoint>/adfs/ls/idpinitiatedsignon</Endpoint>
</Component>
</ContextComponents>
</AuditBase>
Event ID 4625
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: ADMINISTRATOR
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 108.30.90.24
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
*The IP in this event is not the client's IP.
One question I need to get an answer on is: what if the IP address in 1201 or 1203 is the load balancer's, not the actual client's? My initial feeling is that the load balancer is not configured to forward the client IP in the header.
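The 1203 XML carries everything needed to reproduce the counter that smart lockout is keeping (user, network location, connecting IP, forwarded IP, proxy), so it is worth parsing rather than eyeballing. The following is an added example, not code from the original post: it flattens the audit XML into objects and counts extranet credential failures per user and client IP inside one observation window, preferring ForwardedIpAddress and falling back to IpAddress, and flags rows where the only address available is one of a caller-supplied list of load balancer IPs, which is exactly the case raised in the question above. The function names, the LoadBalancerIps parameter and the sample events are this example's own; the samples are constructed from the event shown above and are not real log data.

```powershell
function ConvertFrom-AdfsAuditXml {
    # Extracts the <AuditBase> XML from an AD FS audit message (1201/1203 style) and
    # flattens every Component leaf (UserId, IpAddress, ProxyServer, ...) into one object.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Message,
        [datetime]$TimeCreated = (Get-Date)
    )
    process {
        $start = $Message.IndexOf('<AuditBase')
        if ($start -lt 0) { return }
        $end = $Message.LastIndexOf('</AuditBase>') + '</AuditBase>'.Length
        [xml]$audit = $Message.Substring($start, $end - $start)
        $rec = [ordered]@{
            TimeCreated = $TimeCreated
            AuditType   = $audit.AuditBase.AuditType
            Result      = $audit.AuditBase.AuditResult
            FailureType = $audit.AuditBase.FailureType
        }
        foreach ($component in $audit.AuditBase.ContextComponents.Component) {
            foreach ($leaf in $component.ChildNodes) { $rec[$leaf.LocalName] = $leaf.InnerText }
        }
        [pscustomobject]$rec
    }
}

function Get-EslFailureSummary {
    # Counts extranet credential failures per user and client IP inside one
    # observation window and flags pairs at or above the lockout threshold.
    param(
        [Parameter(Mandatory)][object[]]$Audits,
        [int]$Threshold = 10,
        [timespan]$Window = (New-TimeSpan -Minutes 15),
        [datetime]$Now = (Get-Date),
        [string[]]$LoadBalancerIps = @()     # assumption: your load balancer VIP/SNAT addresses
    )
    $Audits |
        Where-Object { $_.Result -eq 'Failure' -and $_.NetworkLocation -eq 'Extranet' -and
                       $_.TimeCreated -ge $Now.Subtract($Window) } |
        ForEach-Object {
            # Prefer the forwarded client address; if the proxy passed none, the
            # connecting IP is all there is, and it may belong to a load balancer.
            $client = if ($_.ForwardedIpAddress -and $_.ForwardedIpAddress -ne 'N/A') { $_.ForwardedIpAddress } else { $_.IpAddress }
            [pscustomobject]@{ User = $_.UserId; ClientIp = $client; Proxy = $_.ProxyServer }
        } |
        Group-Object User, ClientIp |
        ForEach-Object {
            [pscustomobject]@{
                User             = $_.Group[0].User
                ClientIp         = $_.Group[0].ClientIp
                Proxy            = $_.Group[0].Proxy
                Failures         = $_.Count
                OverThreshold    = ($_.Count -ge $Threshold)
                IpIsLoadBalancer = ($LoadBalancerIps -contains $_.Group[0].ClientIp)
            }
        }
}

# Constructed sample events modelled on the 1203 event above (not real log data).
$template = @'
<?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FreshCredentialAudit">
  <AuditType>FreshCredentials</AuditType><AuditResult>Failure</AuditResult>
  <FailureType>CredentialValidationError</FailureType><ErrorCode>N/A</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent"><UserId>{0}</UserId></Component>
    <Component xsi:type="RequestAuditComponent"><NetworkLocation>Extranet</NetworkLocation>
      <IpAddress>{1}</IpAddress><ForwardedIpAddress>{2}</ForwardedIpAddress>
      <ProxyServer>16LAB-WAP1</ProxyServer><Endpoint>/adfs/ls/idpinitiatedsignon</Endpoint></Component>
  </ContextComponents>
</AuditBase>
'@
$aedan  = 'Aedan.Stokes@16lab.chadcolabs.us'
$abdiel = 'Abdiel.Conrad@16lab.chadcolabs.us'
$now    = Get-Date
$sample = @(
    # 12 failures from a forwarded client address: over a threshold of 10
    1..12 | ForEach-Object { ConvertFrom-AdfsAuditXml -Message ('XML: ' + ($template -f $aedan, '10.10.10.25', '10.10.10.25')) -TimeCreated $now.AddMinutes(-$_) }
    # 3 failures with no forwarded address: only the (assumed) load balancer IP is visible
    1..3  | ForEach-Object { ConvertFrom-AdfsAuditXml -Message ($template -f $aedan, '192.0.2.10', 'N/A') -TimeCreated $now.AddMinutes(-$_) }
    # one failure outside the window, which must not be counted
    ConvertFrom-AdfsAuditXml -Message ($template -f $abdiel, '10.10.10.30', '10.10.10.30') -TimeCreated $now.AddHours(-2)
)
Get-EslFailureSummary -Audits $sample -Threshold 10 -LoadBalancerIps '192.0.2.10' -Now $now | Format-Table -AutoSize

# Live version on an AD FS node (Security log, event 1203), using the farm's own settings:
# $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1203} -MaxEvents 1000 |
#     ForEach-Object { ConvertFrom-AdfsAuditXml -Message $_.Message -TimeCreated $_.TimeCreated }
# Get-EslFailureSummary -Audits $live -Threshold (Get-AdfsProperties).ExtranetLockoutThreshold `
#     -Window (Get-AdfsProperties).ExtranetObservationWindow -LoadBalancerIps '192.0.2.10'
```

If the live output shows most failures grouped under a single ClientIp with IpIsLoadBalancer true and ForwardedIpAddress N/A, the load balancer is not passing the client address through to the proxy, and every external user shares one counter.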
Enforce Extranet Smart Lockout
#after you review the logs and feel comfortable enable ADFS Smart Lockout
Set-AdfsProperties -ExtranetLockoutMode AdfsSmartLockoutEnforce
#restart the AD FS service on every node in the farm. Restart-Service has no -ComputerName
#parameter; for remote nodes pipe from Get-Service -ComputerName <node> or use Invoke-Command.
Restart-Service adfssrv
#Validate
get-AdfsProperties | select *lock*,bannediplist | fl
First test: continue with the same user and enter multiple (20 or so) bad passwords.
Get-ADFSAccountActivity Aedan.Stokes@16lab.chadcolabs.us
get-aduser 112571 -properties badPwdCount,lockedout
*Note: once lockout is enforced, the user's Active Directory badPwdCount does not increment past the unknown-location threshold; after that point AD FS rejects the attempts without sending the password to AD.
Next, use a different account and perform a logon with a good password.
#view the ADFS Account Activity
Get-ADFSAccountActivity Abdiel.Conrad@16lab.chadcolabs.us
#the IP used for the successful logon is now listed as a familiar IP
Repeat the logon to AD FS with several bad passwords.
#view the ADFS Account Activity
Get-ADFSAccountActivity Abdiel.Conrad@16lab.chadcolabs.us
#note that FamiliarLockout is now True
get-aduser 225866 -properties badPwdCount,lockedout
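The two commands repeated throughout the tests (Get-ADFSAccountActivity and Get-ADUser) answer one question together: are the AD FS counters absorbing the bad passwords, or is the AD account still taking them? As an added example, not from the original post, here is one function that puts both side by side for any number of users, queries the PDC emulator (badPwdCount is not replicated, and bad passwords are forwarded to the PDC), and can optionally clear the AD FS counters afterwards. The function name and the -UnlockAdfs switch are this example's own; the property names read from Get-AdfsAccountActivity (BadPwdCountFamiliar, BadPwdCountUnknown, FamiliarLockout, UnknownLockout, FamiliarIps) are the cmdlet's output as I know it, so confirm them with `Get-AdfsAccountActivity -Identity <upn> | Format-List` on your farm before relying on the report.

```powershell
function Get-EslUserStatus {
    # Side-by-side view of AD FS smart-lockout counters and the AD account state.
    # Requires the ActiveDirectory module and runs on an AD FS 2016 node.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$UserPrincipalName,
        [switch]$UnlockAdfs      # example's own switch: clear both AD FS counters after reporting
    )
    begin {
        # badPwdCount is per-DC; the PDC emulator receives every bad-password notification.
        $pdc = (Get-ADDomain).PDCEmulator
    }
    process {
        $act = Get-AdfsAccountActivity -Identity $UserPrincipalName
        $ad  = Get-ADUser -Server $pdc -Filter { UserPrincipalName -eq $UserPrincipalName } `
                          -Properties badPwdCount, LockedOut
        [pscustomobject]@{
            User               = $UserPrincipalName
            AdfsBadPwdFamiliar = $act.BadPwdCountFamiliar
            AdfsBadPwdUnknown  = $act.BadPwdCountUnknown
            FamiliarLockout    = $act.FamiliarLockout
            UnknownLockout     = $act.UnknownLockout
            FamiliarIps        = (@($act.FamiliarIps) -join ',')
            AdBadPwdCount      = $ad.badPwdCount
            AdLockedOut        = $ad.LockedOut
            # true when AD FS is holding the line: locked on the AD FS side, AD still under its own threshold
            AdfsAbsorbing      = (($act.FamiliarLockout -or $act.UnknownLockout) -and -not $ad.LockedOut)
        }
        if ($UnlockAdfs) {
            foreach ($loc in 'Familiar', 'Unknown') {
                Reset-AdfsAccountLockout -Identity $UserPrincipalName -Location $loc
            }
        }
    }
}

# Usage: the two test users from above, then clear the AD FS counters once the test is done.
'Aedan.Stokes@16lab.chadcolabs.us', 'Abdiel.Conrad@16lab.chadcolabs.us' | Get-EslUserStatus | Format-Table -AutoSize
# 'Aedan.Stokes@16lab.chadcolabs.us' | Get-EslUserStatus -UnlockAdfs
```

In enforce mode the expected picture after a burst of bad passwords is FamiliarLockout or UnknownLockout true with AdBadPwdCount stuck at the AD FS threshold; if AdBadPwdCount keeps climbing or AdLockedOut flips to true, the failures are still reaching AD and the mode, the proxy path or the banned-IP handling needs another look.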
That is all for today. As I was running through the instructions and wasn't sure what I should be seeing, I figured I would share what I experienced. The next topic will be banned IPs.
-Chad