What is Active Directory Federation Services (ADFS)?

Active Directory Federation Services (ADFS) is a Microsoft software component that provides single sign-on (SSO) capability to users. SSO is the technique of using a single user ID and password, and logging in just once, to access multiple products and applications. ADFS creates an authentication token that contains claims about a user's identity and passes it to different applications across organizational boundaries, enabling seamless logins. ADFS is the technology that makes single sign-on possible.

What is ADFS Extranet Lockout?

ADFS Extranet Lockout is a security feature introduced by Microsoft in Windows Server 2012 R2. It enables ADFS to stop authenticating suspicious user accounts from outside the organization's network (extranet) for a specific period of time. This prevents the account from being locked out in Active Directory, striking a balance between security and productivity.

Advantages of ADFS Extranet Lockout

ADFS Extranet Lockout provides protection against two major attacks.
  • Brute force attacks - In this type of attack, an attacker attempts to gain access to a user's account by continuously sending authentication requests with different possible passwords. When ADFS receives numerous login requests with bad passwords, it will suspend the suspicious user account for extranet access.
  • Malicious account lockouts or denial of service - In this type of attack, an attacker attempts to lock out a user by sending numerous authentication requests with wrong passwords. This is where ADFS's soft lockout feature comes in handy. In this case, the user's extranet access is disabled but the actual account in Active Directory is not locked out. The user can still access resources from within the organization's intranet.

It is important to note that the ADFS Extranet Lockout feature works only for extranet scenarios where authentication requests come through the Web Application Proxy, and it applies only to username and password authentication.
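The soft lockout described above only protects the Active Directory account if ADFS stops accepting extranet attempts before the AD lockout policy triggers. The following PowerShell is an added example, not part of the original page or of ADAudit Plus: it compares the intended Extranet Lockout settings with the default domain lockout policy before enabling the feature. The threshold of 15 and the 30-minute window are assumed values for illustration.

```powershell
# Added example: enable AD FS Extranet Lockout so the soft lockout triggers
# before the Active Directory lockout policy does.
# Run in an elevated session on the primary AD FS server.
Import-Module ADFS, ActiveDirectory

# Illustrative values (assumptions); tune them to your own lockout policy.
$extranetThreshold = 15
$extranetWindow    = New-TimeSpan -Minutes 30

# Default domain lockout policy. Fine-grained password policies, if used,
# can apply different values to some accounts and need a separate check.
$adPolicy = Get-ADDefaultDomainPasswordPolicy

$problems = @()
# LockoutThreshold 0 means AD never locks accounts, so there is nothing to compare.
if ($adPolicy.LockoutThreshold -gt 0) {
    if ($extranetThreshold -ge $adPolicy.LockoutThreshold) {
        # Bad extranet passwords would lock the AD account first.
        $problems += "Extranet threshold ($extranetThreshold) must be lower than " +
                     "the AD lockout threshold ($($adPolicy.LockoutThreshold))."
    }
    if ($extranetWindow -le $adPolicy.LockoutObservationWindow) {
        # AD would reset its counter later than ADFS lifts the soft lockout.
        $problems += "Extranet observation window ($extranetWindow) must be longer " +
                     "than the AD observation window ($($adPolicy.LockoutObservationWindow))."
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Extranet Lockout settings would not protect the AD account; nothing changed.'
}

# Apply the settings to the AD FS farm.
Set-AdfsProperties -EnableExtranetLockout $true `
    -ExtranetLockoutThreshold $extranetThreshold `
    -ExtranetObservationWindow $extranetWindow

# Read the settings back to confirm what is now in effect.
Get-AdfsProperties |
    Select-Object ExtranetLockoutEnabled, ExtranetLockoutThreshold, ExtranetObservationWindow
```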


ADAudit Plus simplifies ADFS Extranet Lockout monitoring by offering predefined ADFS Auditing reports, along with intuitive graphical representations of them for ease of comprehension. ADAudit Plus also provides the option to generate custom reports and export them in your preferred format: PDF, XLS, HTML, or CSV.

Steps to Audit ADFS Extranet Lockout with ADAudit Plus

Once ADAudit Plus is installed, it can automatically configure audit policies required for Active Directory auditing. To enable automatic configuration: Log in to the ADAudit Plus web console → Domain Settings → Audit Policy: Configure.

Extranet lockout events can be monitored by following the steps below:
  • Log in to ADAudit Plus.
  • Select the required Domain from the dropdown list.
  • Go to the Reports tab.
  • Navigate to ADFS Auditing.
  • Select the Extranet Lockout report.

About ADAudit Plus

ADAudit Plus is real-time, web-based Windows Active Directory (AD) change reporting software that audits, reports, and alerts on Active Directory, Windows servers and workstations, and NAS storage devices to meet security and compliance requirements. You can also track ADFS logon successes, ADFS logon failures, and Extranet Lockouts with ADAudit Plus. In total, the solution has 200+ reports and real-time alerts to keep your network environment secure. To learn more, visit https://www.manageengine.com/active-directory-audit/
