Extranet Lockout

ADFS in Windows Server 2012 R2 (some call it “ADFS v3”) comes with a number of very cool features – one of them is “Extranet Lockout Protection”: http://blogs.technet.com/b/rmilne/archive/2014/05/05/enabling-adfs-2012-r2-extranet-lockout-protection.aspx, https://technet.microsoft.com/en-us/library/dn486806.aspx.

The idea behind it is this: if you expose your ADFS to the internet, which makes sense in many scenarios, and you use Web Application Proxy to do so, you want to protect yourself from Denial of Service (DoS) attacks. Clever attackers could try to brute-force logons to your ADFS servers by simply trying out username and password combinations – or worse, they know how your usernames are constructed and try out a number of passwords for a given username. If you then have Windows Active Directory configured to lock a user account after too many failed logon attempts, the attacker can end up locking an account in Windows AD.

Now that is an undesired behavior that Extranet Lockout Protection is trying to prevent. Once enabled, you configure a threshold, much like in the Windows AD Account Lockout Policy, to let ADFS observe these kinds of logons and, before the account gets locked out in AD, stop forwarding the logon attempts to Windows AD.

I’ve found that the process of how ADFS determines this is not very well documented (yet), and I’ve found myself having a wrong understanding of how this all happens. So to shed some light on this – here’s a little write-up of information I got from the Product Group and from testing with a customer of mine.

The threshold for Extranet Lockout Protection should be configured to be lower than the Lockout settings in Windows AD, so ADFS can stop trying to log on before it’s too late.
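To make that rule checkable rather than a matter of memory, here is an added PowerShell example (not part of the original post, and not Microsoft’s own guidance) that reads the domain’s default lockout policy and the current ADFS Extranet Lockout settings, and only then enables Extranet Lockout with a threshold strictly below AD’s. It assumes you run it on the primary ADFS 2012 R2 server with the ActiveDirectory RSAT module installed; the fallback threshold of 15 and the 30-minute observation window are illustrative values, not numbers from the post.

```powershell
# Added example, not from the post: keep the ADFS Extranet Lockout threshold
# below the Windows AD account lockout threshold.
# Assumptions: primary ADFS 2012 R2 server, ActiveDirectory RSAT module present,
# illustrative values (15 attempts, 30 minutes) where AD gives no guidance.
Import-Module ActiveDirectory
Import-Module ADFS

$adPolicy = Get-ADDefaultDomainPasswordPolicy   # default domain lockout policy
$adfs     = Get-AdfsProperties                   # current ADFS farm properties

"AD   LockoutThreshold: {0}  ObservationWindow: {1}" -f `
    $adPolicy.LockoutThreshold, $adPolicy.LockoutObservationWindow
"ADFS ExtranetLockoutEnabled: {0}  Threshold: {1}  Window: {2}" -f `
    $adfs.ExtranetLockoutEnabled, $adfs.ExtranetLockoutThreshold, $adfs.ExtranetObservationWindow

if ($adPolicy.LockoutThreshold -eq 0) {
    # Threshold 0 means AD never locks accounts; extranet lockout still throttles
    # password guessing from the internet, but there is no AD lockout to stay below.
    Write-Warning "AD lockout threshold is 0 (no AD lockout); using an illustrative ADFS threshold."
}

# Choose an ADFS threshold strictly below AD's; fall back to 15 (illustrative) if AD does not lock.
$desiredThreshold = if ($adPolicy.LockoutThreshold -gt 1) { $adPolicy.LockoutThreshold - 1 } else { 15 }

$misconfigured = (-not $adfs.ExtranetLockoutEnabled) -or
                 (($adPolicy.LockoutThreshold -gt 0) -and
                  ($adfs.ExtranetLockoutThreshold -ge $adPolicy.LockoutThreshold))

if ($misconfigured) {
    Set-AdfsProperties -EnableExtranetLockout $true `
                       -ExtranetLockoutThreshold $desiredThreshold `
                       -ExtranetObservationWindow (New-TimeSpan -Minutes 30)
    "Extranet Lockout enabled with threshold $desiredThreshold (AD threshold: $($adPolicy.LockoutThreshold))."
} else {
    "Extranet Lockout already enabled with threshold $($adfs.ExtranetLockoutThreshold), below AD's $($adPolicy.LockoutThreshold)."
}
```

Two caveats when reading the output: `Get-ADDefaultDomainPasswordPolicy` only shows the default domain policy, so if you use fine-grained password policies (PSOs) the effective lockout threshold for a given user may be different and should be checked with `Get-ADUserResultantPasswordPolicy`; and `Set-AdfsProperties` only takes effect when run against the primary server of the farm.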

Read more »

Domain Names to use with Azure Active Directory

I surfed across to the TechNet Forums again to see what they are up to these days and found the Azure AD forum. I haven’t been active in the Forums for quite some time, but finally found some time to post there again.

One of the questions caught me by surprise. I know that all sorts of organizations look into Azure Active Directory now and incorporate it into their cloud strategies. Usually, these organizations have a Windows AD backend that they use to federate with Azure AD – but apparently not all of them.

The question I found reads roughly like this: “Hi, we have created an Azure AD tenant and are actively using it. Now that we’ve purchased some servers that we want to run locally – on-premises – we need an on-premises Active Directory, too.”

Funnily enough, they are doing things the other way around from what I’d say 98% of organizations leveraging the Microsoft cloud do. Ultimately, they’re trying to achieve the same thing: manage identities and leverage on-premises infrastructure as well as cloud resources integrated into Azure AD – which likely leads to federation and directory synchronization.

Read more »

Now there is support for Windows Server 2012 and VMware vSphere 5.1

I’ll only say it was about time. It took them 12 months to file the submission to SVVP:

