One of the things that I keep discussing with customers is whether they should create their ADFS farm with a WID backend or based on SQL server. It appears that from Microsoft’s perspective, reading up on TechNet, SQL is “the proper” thing.

What you usually do is look at the requirements at hand and then see how either database backend can deliver on these requirements. Of course, you’re also looking at future growth and realistic plans of that ADFS farm for the next, say, 12-18 months, and take that into consideration for your decision. Read more »

Extranet Lockout

ADFS in Windows Server 2012 R2 (some call it “ADFS v3″) comes with a number of very cool features – one of them is “Extranet Lockout Protection”:,

The idea behind that is that, if you expose your ADFS to the internet, which makes sense in many scenarios, and you use Web Application Proxy to do so, you want to protect yourself from Denial of Service (DOS) attacks. Clever attackers could try to brute-force logon to your ADFS servers, by simply trying out and testing username and password combinations – or worse, they now how your usernames are constructed and try out a number of passwords for a given username. If you then have Windows Active Directory configured to lock a user account after too many faulty logon attempts, it can happen that the attacker locks an account in Windows AD.

Now that an undesired behavior that Extranet Lockout Protection is trying to prevent. Once enabled, you configure a threshold, much like in the Windows AD Account Lockout Policy in Windows AD, to let ADFS observe these kinds of logons and, before the accounts gets locked out, stop forwarding the logon attempts to Windows AD.

I’ve found that the process of how ADFS determines this is not very well document (yet), and I’ve found myself have a wrong understanding of how this all happens. So to shed some light into this – here’s a little write-up of information I got from the Product Group and testing with a customer of mine.

The threshold for Extranet Lockout Protection should be configured to be lower than the Lockout settings in Windows AD, so ADFS can stop trying to log on before it’s too late.

Read more »

Domain Names to use with Azure Active Directory

I surfed across to the TechNet Forums again to see what they are up to these days and found the Azure AD forum. I haven’t been active in the Forums for quite some time, but finally found some time to post there again.

One of the questions caught me by surprise. I know that all sorts of organizations look into Azure Active Directory now and incorporate it into their cloud strategies. Usually, these organizations have an Windows AD backend that they use to federate with Azure AD – but apparently not all of them.

The question that I’ve found reads similar to this: “Hi, we have created an Azure AD tenant and are actively using it. Now that we’ve purchased some servers that we want to run locally – on-premises – we need an on-premises Active Directory, too.”

Funny enough, they are doing things the other way around than I’d say 98% of organizations out there leveraging the Microsoft cloud. Ultimately, they’re trying to achieve the same thing: manage identities and leverage on-premises infrastructure as well as cloud resources integrated into Azure AD – which likely leads to federation and directory synchronization.

Read more »

Next Page »