Extranet Lockout in ADFS 2016–require PDC

You know in ADFS on Windows Server 2012 R2, when you enable the “Extranet Lockout” feature for Web Application Proxies and a user’s password is verified, the PDC emulator for the authoritative domain is contacted, to verify it?

Lu Zhao blogged about this in her blog: https://blogs.msdn.microsoft.com/luzhao1/2015/06/24/demystify-extranet-lockout-feature-in-ad-fs-3-0/

In essence, in order to determine whether to extranet-lockout a user, the badPwdCount attribute for the user is determined – by asking the PDC for the value, as the authoritative source. In case ADFS can’t connect to the PDC (firewalls, routing are in the way), ADFS fails and user authentication is not completed.

Lu promised they are looking at changing that feature, to allow for a “local DC” fallback, in case the PDC isn’t available.

It looks like Microsoft delivered on their promise – at least judging from what we can see in ADFS in Windows Server 2016 TP4. My friend Thomas (http://setspn.blogspot.de/) did some investigations – and it looks like there’s a new property that one can set in ADFS 2016:


The property determines how ADFS servers will treat authentication requests when Extranet Lockout is enabled.


  • TRUE – require the PDC, if the PDC is unavailable, fail the authentication attempt.
  • FALSE – try the PDC, if the PDC is unavailable, fall back to a local DC

The property can be set with the Set-ADFSProperties CMDlet:

Set-ADFSProperties –ExtranetLockoutRequirePDC $false

You will need a Farm Behavior Level of “Threshold” (Windows Server 2016), to enable the setting. If you try setting the property before updating the Farm Behavior Level raise, you will be presented with an error message:


It makes sense to implement the feature like this. After all, you want all ADFS servers behave identically when the property is changed.

No Comment