Extranet Lockout in ADFS 2016–require PDC

You know in ADFS on Windows Server 2012 R2, when you enable the “Extranet Lockout” feature for Web Application Proxies and a user’s password is verified, the PDC emulator for the authoritative domain is contacted, to verify it?

Lu Zhao blogged about this in her blog: https://blogs.msdn.microsoft.com/luzhao1/2015/06/24/demystify-extranet-lockout-feature-in-ad-fs-3-0/

In essence, in order to determine whether to extranet-lockout a user, the badPwdCount attribute for the user is determined – by asking the PDC for the value, as the authoritative source. In case ADFS can’t connect to the PDC (firewalls, routing are in the way), ADFS fails and user authentication is not completed.

Lu promised they are looking at changing that feature, to allow for a “local DC” fallback, in case the PDC isn’t available.

It looks like Microsoft delivered on their promise – at least judging from what we can see in ADFS in Windows Server 2016 TP4. My friend Thomas (http://setspn.blogspot.de/) did some investigations – and it looks like there’s a new property that one can set in ADFS 2016:


Read more »

Modern Access Control Policies for Office 365 Relying Party

So I have been playing with ADFS on Windows Server 2016 TP4, to discover new functionality and features. One of the things I really like is the ability to assign Access Control Policies now – and the Rule Editor behind it. These policies are found in the new “Access Control Policies” node in the AD FS management console.

The idea is that you configure Access Control Policies, that reflect your security requirements, and later assign them to applications. Depending on the security requirements, you would assign the application to one of your Access Control Policies – stricter or less strict, with MFA, without MFA.

When you need to change your security policies and need to touch the Access Control Policy, it will automatically be changed for all applications that have the policy assigned. No need to touch multiple Relying Parties or applications any more.

Microsoft delivers a number of Access Control Policies out of the box:


Read more »

Change in Supportability for WID-based ADFS farms

In case you didn’t notice, Microsoft changed the Supportability statement around ADFS farms that run on a Windows Internal Database (WID) backend.

Previously, WID-based ADFS farms were limited in support for the amount of ADFS servers you could run and the maximum number of Relying Parties you could register.

  • A maximum of 5 ADFS Servers, if you are running more than 10 Relying Parties.
  • A maxiumum of 5 Relying Parties, if you are running more than 5 ADFS servers (max 10).

pretty narrow – and limiting in the way you can build ADFS farms in WID. Microsoft were taking it on the safe side, to ensure you do the right thing and design your critical ADFS farm on SQL – which pretty much endlessly scales, should you need additional capacity.

There is also SQL Server support for additional features, that today cannot be used with WID-based farms:

  • Token Replay Detection
  • SAML Artifact resolution

Now – Microsoft reviewed their supportability statement and tested how far they could go with WID. Apparently, they found WID could be pushed a lot further than initially allowed, while keeping performance and WID replication intact. The new limits for WID-based ADFS farms are:

Read more »

« Previous PageNext Page »