Category: Active Directory


How to:

before to configure ADFS smart lockout, remove your account from GAD protected users group, else you can get access denied

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection

 

Primary Domain Controller Requirement

AD FS 2016 offers a parameter that allows fallback to another domain controller when the PDC is unavailable.

  • ExtranetLockoutRequirePDC <Boolean> When enabled, extranet lockout requires a primary domain controller (PDC). When disabled, extranet lockout will fallback to another domain controller in case the PDC is unavailable.The following example shows the cmdlet to enable lockout with the PDC requirement disabled:
    Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 8 -ExtranetObservationWindow (new-timespan -Minutes 30) -ExtranetLockoutRequirePDC $false

PS C:\WINDOWS\system32> get-adfsproperties | select *extra*

ExtranetLockoutThreshold  : 8
ExtranetLockoutMode       : ADPasswordCounter
ExtranetLockoutEnabled    : True
ExtranetObservationWindow : 00:30:00
ExtranetLockoutRequirePDC : True

PS C:\WINDOWS\system32> $cred = Get-Credential

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
PS C:\WINDOWS\system32> Update-AdfsArtifactDatabasePermission -Credential $cred
PS C:\WINDOWS\system32> Set-AdfsProperties -ExtranetLockoutMode AdfsSmartlockoutLogOnly

Confirm
This command will set the extranet lockout mode to AdfsSmartLockout.  Verify all nodes have up to date patches and appropriate database permissions have been assigned by
running Update-AdfsArtifactDatabasePermission.  See https://go.microsoft.com/fwlink/?linkid=864556 for more information.
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is “Y”): Y
WARNING: PS0038: This action requires a restart of the AD FS Windows Service. If you have deployed a federation server farm, restart the service on every server in the farm.
PS C:\WINDOWS\system32> restart-service adfssrv
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to stop…
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to stop…
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to stop…
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to stop…
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to start…
WARNING: Waiting for service ‘Active Directory Federation Services (adfssrv)’ to start…

 

Observing Audit Events

AD FS will write extranet lockout events to the security audit log:

  • When a user is locked out (reaches the lockout threshold for unsuccessful login attempts)
  • When AD FS receives a login attempt for a user who is already in lockout state

While in log only mode, you can check the security audit log for lockout events. For any events found, you can check the user state using the Get-ADFSAccountActivity cmdlet to determine if the lockout occurred from familiar or unfamiliar IP addresses, and to double check the list of familiar IP addresses for that user.

 

Enable enforce mode

Once you have been running in log only mode for sufficient time for AD FS to learn login locations and to observe any lockout activity, and once you are comfortable with the lockout threshold and observation window, smart lockout can be moved to “enforce” mode using the PSH cmdlet below:

PS C:\>Set-AdfsProperties -ExtranetLockoutMode AdfsSmartLockoutEnforce

For the new mode to take effect, restart the AD FS service on all nodes in the farm

PS C:\>Restart-service adfssrv
Advertisements

ADFS 2019

ADFS 2019 what’s new:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/whats-new-active-directory-federation-services-windows-server

ADFS 2019 on Windows server 2019 has just been release recently, but I do not recommend to put in production because you can discover some side effects with AADConnect, Office 365, MFA onprem server service running on the ADFS servers and your current federated-based applications not yet compatible (ie Cisco Webex, Cisco Jabber …)

 

https://posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d

AD – DCShadow attack

Description of the attack: https://www.dcshadow.com/

 

Detection of the attack:

PowerShell: https://github.com/AlsidOfficial/UncoverDCShadow

ATA Azure ATP detection: https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/How-Azure-Advanced-Threat-Protection-detects-the-DCShadow-attack/ba-p/265740

Other articles:

https://blog.stealthbits.com/detecting-dcshadow-with-event-logs/

 

 

 

 

ADFS – export RP and its claims

If you choose not to use the AD FS Rapid Restore Tool, then at a minimum, you should export the “Microsoft Office 365 Identity Platform” relying party trust and any associated custom claim rules you may have added. You can do this via the following PowerShell example

(Get-AdfsRelyingPartyTrust -Name “Microsoft Office 365 Identity Platform”) | Export-CliXML “C:\temp\O365-RelyingPartyTrust.xml”

Implement password hash synchronization:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization

 

Migrating from federated authentication (ADFS) to password hash synchronization:

https://github.com/Identity-Deployment-Guides/Identity-Deployment-Guides/blob/master/Authentication/Migrating%20from%20Federated%20Authentication%20to%20Password%20Hash%20Synchronization.docx

 

AAD Connect configuration documenter is a tool to generate documentation of an Azure AD Connect installation. Currently, the documentation is only limited to the Azure AD Connect sync configuration.

The current capabilities of the tool include:

  • Documentation of the complete configuration of Azure AD Connect sync.
  • Documentation of any changes in the configuration of two Azure AD Connect sync servers or changes from a given configuration baseline.
  • Generation of the PowerShell deployment script to migrate the sync rule differences or customisations from one server to another.

https://github.com/Microsoft/AADConnectConfigDocumenter

There are four main options on how you can configure SSO:

 

http://www.interlink.com/blog/entry/active-directory-federation-services-adfs-vs-password-sync

 

ProxyAddress attribute is used by different applications and it can store different type of user addresses (sip, smtp, x500).

If you sync accounts with non-verified domain to O365, those addresses can be replaced with the default onmicrosof.com domain.

Some interesting reading regarding this topic:

ADConnect not Syncing ProxyAccount for email Alias from on Premise AD to Azure AD

https://social.msdn.microsoft.com/Forums/azure/en-US/3226e41c-1db1-4299-9f24-0179e05fac09/adconnect-not-syncing-proxyaccount-for-email-alias-from-on-premise-ad-to-azure-ad-i-am-using?forum=WindowsAzureAD

List of attributes that are synced by the Azure Active Directory Sync Tool

https://social.technet.microsoft.com/wiki/contents/articles/19901.dirsync-list-of-attributes-that-are-synced-by-the-azure-active-directory-sync-tool.aspx

A mail user who has proxy addresses that use non-verified domains isn’t synced in an Exchange hybrid deployment

https://support.microsoft.com/en-us/help/3124148/a-mail-user-who-has-proxy-addresses-that-use-non-verified-domains-isn

Wrong domain address when synchronizing from on premise AD

https://social.msdn.microsoft.com/Forums/azure/en-US/7ddc1885-850d-487f-bf40-a91f1f5d15c8/wrong-domain-address-when-synchronizing-from-on-premise-ad?forum=WindowsAzureAD

Azure AD Connect sync: Attributes synchronized to Azure Active Directory

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized