ADFS Custom Primary Authenticator triggers MSIS8022 when user input invalid username

Bill Lam 0 Reputation points

We are developing a custom authenticator for ADFS 2019 and intend to make it work as primary authentication method in Paginated theme.

We found that when user input an invalid upn as username and choose our custom authenticator, an error message "Incorrect user ID or password" will be displayed. This is not desirable as it will allow adversaries to brute force our list of valid usernames.

We tried to set the RequiresIdentity property in the metadata of our authenticator to False. And the result is the same.

In addition, we found that the following error event is logged when user select our authenticator:

Exception details:

Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException: MSIS8022: Unable to find the specified user account.

at Microsoft.IdentityServer.Service.LocalAccountStores.ActiveDirectory.ActiveDirectoryCpTrustStore.GetUserClaimsIdentity(String identifier)

at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.GetUnauthenticatedSSOToken(ProtocolContext context, String username)

at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)

at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)

at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Any way to make it work like the out-of-the-box password authenticator? That is, even if user input a wrong username, allow user to continue the challenge, but let the authenticator logic to decide what to do.

Thanks very much!

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,187 questions
0 comments No comments
{count} votes