HauKitWong-1160 avatar image
0 Votes"
HauKitWong-1160 asked HauKitWong-1160 commented

Deny Administrators Login to the ADFS page

Is it possible to deny Administrators Login ADFS because I do not want anyone outside the network to guess the Administrators' password of my domain instead of Access Control Policy? (Because I found that only denies the users cannot sign on to another application instead of denying the users to login to the ADFS) Thanks for your help!

· 4
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Which "administrators" do you refer to?

Note that permissions and privileges are evaluated after a successful logon. So preventing a user from accessing the server will not prevent attackers from locking out the account (in case that is also a concern of yours).

0 Votes 0 ·

What I mean "administrators" is the administrators in local Active Directory Domain. I don't want someone to guess the passwords for those administrator accounts by attempt login to ADFS portal, thanks for your help!

0 Votes 0 ·

What version of ADFS are you using? Do you use a WAP server? There are possible tricks to prevent a user from using ADFS under special circumstances.

0 Votes 0 ·

Thanks for your reply, I am using ADFS 4.0 (Windows Server 2016) and I will deploy WAP later. Thanks!

0 Votes 0 ·

1 Answer

piaudonn avatar image
0 Votes"
piaudonn answered HauKitWong-1160 commented

Yes you can do this. It is a bit tricky. You can prevent users from even trying to authenticate but only through the WAP. Which shouldn't be am issue as you aren't supposed to expose your ADFS to the Internet without a WAP anyways.

So when you enable the Extranet Lockout Protection, whether it is the 2012 R2 way or the 2016 way, the first thing the ADFS service account will do is look up the user in AD. If that call fails, the password provided at the time is not even tried. Preventing brute-force, password sprays and other guessing attempts (well also preventing even legit attempts from this user).

So if you can add a specific ACE on the users account you want to make invisible for ADFS. Something like this:


Then ADFS will have no clue the user exist and will fail right away. You can see the following error message in the debug logs:

 ADNameTranslator.NameTranslateWithReferral: unable to resolve name v\jo , result code DS_NAME_ERROR_NOT_FOUND
 ActiveDirectoryAccountStore - Name v\jo could not be translated to DN.  Account is likley non-existent.
 MsisLocalCpUserNameSecurityTokenHandler::UpdateAuthenticationContext: Identity v\jo Failed with exception: Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException: MSIS8022: Unable to find the specified user account.

But administrative accounts are usually protected by the adminSDHolder. Any additional ACEs will be remove within the hour unless you also add this ACE in the adminSDHolder container security descriptor. So you will be impacting all protected accounts and might have some undesirable side effects if some of your regular accounts also are privileged (which should not happened anyways, but who knows). You can try to evaluate the impact of adding the deny ACE aforementioned on the adminSDHolder object by running this command:

 Get-ADUser -LDAPFilter "(&(objectClass=user)(objectCategory=person)(adminCount=1))"

This will give you the list of all currently protected user accounts in your domain.

jo.jpg (57.3 KiB)
· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thanks for giving the good solution!

0 Votes 0 ·