ADFS - Reject claim of expired user

Luís Costa 206 Reputation points
2022-05-03T15:37:08.977+00:00

Hello,

I came across a scenario where there is a 3rd party Claim Provider Trust configured in ADFS.
The issue is that ADFS is not checking if the user account is expired in AD.
Any idea on how to do this?

Thanks for the help

Active Directory Federation Services

1 answer

  1. Pierre Audonnet - MSFT 10,171 Reputation points Microsoft Employee
    2022-05-05T17:23:28.753+00:00

    You could query the accountExpires attribute in AD, but the format is NTTE (NT system time, in (10^-7)s intervals from 0h 1-Jan 1601) and can't be parsed easily without using a custom attribute store. There's no easy way to do that, because quite frankly the authentication should have failed.

    Which brings me to the following question: if the user exists in AD, why not use AD as a claim provider and grab additional info after auth from where you currently auth the user?
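The accountExpires format described in the answer, as an added example that is not part of the original thread: the value is a count of 100-nanosecond ticks since 1601-01-01 UTC, so an expiry check has to convert it and also recognise the two sentinel values (0 and the largest signed 64-bit value) that mean "never expires". The user names and attribute values below are constructed, not read from a directory; an ADFS custom attribute store written in C# would do the same arithmetic.

```python
from datetime import datetime, timedelta, timezone

# accountExpires is a 64-bit FILETIME-style integer: 100-nanosecond ticks
# since 1601-01-01 00:00:00 UTC. Two sentinel values mean "never expires":
# 0 (attribute never set) and 0x7FFFFFFFFFFFFFFF (cleared via the GUI).
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def account_expires_to_datetime(value):
    """Convert an accountExpires value (int or the string LDAP returns)
    to an aware UTC datetime; None for the 'never expires' sentinels."""
    ticks = int(value)
    if ticks in NEVER_EXPIRES:
        return None
    # 10 ticks = 1 microsecond; integer division keeps large values exact.
    return NT_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_account_expires(dt):
    """Inverse conversion; used here only to build constructed sample values."""
    delta = dt.astimezone(timezone.utc) - NT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def is_account_expired(value, now=None):
    """True when accountExpires is set and is at or before 'now' (UTC).
    Assumption: AD treats the account as expired from that instant on."""
    expires = account_expires_to_datetime(value)
    if expires is None:
        return False
    if now is None:
        now = datetime.now(timezone.utc)
    return expires <= now


# Constructed sample data in the string form an LDAP query returns.
SAMPLE_USERS = {
    "alice": "0",                   # attribute never set
    "bob": "9223372036854775807",   # "never" as set by the GUI
    "carol": str(datetime_to_account_expires(datetime(2021, 12, 31, tzinfo=timezone.utc))),
    "dave": str(datetime_to_account_expires(datetime(2030, 1, 1, tzinfo=timezone.utc))),
}


def expired_users(users, now):
    """Names of users whose accountExpires lies at or before 'now'."""
    return sorted(name for name, value in users.items() if is_account_expired(value, now))


if __name__ == "__main__":
    check_time = datetime(2022, 5, 3, 15, 37, tzinfo=timezone.utc)
    print(expired_users(SAMPLE_USERS, check_time))  # ['carol']
```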