You invested in Office 365 for you users, but you don’t want to annoy them with prompts where they have to put their usernames and passwords in, certainly as you have domain joined devices. For Office 365 ProPlus License Activation utilizing the SSO capabilities, you either had to put in an ADFS infrastructure or.. available […]
Month: July 2017
Sometimes I get the question; what do you work with.? as in .. which computers.. and to provide an answer: This “oh look at my hardware” post.. or more like “the hardware pissing contest equivalent” on many of the blogs.. In short, I don’t like to buy brand new stuff.. its expensive, it looses value like […]
So, I got a question the other day on using ADFS in combination with some 3rd party applications in a very large AD environment. Basically the problem statement was: “ we don’t want to use UPN and we don’t want to use domain\username. Users should be able to login using either (only) their employeeID or […]
On Monday morning, the office opened, and everyone tried to login to their computers, however no-one seemed to be able to login. The helpdesk was quickly flooded with calls and it seems everyone’s account was locked-out.
It could happen to almost every company that does not have a good policy on lockouts. Hackers try as many usernames and passwords as possible to get in or to deliberately lock everyone out. A Denial of Service attack in a different form.
When you are using Azure Active Directory with a password on-premises, this might become a reality. As many attempts are made on the ADFS server in a Federated architecture, the account in AD itself gets locked out.
But there is a way to avoid that. It is possible to have a pre-emptive lockout on ADFS while the internal AD account is still usable. This means users will not be able to login remotely to ADFS anymore for a period, but they will still be able to logon to their domain joined machines. When configuring this, make sure that the lockout is set to a lower standard than your internal AD policies. For example, if your AD policy states 5 attempts, 10 minute lockout, ensure that the ADFS policy is set to a maximum of 4 attempts.