Channel: Active Directory – Jacques Dalbera's IT world

Authentication failures with Office 365 / ADFS account lockouts and Extranet Lockout protection


Possible causes of O365 authentication failures:

https://blogs.technet.microsoft.com/abizerh/2015/06/01/possible-causes-of-authentications-failures-for-federated-users-in-office-365/

ADFS account lockouts:

https://community.spiceworks.com/topic/673038-continuous-account-lockouts-from-adfs

https://blogs.technet.microsoft.com/pie/2016/02/02/ad-fun-services-track-down-the-source-of-adfs-lockouts/

https://blogs.msdn.microsoft.com/luzhao1/2015/06/24/demystify-extranet-lockout-feature-in-ad-fs-3-0/

AD versus ADFS account lockouts:

The ADFS extranet lockout feature works independently from the AD account lockout policy, but the two interact: you need to consider a few things when configuring the extranet lockout settings to make sure the feature works as intended.

There are three settings regarding lockout policy in AD:

  • Account Lockout Threshold: this setting is similar to the ExtranetLockoutThreshold setting in AD FS. It determines the number of failed logon attempts that will cause a user account to be locked out. To protect your user accounts from a malicious account lockout attack, set the ExtranetLockoutThreshold value in AD FS lower than (<) the Account Lockout Threshold value in AD.
  • Account Lockout Duration: this setting determines for how long a user account stays locked out. It does not matter much in this conversation, because Extranet Lockout should always trigger before AD lockout when both are configured properly.
  • Reset Account Lockout Counter After: this setting determines how much time must elapse from the user’s last logon failure before badPwdCount is reset to 0. For the Extranet Lockout feature in AD FS to work well with the AD lockout policy, make sure the ExtranetObservationWindow value in AD FS is greater than (>) the Reset Account Lockout Counter After value in AD (the linked article walks through examples of why).

To change the settings:

Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 5 -ExtranetObservationWindow (New-TimeSpan -Minutes 40) -ExtranetLockoutRequirePDC $false

Align this threshold value with:

Azure AD Password Protection tenant settings (lockout threshold) => 5

On-prem Default Domain Policy GPO => Account lockout threshold must be 8 (so that the AD FS threshold of 5 stays below the AD threshold)

To check the values:

Get-AdfsProperties | Select-Object *Extranet*

To enforce Extranet Smart Lockout (rather than log-only mode):

Set-AdfsProperties -ExtranetLockoutMode AdfsSmartlockoutEnforce
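The two alignment rules above (AD FS threshold below the AD threshold, AD FS observation window longer than the AD reset window) are easy to get wrong when the GPO and the AD FS farm are managed by different teams. The script below is an added example, not code from the original post or from Microsoft: it assumes the ADFS and ActiveDirectory PowerShell modules are installed and that it runs as an administrator on the primary AD FS server, it reads only the Get-AdfsProperties and Get-ADDefaultDomainPasswordPolicy fields named in this post, and Test-ExtranetLockoutAlignment is a hypothetical helper name. The sample objects are constructed to match the values in the post (5 / 40 minutes against an AD policy of 8 / 30 minutes) plus one deliberately misaligned set.

```powershell
# Added example (not from the original post): check that the AD FS extranet lockout
# settings are aligned with the on-prem AD account lockout policy.
#   Rule 1: ExtranetLockoutThreshold (AD FS)  <  Account Lockout Threshold (AD)
#   Rule 2: ExtranetObservationWindow (AD FS) >  Reset Account Lockout Counter After (AD)
# Assumption: ADFS and ActiveDirectory modules are present and the script runs elevated
# on the primary AD FS server. Test-ExtranetLockoutAlignment is a hypothetical helper name.

function Test-ExtranetLockoutAlignment {
    [CmdletBinding()]
    param(
        # Object exposing the Get-AdfsProperties fields used below
        [Parameter(Mandatory)] $Adfs,
        # Object exposing the Get-ADDefaultDomainPasswordPolicy fields used below
        [Parameter(Mandatory)] $AdPolicy
    )

    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $Adfs.EnableExtranetLockout) {
        $findings.Add('Extranet lockout is disabled: bad passwords from the WAP proxy go straight to AD.')
    }

    if ($AdPolicy.LockoutThreshold -eq 0) {
        # 0 means AD never locks accounts, so rule 1 cannot be violated (informational only)
        Write-Verbose 'AD lockout threshold is 0 (AD never locks out); rule 1 does not apply.'
    }
    elseif ($Adfs.ExtranetLockoutThreshold -ge $AdPolicy.LockoutThreshold) {
        $findings.Add(('ExtranetLockoutThreshold {0} is not lower than the AD lockout threshold {1}: ' +
                       'AD will lock the account before AD FS stops forwarding attempts.') -f
                       $Adfs.ExtranetLockoutThreshold, $AdPolicy.LockoutThreshold)
    }

    if ($Adfs.ExtranetObservationWindow -le $AdPolicy.LockoutObservationWindow) {
        $findings.Add(('ExtranetObservationWindow {0} is not longer than the AD reset window {1}: ' +
                       'AD FS may resume forwarding attempts while badPwdCount in AD is still counting.') -f
                       $Adfs.ExtranetObservationWindow, $AdPolicy.LockoutObservationWindow)
    }

    [pscustomobject]@{
        Aligned  = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# --- Constructed samples (not live data) ---
# Values from the post: AD FS 5 attempts / 40 min, AD GPO 8 attempts / 30 min reset window
$sampleAdfs = [pscustomobject]@{
    EnableExtranetLockout     = $true
    ExtranetLockoutThreshold  = 5
    ExtranetObservationWindow = New-TimeSpan -Minutes 40
}
$sampleAd = [pscustomobject]@{
    LockoutThreshold         = 8
    LockoutObservationWindow = New-TimeSpan -Minutes 30
}
Test-ExtranetLockoutAlignment -Adfs $sampleAdfs -AdPolicy $sampleAd   # Aligned = True

# Misaligned sample: threshold too high and observation window shorter than the AD reset window
$badAdfs = [pscustomobject]@{
    EnableExtranetLockout     = $true
    ExtranetLockoutThreshold  = 10
    ExtranetObservationWindow = New-TimeSpan -Minutes 10
}
Test-ExtranetLockoutAlignment -Adfs $badAdfs -AdPolicy $sampleAd      # Aligned = False, two findings

# --- Live check against the real farm and domain (assumes both modules are available) ---
Import-Module ADFS
Import-Module ActiveDirectory
$live = Test-ExtranetLockoutAlignment -Adfs (Get-AdfsProperties) -AdPolicy (Get-ADDefaultDomainPasswordPolicy)
$live.Findings | ForEach-Object { Write-Warning $_ }
```

The function takes the two policy objects as parameters rather than calling the cmdlets itself, so the same check can be run against the constructed samples on a workstation without the modules, and then against the live farm from the primary AD FS server. Get-ADDefaultDomainPasswordPolicy reflects the effective domain policy, which is what badPwdCount follows; if a fine-grained password policy applies to the affected users, compare against that policy's values instead.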

Protecting against DDoS and account lockouts:

https://blogs.technet.microsoft.com/rmilne/2014/05/05/enabling-adfs-2012-r2-extranet-lockout-protection/

https://blogs.msdn.microsoft.com/luzhao1/2015/06/24/demystify-extranet-lockout-feature-in-ad-fs-3-0/

http://www.frickelsoft.net/blog/?p=322

AD FS Extranet Lockout: a case of the unintended pun

The threshold for Extranet Lockout Protection should be configured lower than the lockout threshold in Windows AD, so that AD FS stops forwarding logon attempts to AD before the AD lockout is triggered.

Warning: the availability of the PDC is mandatory for WAP (proxy)-based authentications, because AD FS reads badPwdCount from the PDC emulator; the -ExtranetLockoutRequirePDC $false switch shown above lets AD FS fall back to another DC when the PDC is unreachable. See this article for more details: https://websetnet.com/fr/adfs-extranet-lockout-pdc-requirement/

ADFS attacks (video): https://www.youtube.com/watch?v=oTyLdAUjw30
