{"id":818,"date":"2023-08-04T15:30:55","date_gmt":"2023-08-04T07:30:55","guid":{"rendered":"https:\/\/www.ruianding.com\/blog\/?p=818"},"modified":"2023-08-31T01:49:05","modified_gmt":"2023-08-30T17:49:05","slug":"adfs-external-smart-lockout-terminology","status":"publish","type":"post","link":"https:\/\/www.ruianding.com\/blog\/adfs-external-smart-lockout-terminology\/","title":{"rendered":"ADFS External Smart Lockout Terminology"},"content":{"rendered":"\n

FamiliarLocation:<\/strong> During an authentication request, ESL checks all presented IPs.<\/strong> These IPs will be a combination of network IP, forwarded IP, etc.<\/strong> If the request is successful, all of the IPs are added to the Account Activity table as \u201cfamiliar IPs\u201d. If the request has all the IPs present in the \u201cfamiliar IPs\u201d, the request will be treated as a \u201cFamiliar\u201d location — (20 records, FIFO)<\/p>\n\n\n\n

UnknownLocation:<\/strong> If a request that comes in has at least one IP not present in the existing \u201cFamiliarLocation\u201d list,<\/strong> then the request will be treated as an \u201cUnknown\u201d location. This is to handle proxying scenarios such as Exchange Online legacy authentication where Exchange Online addresses handle both successful and failed requests.<\/p>\n\n\n\n

badPwdCount:<\/strong> A value representing the number of times an incorrect password was submitted and the authentication was unsuccessful. For each user, separate counters are kept for Familiar Locations and Unknown Locations.<\/strong><\/p>\n\n\n\n

UnknownLockout\/FamiliarLockout:<\/strong> A Boolean value per user if the user is locked out from accessing from unknown\/familar locations. This value is calculated based on the badPwdCount and ExtranetLockoutThreshold.<\/p>\n\n\n\n

ExtranetLockoutThreshold:<\/strong> This value determines the maximum number of bad password attempts. When the threshold is reached, ADFS will reject requests from the extranet until the observation window has passed.<\/p>\n\n\n\n

ExtranetObservationWindow:<\/strong> This value determines the duration that username and password requests are locked out. When the window has passed, ADFS will start to perform username and password authentication again.<\/p>\n\n\n\n

ExtranetLockoutRequirePDC:<\/strong> When enabled, extranet lockout requires a primary domain controller (PDC). When disabled, extranet lockout will fall back to another domain controller in case the PDC is unavailable.<\/p>\n\n\n\n

ExtranetLockoutMode<\/strong>: Controls log only vs enforced mode of Extranet Smart Lockout<\/p>\n\n\n\n