This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 49%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EET%3C/text%3E%3C/svg%3E)
We are using ADFS on Windows Server 2019. External login to O365 will authenticate via this ADFS server instead of Azure AD.
Recently we have been trying on the Extranet Smart Lockout feature.
In order to see how it would work, we have set the lockout mode to enforce.
set the ExtranetLockoutMode to <ADFSSmartLockoutEnforce>
Things seems to work as expected, except for one issue - when a user got locked, we cannot unlock the account via powershell.
Here's the scenario.
PS C:\Users\administrator.contoso> Get-AdfsAccountActivity -Identity ******@contoso.com
Identifier : contoso\Extest01
BadPwdCountFamiliar : 6
BadPwdCountUnknown : 0
LastFailedAuthFamiliar : 12/5/2020 5:18:11 PM
LastFailedAuthUnknown : 12/5/2020 4:51:56 PM
FamiliarLockout : True
UnknownLockout : False
FamiliarIps : {202.xxx.xxx.109}
PS C:\Users\administrator.contoso> Reset-AdfsAccountLockout ******@contoso.com -Location Familiar
PS C:\Users\administrator.contoso> Get-AdfsAccountActivity -Identity ******@contoso.com
Identifier : contoso\Extest01
BadPwdCountFamiliar : 0
BadPwdCountUnknown : 0
LastFailedAuthFamiliar : 12/5/2020 5:18:11 PM
LastFailedAuthUnknown : 12/5/2020 4:51:56 PM
FamiliarLockout : False
UnknownLockout : False
FamiliarIps : {202.xxx.xxx.109}
Please help to see if there is anything missing here. Thanks in advanced.
Additional information.
We have set the ESL via the following powershell:
Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 3 -ExtranetObservationWindow (new-timespan -Minutes 10) -ExtranetLockoutRequirePDC $false
Anyone has an idea?
I do not repro your scenario :(
I set up the same config.
I locked an account which previously succesfully logged in in the past (hence I have a familiar IP):
I confirm I can't log in anymore.
I reset the count:
I can login right away.
Maybe you can enable the debug trace:
And see if that complains about something when you try to log in again.
Thanks for your reply.
I found that recently that in the initial setup, we have skipped this the following step .
Grant read/write permissions to our Administrator over the ADFS artifact database by executing:
Update-AdfsArtifactDatabasePermission
But now that i want to run the cmdlet, it said that it could recognize this cmdlet. Any idea?
No need to go to the community support to find that step :) It is listed in the documentation too: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection#extranet-smart-lockout-configuration
The cmdLet should exist though. Are you sure you are trying it on the right server? Can you do a show-command and see what's in the ADFS module?
I confirmed that the server is one of our ADFS server (we got 2 ADFS server).
Here are the cmdlets available. We are using Windows Server 2019 (Version 1809, Build 17763.1637).
Hi, did anyone got any idea? Thanks!
Hello, I'm reaching within the product team and will come back to you.