Bewerken

Delen via


AD FS and banned IP addresses

AD FS on Windows Server 2016 introduced Banned IPs as part of the AD FS June 2018 update. This update enables you to configure a set of IP addresses globally in AD FS so that requests coming from those IP addresses are blocked. Requests that have IP addresses in the x-forwarded-for or x-ms-forwarded-client-ip headers are also blocked by AD FS.

Adding banned IPs

To add banned IPs to the global list, use the below PowerShell cmdlet:

PS C:\ >Set-AdfsProperties -AddBannedIps "1.2.3.4", "::3", "1.2.3.4/16"

Allowed formats are as follows:

  • IPv4
  • IPv6
  • CIDR format with IPv4 or v6

There's a limit of 300 entries for banned IP addresses. You can use CIDR or range format to deny a large block of entries with a single entry.

Removing banned IPs

To remove banned IPs from the global list, use the following PowerShell cmdlet:

PS C:\ >Set-AdfsProperties -RemoveBannedIps "1.2.3.4"

Reading banned IPs

To read the current set of banned IP addresses, use the following PowerShell cmdlet:

PS C:\ >Get-AdfsProperties

Example output:

BannedIpList                   : {1.2.3.4, ::3,1.2.3.4/16}

Best practices for securing Active Directory Federation Services

Set-AdfsProperties

AD FS Operations