eG Monitoring
 

Measures reported by ADFSTest

Active Directory Federation Services (AD FS) runs on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access-control authorization model to maintain application security and to implement federated identity. Claims-based authentication involves authenticating a user based on a set of claims about that user's identity contained in a trusted token. Such a token is often issued and signed by an entity that is able to authenticate the user by other means, and that is trusted by the entity doing the claims-based authentication.

Where AD FS is used, administrators need to detect authentication failures promptly and troubleshoot them quickly, so that users are not denied access to critical systems/applications for long. At the same time, administrators should also pay attention to the type of authentication requests that AD FS processes, regardless of whether those requests succeed or fail. For instance, a sudden and significant spike in password change requests or U/P (username/password) authentication requests should be viewed with suspicion whatever the outcome of the requests, because malware and hacking attempts are often disguised as such requests.

To promptly notify administrators of failed/suspect authentication attempts, eG Enterprise offers the ADFSTest. This test monitors the authentication requests serviced by AD FS and alerts administrators to authentication failures as and when they occur. In the process, the test sheds light on the type of authentication requests that fail most often: device authentication requests, extranet U/P requests, U/P requests, federated authentication requests, OAuth requests or SSO authentication requests. The test also draws administrator attention to suspicious activity such as sudden spikes in password change requests or U/P authentication requests, giving administrators enough time to dig deeper and figure out whether such requests are genuine or not.

Outputs of the test: One set of results for the AD FS server being monitored

The measures made by this test are as follows:

Additional_Auth
  Description: Indicates the number of times additional authentications are triggered.
  Unit: Number
  Interpretation: Microsoft and third-party authentication methods can also be configured and enabled in AD FS in Windows Server 2012 R2. Once installed and registered with AD FS, MFA can be enforced as part of the global or per-relying-party authentication policy.

Artifact_Req
  Description: Indicates the number of successful RP tokens issued over SAML artifact resolution.
  Unit: Reads/Sec
  Interpretation: SAML artifact resolution is where the relying party (i.e. the AD FS presenting the shared application) retrieves a token from a claims provider (i.e. another company's AD FS) on behalf of the client (i.e. the other company's user). A SAML message is transmitted from one entity to another either by value or by reference. A reference to a SAML message is called an artifact. The receiver of an artifact resolves the reference by sending a request directly to the issuer of the artifact, who then responds with the actual message referenced by the artifact.

Certificate_Auth
  Description: Indicates the number of successful AD Certificate authentications.
  Unit: Number

Device_Auth_Fail
  Description: Indicates the number of failed device authentications.
  Unit: Number
  Interpretation: Ideally, the value of this measure should be 0 or very low.

Device_Auth
  Description: Indicates the number of successful device authentications.
  Unit: Number

Ext_Auth_Fail
  Description: Indicates the number of failed authentications from external MFA providers.
  Unit: Number
  Interpretation: Ideally, the value of this measure should be 0 or very low.

Ext_Auth
  Description: Indicates the number of successful authentications from external MFA providers.
  Unit: Number

Ext_Acc_Lock
  Description: Indicates the number of extranet U/P requests rejected due to account lockout.
  Unit: Number
  Interpretation: AD FS on Windows Server 2012 R2 introduced a security feature called Extranet Lockout. With this feature, AD FS will "stop" authenticating the "malicious" user account from outside for a period of time.

  Extranet lockout provides the following key advantages:

    • It protects your user accounts from brute force attacks where an attacker tries to guess a user's password by continuously sending authentication requests. In this case, AD FS will lock out the malicious user account for extranet access.

    • It protects your user accounts from malicious account lockout where an attacker wants to lock out a user account by sending authentication requests with wrong passwords. In this case, although the user account will be locked out by AD FS for extranet access, the actual user account in AD is not locked out and the user can still access corporate resources within the organization. This is known as a soft lockout.

    • If this measure reports a non-zero value, it could be an early indicator of suspicious login attempts.

Fed_Auth_Fail
  Description: Indicates the number of failed federated authentications from partner providers.
  Unit: Number
  Interpretation: Ideally, the value of this measure should be 0 or very low.

Fed_Auth
  Description: Indicates the number of successful federated authentications from partner providers.
  Unit: Number

Fed_Meta_Req
  Description: Indicates the number of Federation Metadata requests.
  Unit: Number
  Interpretation: Federation Metadata contains information about your federation service that is used to create trusts, identify token-signing certificates, and many other things.

OAuth_Authz_Req
  Description: Indicates the number of incoming requests to the OAuth Authorization endpoint.
  Unit: Number
  Interpretation: This is a good indicator of the OAuth request load on the AD FS server.

OAuth_Token_Req
  Description: Indicates the number of successful RP tokens issued over the OAuth protocol.
  Unit: Number

Passive_Req
  Description: Indicates the number of incoming web requests for all passive protocols and web functionality.
  Unit: Number

Pwd_Fail_Reqs
  Description: Indicates the number of failed password change requests from the intranet.
  Unit: Number
  Interpretation: An abnormally high value for this measure may require investigation, as it could indicate many unsuccessful attempts at hacking a system/application.

Pwd_Success_Req
  Description: Indicates the number of successful password change requests from the intranet.
  Unit: Number
  Interpretation: If this measure reports an abnormally high value, you may want to scrutinize the requests to figure out whether they were authentic or made with malicious intent.

SAMLP_Token_Reqs
  Description: Indicates the number of successful RP tokens issued over the SAML-P protocol.
  Unit: Number

SSO_Auth_Fail
  Description: Indicates the number of failed SSO authentications.
  Unit: Number
  Interpretation: Ideally, the value of this measure should be 0 or very low.

SSO_Auth
  Description: Indicates the number of successful SSO authentications.
  Unit: Number

Token_Req
  Description: Indicates the number of successful RP tokens issued across all protocols.
  Unit: Number

UP_Auth_Fail
  Description: Indicates the number of failed AD U/P authentications.
  Unit: Number
  Interpretation: U/P stands for username/password. By closely monitoring variations in the value of this measure over time, you can detect password discovery attacks early.

UP_Auth
  Description: Indicates the number of successful AD U/P authentications.
  Unit: Number
  Interpretation: If this measure reports an abnormally high value, you may want to scrutinize the requests to figure out whether they were authentic or made with malicious intent.

Wind_Intg_Auth
  Description: Indicates the number of successful AD Windows Integrated authentications.
  Unit: Number
  Interpretation: Windows Integrated Authentication (WIA) is used for authentication requests that occur within the organization's internal network (intranet) for any application that uses a browser for its authentication.

WSFED_Token_Reqs
  Description: Indicates the number of successful RP tokens issued over the WS-Fed protocol.
  Unit: Number
  Interpretation: WS-Fed is a sign-in protocol, which in plain English means that when the application you are trying to access redirects you to the AD FS server, the redirect has to be done in a specific way (as defined by WS-Federation) for the process to continue.

  Web Services Federation (WS-Federation or WS-Fed) is part of the larger WS-Security framework and an extension to the functionality of WS-Trust. The features of WS-Federation can be used directly by SOAP applications and web services. WS-Fed is a protocol that can be used to negotiate the issuance of a token. You can use this protocol for your applications (such as a Windows Identity Foundation-based app) and for identity providers (such as Active Directory Federation Services or Azure AppFabric Access Control Service).

WSTrust_Token_Req
  Description: Indicates the number of successful RP tokens issued over the WS-Trust protocol.
  Unit: Number
  Interpretation: The Web Services Trust Language (WS-Trust) is available in AD FS to accommodate SOAP-based applications. WS-Trust is a WS-* specification and OASIS standard that provides extensions to WS-Security, specifically dealing with the issuing, renewing, and validating of security tokens, as well as with ways to establish, assess the presence of, and broker trust relationships between participants in a secure message exchange.
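The interpretations above describe two kinds of checks: measures that should ideally stay at 0 or very low (Ext_Acc_Lock and the *_Auth_Fail measures), and measures where a sudden, significant spike relative to normal activity is the warning sign (password change requests and U/P authentications). The following added example, which is not part of the eG Enterprise product or its documentation, shows how such alert logic can be expressed over per-interval samples of these measures. The thresholds, the baseline window length, the baseline floor and the sample series are all assumptions constructed for illustration; they are not eG Enterprise defaults.

```python
"""
Added example (not eG Enterprise code): alert rules over ADFSTest-style
measures sampled once per measurement interval.

Two rule types, following the measure interpretations on this page:
  * absolute rules for "ideally 0 or very low" measures: flag any value above
    a small tolerance (Ext_Acc_Lock tolerates nothing, since any extranet
    lockout is an early indicator of suspicious login attempts);
  * spike rules for "abnormally high / sudden spike" measures: compare the
    latest sample with the median of the preceding baseline window.
All thresholds and sample data below are constructed for the example.
"""
from statistics import median
from typing import Dict, List, Optional

# Absolute tolerances (assumed values, not eG defaults).
ABSOLUTE_RULES: Dict[str, int] = {
    "Ext_Acc_Lock": 0,
    "Device_Auth_Fail": 5,
    "Ext_Auth_Fail": 5,
    "Fed_Auth_Fail": 5,
    "SSO_Auth_Fail": 5,
}

# Spike ratios: alert when latest > ratio * max(baseline median, MIN_BASELINE).
SPIKE_RULES: Dict[str, float] = {
    "UP_Auth": 3.0,
    "UP_Auth_Fail": 3.0,
    "Pwd_Success_Req": 3.0,
    "Pwd_Fail_Reqs": 3.0,
}
BASELINE_WINDOW = 6   # number of earlier samples that form the baseline
MIN_BASELINE = 10     # floor so that a near-zero baseline does not alert on noise


def check_absolute(measure: str, value: int) -> Optional[str]:
    """Return an alert string if the measure has an absolute rule and exceeds it."""
    tolerance = ABSOLUTE_RULES.get(measure)
    if tolerance is None or value <= tolerance:
        return None
    return f"{measure}={value} exceeds tolerance {tolerance}"


def check_spike(measure: str, series: List[int]) -> Optional[str]:
    """Return an alert string if the latest sample spikes above the baseline."""
    ratio = SPIKE_RULES.get(measure)
    if ratio is None or len(series) < BASELINE_WINDOW + 1:
        return None  # no rule, or not enough history to judge a spike
    baseline = series[-BASELINE_WINDOW - 1:-1]
    latest = series[-1]
    base_median = median(baseline)
    if latest > ratio * max(base_median, MIN_BASELINE):
        return f"{measure}={latest} is >{ratio:g}x the baseline median {base_median:g}"
    return None


def evaluate(samples: Dict[str, List[int]]) -> List[str]:
    """Run both rule types over every measure and collect the alerts."""
    alerts: List[str] = []
    for measure, series in samples.items():
        for result in (check_absolute(measure, series[-1]),
                       check_spike(measure, series)):
            if result is not None:
                alerts.append(result)
    return alerts


# Constructed sample series (oldest first, one value per interval).
SAMPLES: Dict[str, List[int]] = {
    "Ext_Acc_Lock":    [0, 0, 0, 0, 0, 0, 3],          # lockouts appeared
    "UP_Auth":         [120, 115, 130, 125, 118, 122, 127],
    "UP_Auth_Fail":    [4, 6, 5, 7, 5, 6, 40],         # failures jumped ~8x
    "Pwd_Success_Req": [2, 1, 3, 2, 2, 1, 9],          # small absolute rise
    "SSO_Auth_Fail":   [0, 1, 0, 0, 2, 0, 1],
}

if __name__ == "__main__":
    for line in evaluate(SAMPLES):
        print("ALERT:", line)
```

Running the block reports two alerts: the non-zero Ext_Acc_Lock value and the jump in UP_Auth_Fail. The Pwd_Success_Req series rises from 1 to 9 but stays quiet because the baseline floor keeps a handful of extra requests from tripping the ratio; in a real deployment that floor should be tuned to the site's normal request volume.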