Solved

ADFS 3.0 and CAPTHA

Posted on 2015-02-03
10
479 Views
Last Modified: 2015-03-02
Hello,
Has anyone implemented ADFS with CAPTCHA to
I am looking at http://www.manageengine.com/products/self-service-password/
Thanks for any advice/experience/information.
0
Comment
Question by:IT-NYC
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +1
10 Comments
 
LVL 40

Assisted Solution

by:footech
footech earned 100 total points
ID: 40587245
How does ADFS with CAPTCHA relate to ManageEngine SelfService Plus?
I'm afraid I can't even tell what you're asking.

SelfService Plus runs on a Tomcat server that is included in the product, not IIS.  The CAPTCHA option is just a check box in the settings.
0
 

Author Comment

by:IT-NYC
ID: 40588911
I am looking to implement CAPTCHA as an additional layer of protection for ADFS 3.0. If it is possible to use it within ADFS, third-party tool is preferred, great. I mentioned this particular program because it is AD-aware, so my understanding that it will work well with ADFS, even if it is not designed specifically for ADFS.
0
 
LVL 40

Assisted Solution

by:footech
footech earned 100 total points
ID: 40589454
Maybe you want to add a CAPTCHA to the forms-based login page of ADFS?

Can't advise you on that, but it'd probably be a better question for the IIS topic area, or ASP.

Good luck.
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 

Author Comment

by:IT-NYC
ID: 40589506
Thanks!
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 50 total points
ID: 40622913
I have worked with ADFS 2.0 \ 3.0, however never integrated any products to add CAPTCHA in ADFS form based logins

If 3rd party product can be integrated, probably they can provide you the procedure \ code to modify ADFS implementation

Note that ADFS 3.0 do not contains IIS, its removed from ADFS 3.0
0
 
LVL 64

Expert Comment

by:btan
ID: 40623020
there is an example to add the ReCaptcha plugin into the AD FS Proxy Web Authentication Form, though it is not a specific to manageengine services http://myitforum.com/cs2/blogs/forefrontsecurity/archive/2012/02/06/two-factor-authentication-with-adfs-the-recaptcha-customization.aspx
0
 

Author Comment

by:IT-NYC
ID: 40629048
The goal is to make ADFS more secure. For that reason, we are looking at ManageEngine (and a few other options), even though they are not integrated with ADFS, per say, but have a very decent set of security features.
With removal of IIS in ADFS 3.0, how does one go about reporting of, let's say, failed attempts, locked accounts?
Any advice on securing ADFS is appreciated.
Thanks!
0
 
LVL 64

Accepted Solution

by:
btan earned 350 total points
ID: 40629698
Multi-factor Authentication (supported by AD FS) is worth considering as in all attack (besides s/w vulnerability), identity theft is common and single factor stand far too weak to deter determined attack to get into the key asset such as AD FS. Web proxy (with Web app Firewall capable) fronting the AD FS is anothe strategy to prevent direct public facing internet accessible entry. Block web attacks and attempts to tunnel in thru those potential vulnerability due to misconfiguration.

You probably also have used Security Configuration Wizard (SCW) to reduce the attack surface for a server, based on the server roles required only. Token is a key entity to be secure so ensure token replay detection is enabled (by default it is) and also enforce token encryption with use of certificate for your relying parties trust (though it will then call for some PKI implementation), this is to mitigate and prevent against potential man-in-the-middle (MITM) attacks. Consider event logging and trace logging and have them protected by access control lists (ACL) so as to limit access to only those trusted administrators.

another form of auth - https://www.duosecurity.com/docs/adfs-30
More info - https://technet.microsoft.com/en-us/library/ff630160.aspx
0
 

Author Comment

by:IT-NYC
ID: 40631728
Thanks, I will review and get back to you.
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question