Question

Prevent some WebSTS sites from authenticating Windows accounts

asked on February 27, 2020

I have a customer that needs to force MFA for logins coming from outside the network, but they do not want to use MFA inside their network.  Their outside users will log in with LFDS accounts and can be set to always use MFA because they will not be on the internal network anyway.

When the user goes to the public facing site, they do not have the Windows Authentication button, but they can still manually enter their domain credentials and log in without MFA.  We need a way to force MFA for all logins from certain WebSTS sites or prevent AD users from logging in through certain WebSTS sites.


Answer

SELECTED ANSWER
replied on March 2, 2020

Hi Bert,

While there is unfortunately no out-of-the-box way to accomplish this at the moment, it's a valid request and the LFDS team has taken note.

For the moment, you could try using JavaScript to enforce validation on the WebSTS login form's username field such that it blocks any input in the form of "domain\username" or "username@domain.com". Have it throw a "The external portal does not support AD logins" message. While that would not stop a determined attacker, it would block internal AD end users from inadvertently logging into the external WebSTS.

replied on March 4, 2020

Thanks for the workaround suggestion.  We have presented it to the customer and they are considering it.


Replies

replied on February 27, 2020

Along with this, the customer would also like to be able to force MFA on any login (SAML, LFDS, AD) through certain WebSTS (public facing) sites.

replied on March 5, 2020

A note here for your and your customer's knowledge:
It is not technically possible to have LFDS/STS force MFA on any login type other than LFDS.

With federated authentication (AD, AD FS, SAML), LFDS/STS simply pass you to the federated auth provider. You have to handle any MFA policies through the federated auth providers themselves. For example, Azure AD and AD FS have Conditional Access policies where you can require MFA for login attempts originating outside the organization's network.

replied on May 15, 2024

This code should work placed at the beginning of the login function in the HTML file for STS:

```javascript
// Goes at the start of the STS login function; at this point 'username'
// must already hold the value of the login form's username field.
if (document.getElementById('mfaCheckBox').checked === false) {
    alert("Please Check the checkbox 'I have MFA code' and try again.");
    return;
}
// Reject Active Directory-style credentials:
// '@' catches user@domain, '\\' catches DOMAIN\user.
if (username.includes('@') || username.includes('\\')) {
    alert("Active Directory Credentials are not valid credentials. Please try again.");
    return;
}
```

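Putting the selected answer's suggestion and the snippet above together, here is an added example (not code from the thread or from Laserfiche) that separates the username check from the form wiring so it can be tested on its own. It assumes the login form and its fields have the ids 'loginForm', 'username' and 'mfaCheckBox'; adjust them to match the WebSTS page.

```javascript
// Classify a username the way the thread's workaround does:
// "DOMAIN\user" or "user@domain.tld" are treated as Active Directory logins,
// anything else as an LFDS account. If LFDS usernames are e-mail addresses,
// tighten the UPN rule to the AD domain suffix instead of any "@".
function classifyUsername(username) {
  const u = String(username || '').trim();
  if (u === '') return 'empty';
  if (/^[^\\\/@]+\\[^\\\/@]+$/.test(u)) return 'ad-domain';   // NetBIOS form
  if (/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(u)) return 'ad-upn';  // UPN form
  return 'lfds';
}

// Returns the message to show the user, or null when the form may submit.
function validateLogin(username, mfaChecked) {
  if (!mfaChecked) {
    return "Please check the checkbox 'I have MFA code' and try again.";
  }
  const kind = classifyUsername(username);
  if (kind === 'ad-domain' || kind === 'ad-upn') {
    return 'The external portal does not support AD logins.';
  }
  if (kind === 'empty') return 'Please enter a username.';
  return null;
}

// Wire the check to the form's submit event when running in a browser.
// The guard lets the helpers above be exercised outside a page as well.
// Element ids below are assumed, not taken from WebSTS.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', function () {
    const form = document.getElementById('loginForm');
    if (!form) return;
    form.addEventListener('submit', function (ev) {
      const msg = validateLogin(
        document.getElementById('username').value,
        document.getElementById('mfaCheckBox').checked);
      if (msg) {
        ev.preventDefault();
        alert(msg);
      }
    });
  });
}
```

Because this runs in the browser it only steers internal users away from the external site; as the selected answer notes, it does not stop someone who bypasses the form, so the MFA policy itself still has to be enforced on the authentication provider side.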
replied on April 10

Greetings - Has there been any out-of-the-box solution implemented for this issue or is modifying the JavaScript to enforce validation on the WebSTS login still necessary?

replied on April 10

Still necessary. An out-of-the-box solution is logged as a feature request and something we hope to get to in the relatively near future though.
