ELI5: SMTP Auth with ADFS in Play
Posted by thebotnist@reddit | sysadmin | 3 comments
I have O365 federated, and auth is happening in ADFS.
User hits O365 resource > redirected to ADFS > redirected back to O365 resource with the token. I understand this interactive process well enough, but I'm suddenly realizing I have no idea how Basic SMTP Auth works with this setup.
I have a few copiers that are set up for scan to e-mail, and they connect to smtp.office365.com on port 587 with StartTLS (IIRC). I enter a username/password in the copier's config and scans work.
I don't have any connectors set up.
What brought it up is that the scanner account that I'm using is getting locked out. I can't find anything in the DC logs like I would for a normal lockout that is happening from a computer, etc. I'm coming up empty in the ADFS logs too, which makes me wonder if there's a way to beef up the ADFS logs any. I have a pretty simple ADFS setup: two ADFS servers, and two WAPs in the DMZ.
How is that flow for the copiers to authenticate and send mail different from an interactive login? Sorry if that's a basic question.
SmallBusinessITGuru@reddit
Well, what do the Entra sign in logs show at that time?
Also, is your account lockout less than 10? 10 is the minimum if you're using 365, for this reason.
thebotnist@reddit (OP)
No sign in logs around that time. But that's the thing, if the auth fails at the ADFS step, I don't think it makes it to O365 to show any logs. So I'm guessing my failures will all be logged in ADFS.
It's not getting locked out in 365 though, so I don't think that lockout time comes into play? I just looked at the account lockout settings and they're all null.
SmallBusinessITGuru@reddit
AD account lockout is being triggered? Is it less than 10? That's the lockout I was meaning.
When 365 was first out, a lot of customers used 5 attempts for the base threshold. When we moved them to 365 that started to cause lockouts, since it was not high enough, so a Microsoft recommendation was put out that 10 should be utilized in AD when 365 is authenticating back through ADFS.
I was looking for something related and found this article: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging
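As an added worked example (not posted by anyone in this thread), here is the kind of script you would run on each AD FS server and against the PDC emulator to answer the two open questions above: turning AD FS auditing up so failed credential validations are written to the Security log, and then pulling the failure events for the scanner account from both AD FS and AD. The audit-level and auditpol steps are the ones described in the Microsoft troubleshooting article linked above; the account names are placeholders, and the script assumes the UPN prefix matches the sAMAccountName (if it does not, set `$ScannerSam` separately).

```powershell
# Added example, not from the thread. Run on each AD FS server (not the WAPs,
# which only proxy) with the AD FS and ActiveDirectory PowerShell modules.
$ScannerUpn = 'scanner@contoso.example'          # placeholder UPN
$ScannerSam = $ScannerUpn.Split('@')[0]          # assumption: sAMAccountName = UPN prefix
$Since      = (Get-Date).AddHours(-24)

# 1. Make AD FS write audit events to the Security log. Both settings are
#    required: the AD FS audit level and the Windows audit-policy subcategory.
Set-AdfsProperties -AuditLevel Verbose
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
Get-AdfsProperties | Select-Object AuditLevel

# 2. Pull AD FS failure audits for the account. Event 1203 is a fresh
#    credential validation error (bad password or locked-out account);
#    411 is a token validation failure. Provider name is "AD FS Auditing".
$adfsFailures = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    Id           = 1203, 411
    StartTime    = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ScannerUpn) -or
                   $_.Message -match [regex]::Escape($ScannerSam) }

# The message body carries the client IP and the relying party, so keep it
# whole; a burst of 1203s from one IP every few minutes points at the device
# that still has an old password.
$adfsFailures |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 3. Cross-check the AD side. Lockouts (4740) and NTLM bad-password
#    attempts (4776) are always recorded on the PDC emulator, so query it
#    rather than an arbitrary DC. When the bad password arrives through
#    AD FS, "Caller Computer Name" / "Source Workstation" will be an AD FS
#    server, not the copier.
$pdc = (Get-ADDomain).PDCEmulator

Get-ADUser -Identity $ScannerSam -Server $pdc `
    -Properties LockedOut, BadPwdCount, LastBadPasswordAttempt, LockoutTime |
    Select-Object SamAccountName, LockedOut, BadPwdCount, LastBadPasswordAttempt

Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740, 4776
    StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ScannerSam) } |
    Select-Object TimeCreated, Id,
        @{ n = 'Source'; e = {
            ($_.Message -split "`n" |
                Select-String 'Caller Computer Name|Source Workstation').Line.Trim()
        } } |
    Format-Table -AutoSize
```

If step 2 shows 1203 events with the relying party set to Office 365 and step 3 shows 4776/4740 with an AD FS server as the source, the lockout is coming through the federated SMTP AUTH path, and the AD FS event timestamps and client IPs will identify which copier is retrying with stale credentials. Verbose auditing is noisy on a busy farm; drop it back to `Basic` once the source is found.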