Multiple IP Addresses on failed sign in attempt


Problem description


Hi All

I've been reviewing Bad Password Attempts on my work Azure AD tenant and I'm seeing a lot of bad password attempts in the Azure AD Connect Health - AD FS Services blade.

For many of these failures there are 2 addresses (1 is external to my LAN and the other is a LAN IP - all the same due to the way that we NAT traffic).

My question is, what is the scenario that would show 2 IP addresses for a single sign-in attempt?

Thanks

Danny

Solution

Hello DannyC_78,

The logs on the Azure AD Connect Health for ADFS service blade collect insights from on-prem ADFS. Generally, in an on-prem ADFS environment you can have multiple different services, like MDM, through which the request passes before it reaches the ADFS server. Hence, in those scenarios the audit can contain multiple IPs.

For example, the request comes from the client (public IP) --> goes to MDM MobileIron for checks (internal IP) --> comes to the proxy (internal IP) --> comes to ADFS.

If you enable ADFS tracing as per the following article, you can find the activity ID and correlate it with the details in the tracing logs in event 54.

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging

Event 54 would give some details like below. The following is a sample log.

Following request context headers present :

Activity ID: 00000000-0000-0000-2c05-00800000009d 

X-MS-Client-Application: Microsoft.Exchange.ActiveSync

X-MS-Client-User-Agent: Apple-iPhone7C2/1305.233

client-request-id: 00000000-0000-0000-2c05-00800000009d

X-MS-Endpoint-Absolute-Path: /adfs/services/trust/2005/usernamemixed

X-MS-Forwarded-Client-IP: 192.46.10.51,192.46.10.28,132.245.71.149

X-MS-Proxy: adfsp02

 

  

Following request context headers present :

Activity ID: 00000000-0000-0000-6015-0080000000b1 

X-MS-Client-Application: Microsoft.Exchange.ActiveSync

X-MS-Client-User-Agent: Apple-iPhone7C2/1306.69

client-request-id: 00000000-0000-0000-6015-0080000000b1

X-MS-Endpoint-Absolute-Path: /adfs/services/trust/2005/usernamemixed

X-MS-Forwarded-Client-IP: 192.46.10.52,40.96.5.149

X-MS-Proxy: adfsp02

In the above you can see the X-forwarded-Client-IP is mentioned, and in both scenarios it has multiple IPs. The IPs are appended in any request by the ADFS proxy and ADFS for ease of troubleshooting. It's done for request tracing when you are troubleshooting any user's sign-on failure. So yes, there can be scenarios, depending on how complex your infrastructure design is, where you could see multiple IPs on an ADFS logon request for a single sign-in attempt.

You can go through the article https://blogs.technet.microsoft.com/askpfeplat/2015/06/14/adfs-deep-dive-troubleshooting/ for understanding the troubleshooting and the kind of details that would need to be collected by any ADFS monitoring solution in general.

Hope the above clarifies your doubts about scenarios where you could see multiple IPs for a single logon request. Let us know in case you have any queries on this.

Thank you. 
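The header chain described in the answer, as an added example that is not part of the original thread: Python that parses event 54 header text, splits X-MS-Forwarded-Client-IP into its hops and labels each hop against a list of internal networks, so bad-password reports can be grouped by the external address instead of the raw multi-IP string. Treating 192.46.10.0/24 as internal is an assumption made for the sample, and `parse_events`, `classify_chain` and `INTERNAL_NETS` are names chosen here.

```python
import ipaddress
import re

# Constructed input: header lines from the two event 54 samples quoted above.
SAMPLE = """\
Activity ID: 00000000-0000-0000-2c05-00800000009d
X-MS-Forwarded-Client-IP: 192.46.10.51,192.46.10.28,132.245.71.149
X-MS-Proxy: adfsp02

Activity ID: 00000000-0000-0000-6015-0080000000b1
X-MS-Forwarded-Client-IP: 192.46.10.52,40.96.5.149
X-MS-Proxy: adfsp02
"""

# Assumption: 192.46.10.0/24 stands in for your real internal/NAT networks.
INTERNAL_NETS = [ipaddress.ip_network("192.46.10.0/24")]
HEADER = re.compile(r"^\s*([A-Za-z][\w\- ]*?)\s*:\s*(.*?)\s*$")

def parse_events(text):
    """Split a header dump into one dict per 'Activity ID' record."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "activity id":
            events.append({})  # a new Activity ID starts a new record
        if events:
            events[-1][key] = value
    return events

def classify_chain(event, internal_nets=INTERNAL_NETS):
    """Return [(ip, 'internal' | 'external' | 'invalid'), ...] in header order."""
    chain = []
    parts = event.get("x-ms-forwarded-client-ip", "").split(",")
    for raw in filter(None, (p.strip() for p in parts)):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            chain.append((raw, "invalid"))  # keep malformed values visible
            continue
        inside = any(ip in net for net in internal_nets)
        chain.append((str(ip), "internal" if inside else "external"))
    return chain

if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(ev["activity id"], classify_chain(ev))
```

The header value is supplied along the request path, so treat the labels as a triage aid and confirm them against the proxy named in X-MS-Proxy and your own network records.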

