User being redirected to ADFS Sign in page after MFA and not the desired site

  • Question

  • Hi All

    I'm hoping someone could help me with an issue I'm facing.

    We have an Azure MFA server up and running and have installed the adaptor on to our ADFS server. The adaptor was registered and configured successfully. We have a number of relying party trusts with third party apps where we would like to add MFA when accessing outside of the network but facing a redirect issue. 

    Without MFA configured.

    1. Hit URL Externally
    2. Redirected to ADFS sign in Page
    3. Sign in with domain credentials
    4. Successfully access site.

    With MFA option selected (per relying party trust)
    (Azure MFA server selected as the MFA authentication provider)

    1. Hit URL
    2. Redirected to ADFS sign in Page
    3. Sign in with domain credentials
    4. MFA kicks in and rings users phone. User authorises login
    5. Returns to the ADFS sign in page rather than the desired site. 

    ADFS logs show the user was authenticated but I'm just seeing this loop activity and the user being redirected to our sign in page after MFA. With MFA unticked we are redirected to sign in page but get straight into site after providing credentials. 

    Does anyone have any idea on this?

    Thanks

    Monday, September 17, 2018 12:53 PM

All replies

  • To clarify, could you confirm that the user proofup for MFA is done?
    Does it happen every time, even after the user has completed the MFA proofup? Could you share a screenshot of the landing page? Did you receive any error message?
    Meanwhile, you may also refer to this article - https://blogs.technet.microsoft.com/markrenoden/2018/06/20/ad-fs-2016-and-azure-mfa-a-few-nuances/

    Monday, September 17, 2018 5:25 PM
  • Monday, September 17, 2018 7:37 PM
  • The MFA is done on the specific relying party trust in ADFS using the MFA server as the MFA authentication provider. 

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-adfs-2012

    It happens every time when we enable MFA for extranet users for this specific trust. Without MFA enabled we are redirected to sign in page > authenticate > go straight through to third party website. 

    Tuesday, September 18, 2018 8:45 AM
  • Two things: 

    1. Check that your reply URLs are configured properly and whatever's in your app registration matches what's in your config. Also ensure it's directing to the right page. This should already be set up correctly if you are saying that it worked prior to adding MFA, but it's worth verifying that nothing changed.

    2. Adjust the timeout for the call to ensure that the authentication is not timing out during the MFA. This thread offers some workarounds for how to do this. https://social.msdn.microsoft.com/Forums/azure/en-US/34a3ecfd-911a-4d68-ae03-2b71aef135a7/adjusting-timeout-of-mfa-call-from-microsoft-system?forum=WindowsAzureAD

    Can you test with both an MFA-enabled user and an MFA-disabled user and ensure that one logs in and the other doesn't? What do the logs say in the MFA server?

    I have a lab set up with ADFS MFA working successfully but could not reproduce this issue. 


    Wednesday, September 19, 2018 9:12 PM
    Owner
  • Thanks Marilee. Sorry for the delay in response

    The redirect loop only occurs when accessing from the extranet. For example, if I turn MFA on for the relying party trust and access the site within our network, I am prompted for MFA and pass through successfully to the site. 

    Did you have to specify any claims rules on your relying party trust to allow MFA auth outside of the network?


    Thursday, September 27, 2018 3:40 PM
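A diagnostic an AD FS admin would run on the federation server to answer the questions raised above (which MFA provider is registered, what per-trust and global additional authentication rules apply, and which endpoints the token is returned to), followed by the standard extranet-only MFA rule. This is an added example, not code from this thread or from Microsoft's docs; the relying party trust name is a placeholder.

```powershell
# Added example: AD FS PowerShell diagnostic for a per-relying-party MFA redirect loop.
# $rpName is a placeholder; substitute the display name of the relying party trust.
$rpName = "<RELYING-PARTY-TRUST-NAME>"

# 1. Registered authentication providers: the MFA adapter must appear as the
#    AdditionalAuthenticationProvider, and the intranet/extranet primary providers
#    show what the user authenticates with before MFA is triggered.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider,
                  PrimaryExtranetAuthenticationProvider,
                  AdditionalAuthenticationProvider

# 2. The trust's own MFA rules and the endpoints AD FS redirects back to after
#    authentication. A mismatch between these endpoints and the application's
#    configured reply URL is the first thing to rule out.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp | Select-Object Name, Identifier, WSFedEndpoint, AdditionalAuthenticationRules
$rp.SamlEndpoints | Select-Object Binding, Protocol, Location, IsDefault

# 3. Global additional authentication rules apply to every trust on top of the
#    per-trust rules above, so both sets must be reviewed together.
Get-AdfsAdditionalAuthenticationRule

# 4. The standard per-trust rule that requires MFA only when the request does not
#    carry insidecorporatenetwork == true (i.e. it arrived via the proxy from the
#    extranet). Setting it replaces the trust's existing additional authentication
#    rules, so review step 2 first; the Set call is left commented out deliberately.
$extranetMfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
# Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $extranetMfaRule
```

If the insidecorporatenetwork claim is not being set to false for external requests (for example because the proxy is not presenting itself as a federation proxy), the extranet rule never fires and MFA behaviour will differ between inside and outside the network.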