Multi-Factor Portal Error Message "Error connecting to the local Multi-Factor Authentication service."

  • Question

  • When accessing portal https://mfa.site.com/MultiFactorAuth/ I receive the following error

    Multi-Factor Authentication User Portal is configured to communicate with the Web Service SDK which returned the following error:

    Error connecting to the local Multi-Factor Authentication service.

    My configuration is: the portal server is located in the DMZ and the SDK server is located on the local network behind a firewall. All communication is secured with SSL certificates.

    When I test from the portal server using pfwssdk_test.exe, I receive the following messages:

    When I do "TestSecurity" I receive the message "secure"
    When I do "TestMasterConnection" I receive the message "Error connecting to the master Multi-Factor Authentication service."
    When I do "PrimaryAuthUser" I receive the message "Error connecting to the local Multi-Factor Authentication service."

    In my log file MultiFactorAuthSvc.log on the SDK server, wherever I receive the error message

    Multi-Factor Authentication User Portal is configured to communicate with the Web Service SDK which returned the following error:

    Error connecting to the local Multi-Factor Authentication service.

    this is logged to that log file: "rpcIfCallback,rpcServer|ifc=80ee1ff2-b056-45f6-8c0f-c141a7e62c95, context=0x0000006BA61C3E10"

    Monday, December 4, 2017 10:27 PM

Answers

  • When the User Portal or Mobile App Web Service gets that error message, it is usually due to one of two reasons:

    1. The web service isn't reachable from the web server.

    2. The credentials you have put into the web.config file are not members of the PhoneFactor Admins group in AD. If that identity is not a member of that special security group, then the connection to the Web Service SDK and MFA service isn't allowed.

    Thursday, December 7, 2017 8:06 PM

All replies

  • I suggest you refer to this documentation on Enable mobile app authentication with Azure Multi-Factor Authentication Server - https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice
    The Web Service SDK must be installed on the same server as the MFA server.
    • Proposed as answer by vijisankar Thursday, December 7, 2017 7:58 PM
    Thursday, December 7, 2017 7:58 PM
  • Adding the user to the PhoneFactor Admins group corrected my issue. Thanks. 
    Thursday, December 7, 2017 8:31 PM
  • We are glad to know that.
    Friday, December 8, 2017 8:21 PM
  • I had the same issue. However, none of the suggestions worked.

    I had Event 1309 (ASP.NET 4.0.30319.0) in the Application Log stating 'Could not create SSL/TLS secure Channel'. However, when I enabled Schannel verbose logging (https://blogs.technet.microsoft.com/kevinjustin/2017/11/08/schannel-event-logging/), no errors were logged.

    Eventually I fired up ProcMon, where I could see that the process 'lsass.exe' got 'ACCESS DENIED' in path C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ impersonating the Domain\PFUP_<%Computername%> account (which is the Application Pool account and a member of PhoneFactor Admins). I gave the account read permission on the 'folder, subfolders and files' and the user portal worked correctly.

    Hope this helps somebody :-)


    Tuesday, July 24, 2018 6:54 AM
  • @Jan C. Andersen Thanks for updating the forum with the solution that worked for you, which might help other community members.
    Wednesday, July 25, 2018 7:40 PM
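
The three causes raised in this thread (SDK not reachable, identity not in PhoneFactor Admins, identity unable to read the MachineKeys store) can be checked in one pass. The script below is an added example, not code from any poster or from the MFA Server product. It assumes the RSAT ActiveDirectory module is installed, that the SDK listens on TCP 443, and uses placeholder account and host names.

```powershell
# Added example, not from the thread. Run elevated on the User Portal web server.
# Parameter defaults are placeholders (assumptions); port 443 is assumed for the SDK.
param(
    [string]$SamAccount = 'PFUP_WEB01',                # placeholder app pool identity
    [string]$SdkHost    = 'mfa-sdk.example.internal',  # placeholder SDK server name
    [string]$Group      = 'PhoneFactor Admins',
    [string]$KeyFolder  = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'
)
Import-Module ActiveDirectory

# Reason 1 from the answer: can this server reach the Web Service SDK?
$tcp = Test-NetConnection -ComputerName $SdkHost -Port 443 -WarningAction SilentlyContinue
"SDK reachable on TCP 443 : $($tcp.TcpTestSucceeded)"

# Reason 2: is the web.config identity in the group (nested membership included)?
$members = Get-ADGroupMember -Identity $Group -Recursive
"Member of '$Group' : $($members.SamAccountName -contains $SamAccount)"

# Later reply: can the identity read the machine key store?
# SIDs the account holds: itself, its AD groups, Everyone, Authenticated Users.
# Machine-local group membership is not resolved here.
$user = Get-ADUser -Identity $SamAccount -Properties tokenGroups
$sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value }) +
        @('S-1-1-0', 'S-1-5-11')

# Simplified evaluation: any matching Deny that touches Read loses; otherwise a
# single matching Allow ACE must grant the full Read right. Inherit-only ACEs
# are not filtered out.
function Test-ReadAccess([string]$Path) {
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true,
              [System.Security.Principal.SecurityIdentifier])
    $mine  = $rules | Where-Object { $sids -contains $_.IdentityReference.Value }
    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    $deny  = $mine | Where-Object { $_.AccessControlType -eq 'Deny' -and
                                    ($_.FileSystemRights -band $read) }
    $allow = $mine | Where-Object { $_.AccessControlType -eq 'Allow' -and
                                    (($_.FileSystemRights -band $read) -eq $read) }
    return (-not $deny) -and [bool]$allow
}

"Read on key folder       : $(Test-ReadAccess $KeyFolder)"
# Key files the identity cannot read (MachineKeys files are hidden, hence -Force).
Get-ChildItem -Path $KeyFolder -File -Force |
    Where-Object { -not (Test-ReadAccess $_.FullName) } |
    Select-Object Name, LastWriteTime
```

The per-file listing shows exactly which key files the identity cannot read, so read access can be granted on the one key file that backs the certificate in use, which is narrower than granting it on the folder, subfolders and files.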