Mobile App Activation Fails

  • Question

  • Hi, I am trying to test the MFA Mobile App on my Android phone. Phone based authentication is working fine but the mobile app fails to activate. My server is Windows 2008 R2 SP1 with MFA Server 6.1.1.15297.

    I can log into the User Portal (with phone based authentication), generate an activation code, scan the QR barcode but then the app always returns "Activation failed, Please check the activation code to ensure it is correct. Error details: Server Error"

    The URL in the mobile app is definitely correct. I am using self signed certificates with a CN equal to the URL. I have imported the certificate into the Trusted Root store on the server, my laptop client, and I tried to import it to the android 4.2.2 phone. It says it imported it but then I can't see it in the list. None of this seems to have made any difference.

    The MultiFactorAuthSvc log contains:

    2014-04-01T14:46:24.453125Z|i|1352|3168|pfsvc|Phone App activation code '864598222' generated for user 'Andy.Pattrick'
    2014-04-01T14:46:48.937500Z|e|1352|3168|iisabo|WMI error: -2147217394
    2014-04-01T14:46:49.484375Z|e|1352|3960|credStore|Couldn't read credential identified by 'PfSmtp'. Element not found. (0x00000490 = 1168)

    I googled those errors but came up pretty empty-handed.

    Does anyone have any ideas? Has anyone got this working on Android using self-signed certificates? I only have 19 days left on the trial and I need to establish whether the mobile app will work, so I'm keen to get this working.

    Cheers Andy.

    Tuesday, April 1, 2014 3:14 PM

Answers

  • Andy -

    I'm fairly sure that the phone activation will only work with a trusted 3rd party certificate (i.e. Symantec, etc.).  You could try putting the Root CA on your mobile device, but I'm still not sure it will work inside of the phone activation.  I recommend to most of our users to use the mobile phone app for authentication, it is by far the most reliable (and least intrusive) in my opinion.

    • Proposed as answer by Redparadox Wednesday, April 16, 2014 8:10 PM
    • Marked as answer by Andy Pattrick Thursday, April 17, 2014 8:33 AM
    Tuesday, April 8, 2014 11:49 AM

All replies

  • From a browser on my laptop if I call https://myurl.com/mobile/PfPaWs.asmx/TestPfWsSdkConnection then I get success so I think I have the mobile web service and the web service SDK configured correctly but I still cannot activate the app on Android. 

    I suspect that you can't do this using self-signed certificates but it would be nice to hear others experience.

    Cheers Andy.

    Tuesday, April 1, 2014 5:11 PM
  • Thanks Redparadox! Yes, I believe I found a 'Note' in the help to that effect. I tried installing my self-signed cert into my phone's trusted root store but it still didn't work. It looks like it really does have to be signed by a recognised CA. That's quite annoying for testing purposes, but there you go. It would be better if the app allowed you to accept an unsigned cert just like a browser does.
    Tuesday, April 8, 2014 12:11 PM
  • Has anyone tried a third-party wildcard cert?   My wildcard cert is issued by a commercial CA but I get the same error.

    Also,  if I install the mobile app on a different server,  where are the application (not IIS) logs written?

    Tuesday, September 30, 2014 5:59 PM
  • I found that a commercial CA's wildcard cert works but I also found that the Android app doesn't do SNI.   This can create some issues if you are deploying on Server 2012/IIS 8 or later.
    • Proposed as answer by hukel Thursday, October 2, 2014 4:56 PM
    Thursday, October 2, 2014 4:52 PM
  • Hugh,

    I may be experiencing the same issue you described, Android devices won't connect while using a wildcard cert, on an IIS8 server.

    Did you find a successful workaround/resolution for your situation?

    Monday, January 12, 2015 9:34 PM
  • Do you have multiple SSL sites on the server (and this one isn't the "default" binding)?  If so, it could well be the same issue - lack of SNI support in the Android TLS negotiation.

    This gives a pretty good synopsis.

    http://mobilitydojo.net/2012/08/20/server-name-indication-support-in-mobile-devices/

    Hugh

    Monday, January 12, 2015 10:54 PM
  • Got the same issue and found the solution:

    Issue: MFA activation works on Windows Phone and iPhone, but not on Android. This case is related to the Lync app issue with Android.

    If you have added the correct HTTP binding with the certificate hash, then Lync mobile on Android will work.

    But in our case we used a unique certificate, and then MFA activation did not work either. As you can only add one ipport=0.0.0.0:443 binding related to the certificate hash, you can NOT use a unique certificate for ADFS federation and MFA activation on the same server using a single IP address.

    We found two solutions:

    1) Either use a wildcard or SAN certificate

    2) Bind the unique certificate name with a unique IP address.

    Thursday, April 2, 2015 7:31 AM
  • Hello!

    The "Azure Authenticator" app for Android doesn't support Server Name Indication (SNI), which will cause the activation to fail. If the Azure MFA Mobile App web site is configured with this on IIS, it must be switched off.

    If you have published the "Azure MFA Mobile App" web site via "Web Application Proxy (WAP)", you will face the same issue, as "Web Application Proxy" uses SNI for all bindings when publishing the web sites.

    I have been able to resolve this on the Web Application Proxy by adding a static SSL cert binding using the following command:

    netsh http add sslcert ipport=0.0.0.0:443 certhash=xxxxxxxxxxxxxxxxx appid={xxxxxxx-xxxxx} certstorename=MY

    The problem applies to older versions of Android.
    Version 6 of Android does not have this problem.


    Best Regards Anders Horgen


    • Proposed as answer by Anders Horgen Thursday, September 24, 2015 9:21 AM
    • Edited by Anders Horgen Friday, January 20, 2017 9:04 AM Updated information
    Thursday, September 24, 2015 9:21 AM
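The two posts above describe the same root cause from different angles: a client that does not send SNI can only be served by an address-wide (ipport=0.0.0.0:443 or specific IP) binding, never by a hostname (SNI) binding, so the certificate on that address-wide binding must cover the MFA hostname (wildcard or SAN) or the hostname needs its own IP. The following script is an added example for this thread, not code from Microsoft, the MFA Server product or any poster. It parses the output of `netsh http show sslcert` and reports what a non-SNI client connecting for a given hostname would receive. The sample output is constructed to follow the netsh layout ("IP:port" blocks for address-wide bindings, "Hostname:port" blocks for SNI bindings); the hashes and application IDs in it are placeholders.

```python
"""Check `netsh http show sslcert` bindings for non-SNI client reachability.

Added example for this thread; not part of MFA Server, WAP or any poster's
material. The sample below is constructed in the netsh output layout.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on `netsh http show sslcert` output.
# Hashes and application IDs are placeholders, not real values.
SAMPLE_NETSH_OUTPUT = """
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 1111111111111111111111111111111111111111
    Application ID               : {00000000-0000-0000-0000-000000000001}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled

    Hostname:port                : mfa.example.com:443
    Certificate Hash             : 2222222222222222222222222222222222222222
    Application ID               : {00000000-0000-0000-0000-000000000002}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
"""


@dataclass
class SslBinding:
    kind: str       # "ip" (address-wide, reachable without SNI) or "hostname" (SNI only)
    endpoint: str   # e.g. "0.0.0.0:443" or "mfa.example.com:443"
    cert_hash: str
    app_id: str
    store: str

    @property
    def port(self) -> int:
        return int(self.endpoint.rsplit(":", 1)[1])


# Key text, at least one space, a colon, at least one space, value.
# The key itself may contain a colon ("IP:port"), so anchor on the padded colon.
_FIELD_RE = re.compile(r"^\s*(?P<key>\S.*?)\s+:\s+(?P<value>.*?)\s*$")


def _finish(fields: dict) -> SslBinding:
    return SslBinding(
        kind=fields["kind"],
        endpoint=fields["endpoint"],
        cert_hash=fields.get("cert_hash", ""),
        app_id=fields.get("app_id", ""),
        store=fields.get("store", ""),
    )


def parse_sslcert_output(text: str) -> List[SslBinding]:
    """Turn netsh's blank-line separated blocks into SslBinding records."""
    bindings: List[SslBinding] = []
    current = None
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key in ("IP:port", "Hostname:port"):
            if current is not None:
                bindings.append(_finish(current))
            current = {"kind": "ip" if key == "IP:port" else "hostname", "endpoint": value}
        elif current is not None:
            if key == "Certificate Hash":
                current["cert_hash"] = value.lower()
            elif key == "Application ID":
                current["app_id"] = value
            elif key == "Certificate Store Name":
                current["store"] = value
    if current is not None:
        bindings.append(_finish(current))
    return bindings


def bindings_reachable_without_sni(bindings: List[SslBinding], port: int = 443) -> List[SslBinding]:
    """Only address-wide (IP:port) bindings answer a client that sends no SNI."""
    return [b for b in bindings if b.kind == "ip" and b.port == port]


def diagnose(bindings: List[SslBinding], hostname: str, port: int = 443) -> str:
    """Classify what a non-SNI client asking for `hostname` would get.

    sni-only                   -> no address-wide binding; old Android fails the handshake
    ip-fallback-different-cert -> it gets the address-wide cert, which must cover the
                                  hostname (wildcard/SAN) or activation fails
    ok-same-cert               -> address-wide and SNI bindings present the same cert
    no-binding                 -> nothing listens for this hostname/port at all
    """
    ip_bindings = bindings_reachable_without_sni(bindings, port)
    wanted = f"{hostname}:{port}".lower()
    sni = [b for b in bindings if b.kind == "hostname" and b.endpoint.lower() == wanted]
    if not sni and not ip_bindings:
        return "no-binding"
    if not ip_bindings:
        return "sni-only"
    if sni and any(b.cert_hash == sni[0].cert_hash for b in ip_bindings):
        return "ok-same-cert"
    return "ip-fallback-different-cert"


if __name__ == "__main__":
    parsed = parse_sslcert_output(SAMPLE_NETSH_OUTPUT)
    for b in parsed:
        print(f"{b.kind:8} {b.endpoint:25} {b.cert_hash[:8]}... {b.store}")
    print("non-SNI client for mfa.example.com:", diagnose(parsed, "mfa.example.com"))
```

To use it against a real server, capture `netsh http show sslcert` on the MFA server or the WAP host and feed the text to `parse_sslcert_output`. A result of `sni-only` matches the failure the posters describe; `ip-fallback-different-cert` means the certificate on the address-wide binding is what older Android receives, so it must be a wildcard or SAN certificate valid for the MFA hostname, which is exactly the first solution given above.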
  • I have the same scenario, using a third-party wildcard certificate and Windows Server 2012 R2/IIS 8. SNI is disabled. Did you find any other resolution/workaround for this?

    I get this in the logs:

    2015-10-08T11:58:24.829747Z|e|1728|5516|pfsvc|Phone App activation code '704749090' not valid, device token 'APA91bFao3EAG7FpnC5VeMWmFN-_9RBD4jhAQqx4VjMincdTpZkf_eudv8Y28I7FWYcSQT3ULvtl-Wjie1Bj04gDDRbVWPBLBKvG1IVUI0s9dhvoktdLOvBDtOA0ieaw0Pv7hwi7I4-q' device name 'Mi 4i'
    2015-10-08T11:59:58.423195Z|0|1728|5580|rpcIfCallback,rpcServer|ifc=a8841724-a80c-4038-85dc-b8abfe27a4bc, context=0x00000000001B9D80
    2015-10-08T12:00:00.584752Z|0|1728|5580|rpcIfCallback,rpcServer|ifc=2d4baaca-d42b-4461-99db-da9db1b9fa80, context=0x00000000001B9D80
    2015-10-08T12:00:00.600365Z|e|1728|5580|iisabo|WMI error: -2147217394
    2015-10-08T12:00:01.443426Z|e|1728|5516|credStore|Couldn't read credential identified by 'PfSmtp'. Element not found. (0x00000490 = 1168)


    Chitresh Pandit

    Thursday, October 8, 2015 12:16 PM
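Both the original post and the one above quote lines from the MultiFactorAuthSvc log in the same pipe-delimited shape, and the same two error lines (the `iisabo` WMI error and the `credStore` 'PfSmtp' lookup) appear in both logs, a year apart and with different certificate setups, while the line that actually describes the activation outcome is the `pfsvc` one. The script below is an added example for this thread, not part of MFA Server or any poster's material; it parses that log format and pulls out the errors logged around an activation attempt so the two kinds of line can be told apart. The field order (timestamp|level|pid|tid|component|message) is inferred from the quoted lines, and the sample lines are constructed in that shape with placeholder values.

```python
"""Parse MultiFactorAuthSvc.log lines and correlate errors with activations.

Added example for this thread; not part of MFA Server or any poster's
material. Field order is inferred from the lines quoted in the thread.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample in the quoted log shape; codes, tokens and GUIDs are placeholders.
SAMPLE_LOG = """\
2015-10-08T11:58:24.829747Z|e|1728|5516|pfsvc|Phone App activation code '000000000' not valid, device token 'CONSTRUCTED-TOKEN' device name 'Test Device'
2015-10-08T11:59:58.423195Z|0|1728|5580|rpcIfCallback,rpcServer|ifc=00000000-0000-0000-0000-000000000000, context=0x0000000000000000
2015-10-08T12:00:00.600365Z|e|1728|5580|iisabo|WMI error: -2147217394
2015-10-08T12:00:01.443426Z|e|1728|5516|credStore|Couldn't read credential identified by 'PfSmtp'. Element not found. (0x00000490 = 1168)
2015-10-08T12:30:00.000000Z|i|1728|5516|pfsvc|Phone App activation code '111111111' generated for user 'constructed.user'
"""


@dataclass
class LogRecord:
    ts: datetime
    level: str        # 'i' info, 'e' error; '0' is seen on the RPC callback lines
    pid: int
    tid: int
    component: str
    message: str


def parse_line(line: str) -> Optional[LogRecord]:
    """Split one log line into its six fields; return None for lines that don't fit."""
    parts = line.rstrip("\r\n").split("|", 5)
    if len(parts) != 6:
        return None
    ts_text, level, pid, tid, component, message = parts
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        return LogRecord(ts, level, int(pid), int(tid), component, message)
    except ValueError:
        return None


def parse_log(text: str) -> List[LogRecord]:
    return [r for r in (parse_line(line) for line in text.splitlines()) if r is not None]


def activation_failures(records: List[LogRecord]) -> List[LogRecord]:
    """The pfsvc lines that state an activation code was rejected."""
    return [
        r for r in records
        if r.component == "pfsvc" and "activation code" in r.message and "not valid" in r.message
    ]


def errors_within(records: List[LogRecord], anchor: LogRecord, window: timedelta) -> List[LogRecord]:
    """Other error-level records logged within `window` of `anchor`."""
    return [
        r for r in records
        if r is not anchor and r.level == "e" and abs(r.ts - anchor.ts) <= window
    ]


def error_counts_by_component(records: List[LogRecord]) -> Dict[str, int]:
    """How often each component logs errors; recurring ones are likely background noise."""
    counts: Dict[str, int] = {}
    for r in records:
        if r.level == "e":
            counts[r.component] = counts.get(r.component, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for failure in activation_failures(recs):
        print(f"{failure.ts.isoformat()} activation rejected: {failure.message}")
        for err in errors_within(recs, failure, timedelta(minutes=2)):
            print(f"    nearby error [{err.component}] {err.message}")
    print("error counts:", error_counts_by_component(recs))
```

Running this over a longer log export shows whether the `iisabo` and `credStore` errors recur on every request (in which case they are not specific to the failing activation) or only around activation attempts, which is the distinction a reader of this thread needs before chasing them.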
  • Hello,

    How have you published this application, behind a reverse proxy such as "Web Application Proxy" or BigIP etc.? Remember to turn off SNI there as well ;)

    Best Regards Anders Horgen

    Thursday, October 8, 2015 12:18 PM
  • How do I check this on IIS? I just installed the application through the MFA console. I got the SDKs from the MFA console and I installed them. The SDKs created the virtual directories in IIS. Is there any other place where I need to check WAP?

    Chitresh Pandit

    Thursday, October 8, 2015 12:48 PM
  • I would also like to add that the MFA and Mobile App Authentication application is hosted on an Azure server. The Azure server doesn't have a public IP and it shares the public IP of the cloud service. So when we open the MobileAppWebService we reach the service like https://cloudservice.cloudapp.net/MobileAppWebService.

    Since we didn't want to use this URL, we created an alias in the public DNS for cloudservice.cloudapp.net to resolve to something like mfa.companyname.com/

    In a nutshell: the MFA server resides behind a load balancer and we hit the load balancer to reach the MobileAuth application.

    Much Appreciated,

    Chitresh


    Chitresh Pandit

    Thursday, October 8, 2015 1:05 PM