MFA Server - ADFS - No IP Address

  • Question

  • Hi,

    We have configured MFA Server and everything is working apart from Trusted IPs from the ADFS login.

    When I check the activity report in Azure AD I can see the external IPs are recorded for both our radius server and the MFA Server User Portal but it is not recorded when I authenticate via MFA through the ADFS login page.

    How do I configure ADFS to record the external IP?

    Thanks

    Friday, March 1, 2019 5:15 PM

All replies

  • Make sure that you have updated your server and have the latest ADFS version. This can sometimes happen if you have not done these things. 

    If you are using a WAP server for external access can you check what you see there?

    Also, make sure that you are not facing an ADFS account lockout.

    Wednesday, March 6, 2019 12:09 AM
  • Any updates?
    Wednesday, March 6, 2019 7:27 PM
  • I have updated the MFA Servers from 8.0.0.3 to 8.0.1.1 but still get the same issue.

    No account lockouts.

    We do have a WAP server for external access. What am I looking for? Can you point me in the direction of any logs, etc.?

    Wednesday, March 6, 2019 8:40 PM
  • Sorry for the late reply!

    First:

    Log gathering

    Check the server logs from -

    1. The whole MFA server "Logs" folder. Usually they reside in the default installation location - C:\Program Files\Multi-Factor Authentication Server\Logs.

    You can also browse the logs by going to MFA UI > Logging > View Log Files.

    ** Note ** Always check "View Log Files" on the MFA UI. This creates the latest MFA configuration file.

    2. MFA logs from the Azure MFA portal. This is necessary when troubleshooting the phone call/SMS/mobile app on the backend. To get this log -

    i. Go to the MFA portal

    ii. Usage > User details

    3. Packet capture (Wireshark, Netmon) on the MFA server for RADIUS/LDAP and other network-related issues.

    4. Event Viewer logs in case the service crashes.

    5. For SSL issues, check the Security/System logs in Event Viewer.

    Second:

    Log files

    1. On-prem MFA logs are generated in UTC time, but the Azure portal logs on Azure are generated in US Central time.

    2. Log files do not replicate between the master and slave, so we need to get the logs from both in some scenarios.

    3. We will see the following log files under the Logs folder, and we need to check:

    MultiFactorAuthSvc.log - The MultiFactorAuth service logs to the MultiFactorAuthSvc.log file. This service is responsible for maintaining the data file and processing authentication requests.

    This is the most important file to check when any issue happens.

    MultiFactorAuthUI.log - For any UI-related issue, we check this file.

    MultiFactorAuthUserPortal.log - The User Portal logs to the MultiFactorAuthUserPortal.log file. Logging can be turned on by checking the Enable Logging checkbox in the Settings tab of the User Portal section.

    The account used as the identity of the web application's application pool must be granted Modify access to the Program Files\Multi-Factor Authentication Server\Logs directory.

    MultiFactorAuthAdSyncSvc.log - The MultiFactorAuthAdSync service logs to the MultiFactorAuthAdSyncSvc.log file. This service is responsible for synchronizing users with Active Directory or LDAP.

    MultiFactorAuthRadiusSvc.log - The MultiFactorAuthRadius service logs to the MultiFactorAuthRadiusSvc.log file. This service is responsible for processing RADIUS requests.

    MultiFactorAuthLdapSvc.log - The MultiFactorAuthLdap service logs to the MultiFactorAuthLdapSvc.log file. This service is responsible for processing LDAP requests.

    MultiFactorAuthAdfsAdapter.log - The MultiFactorAuthAdfsAdapter logs to the MultiFactorAuthAdfsAdapter.log file. This plug-in is responsible for adding Multi-Factor Authentication to AD FS authentications.

    MultiFactorAuthIsapi.log - Not used that much with the recent MFA deployments.

    MultiFactorAuthIisNm.log - The PfIisNm component logs to the MultiFactorAuthIisNm.log file. The PfIisNm component integrates with IIS as a native module to provide IIS authentication.

    The account used as the identity of the web application's application pool must be granted Modify access to the Program Files\Multi-Factor Authentication Server\Logs directory.

    4. MFA configuration file - The MFA configuration file is also found under the Logs folder as "MultiFactorAuthConfiguration_YYYYMMDDxxxx". This file does not update automatically, and we need to click on "View Log Files" under Logging on the MFA UI to generate a new one.

    If the User Portal and ADFS adapter are not installed on an MFA server, we can enable the logs in the following way -

    - Add the HKLM\Software\Wow6432Node\Positive Networks\PhoneFactor\InstallPath string value. You'll likely have to create the Positive Networks and PhoneFactor keys.

    - Set the string value to a path on the server (e.g. C:\MFA Server\). Be sure to include the trailing backslash.

    - Make sure that a Logs directory exists under the path you specified (e.g. C:\MFA Server\Logs).

    - Grant Modify access to the Logs directory to the AD FS service account.

    The registry entry is the same one used by all MFA Server components for logging. Whenever you install the AD FS adapter or User Portal on a separate box, the registry entry doesn't exist, but you can create it manually so that the component will know where to log.

    Monday, April 22, 2019 8:15 PM
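The four registry/folder/ACL steps in the reply above, as an added PowerShell example that is not part of the thread and not Microsoft's own script. It is meant for an AD FS (or User Portal) box where MFA Server itself is not installed, so that the adapter knows where to write MultiFactorAuthAdfsAdapter.log. The log root `C:\MFA Server\` comes from the reply; the service account name `CONTOSO\svc_adfs` is a placeholder you must replace with your AD FS service account. Run it in an elevated session on the AD FS server.

```powershell
# Added example: enable MFA Server component logging on a server without MFA Server installed.
# Follows the reply above: create the InstallPath value, the Logs directory, and a Modify ACE.
# Assumptions: $AdfsServiceAcct is a placeholder for your real AD FS service account.

$InstallPath     = 'C:\MFA Server\'            # path from the reply; must end with a backslash
$AdfsServiceAcct = 'CONTOSO\svc_adfs'          # PLACEHOLDER: your AD FS service account
$RegKey          = 'HKLM:\SOFTWARE\Wow6432Node\Positive Networks\PhoneFactor'

# Step 1: create the "Positive Networks\PhoneFactor" key path (-Force creates missing parents).
if (-not (Test-Path -Path $RegKey)) {
    New-Item -Path $RegKey -Force | Out-Null
}

# Step 2: set InstallPath as a REG_SZ value, enforcing the trailing backslash the components expect.
if (-not $InstallPath.EndsWith('\')) { $InstallPath += '\' }
New-ItemProperty -Path $RegKey -Name 'InstallPath' -Value $InstallPath `
                 -PropertyType String -Force | Out-Null

# Step 3: make sure the Logs directory exists under that path.
$LogsDir = Join-Path -Path $InstallPath -ChildPath 'Logs'
if (-not (Test-Path -Path $LogsDir)) {
    New-Item -Path $LogsDir -ItemType Directory | Out-Null
}

# Step 4: grant the AD FS service account Modify (not Full Control) on Logs, inherited by
# the files the adapter creates. Least privilege: Modify is all it needs to write/rotate logs.
$acl  = Get-Acl -Path $LogsDir
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $AdfsServiceAcct,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $LogsDir -AclObject $acl

# Verification: show the value the component will read and the ACE that was applied.
Get-ItemProperty -Path $RegKey -Name 'InstallPath' | Select-Object InstallPath
(Get-Acl -Path $LogsDir).Access |
    Where-Object { $_.IdentityReference -eq $AdfsServiceAcct } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags
```

After running it, trigger one AD FS sign-in that goes through the MFA adapter and confirm that MultiFactorAuthAdfsAdapter.log appears under the Logs directory; if it does not, the adapter is usually running as a different identity than the one you granted, which you can check in the AD FS service's Log On tab.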
  • If you are still having issues feel free to email me at AzCommunity@microsoft.com, include your subscription ID in the email, and I will open up a free support case for you.
    Monday, April 22, 2019 8:16 PM