MFA master server connectivity issue from SSL inspection

  • Question

  • From: Ray W @JwoWong via Twitter

    Can you tell us why the MFA installation is dropping the connection to the master server when SSL inspection is on?

    Thanks,

    @AzureSupport

    Monday, November 9, 2015 8:22 PM

Answers

  • The MFA Server must be able to establish a secure connection to the MFA cloud service without any certificate errors or warnings. If you are decrypting the SSL traffic in the web gateway and then re-encrypting from there to the MFA cloud service, that won't work because you don't have the private certs in your gateway that exist in the MFA cloud service, and the certs used in the gateway don't match the domain that the MFA Server is connecting to.
    Wednesday, November 11, 2015 10:22 PM
    Moderator
  • Correct. The MFA Server must be able to establish a secure connection to the MFA cloud service without any certificate errors or warnings. Otherwise, man-in-the-middle attacks would be possible. You can route the traffic through a proxy server no problem, but the proxy can't decrypt and then re-encrypt the traffic.
    Wednesday, November 18, 2015 7:59 PM
    Moderator
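A diagnostic for what the moderators describe, added here as an example and not part of the thread or of the MFA Server product: run on the MFA server itself, it performs the TLS handshake to the endpoint the security team saw in their logs and prints the certificate chain that actually arrives there. Only the host name comes from the thread; the port, the expected public root name (GlobalSign, which is only the security team's guess above) and the assumption that the gateway inspects transparently rather than as an explicitly configured proxy are mine.

```powershell
# Added diagnostic (not from the thread): show the certificate chain the MFA server
# actually receives from the MFA cloud endpoint. Run it on the MFA server so the
# traffic takes the same path (web gateway included) as the activation request.
$target = 'pfd.phonefactor.net'   # endpoint named in the security team's log in the thread
$port   = 443                     # assumption: gateway inspects ordinary HTTPS on 443
$expectedRootPattern = 'GlobalSign'   # assumption: taken from the security team's remark

# Capture the chain the peer presents instead of letting .NET reject it up front,
# so we can see why a normal client would refuse this connection.
$script:presentedChain = $null
$script:policyErrors   = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:presentedChain = $chain
    $script:policyErrors   = $sslPolicyErrors
    return $true   # accept for diagnosis only; never do this in production code
}

$tcp = New-Object System.Net.Sockets.TcpClient($target, $port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($target)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    "Policy errors reported by .NET : $script:policyErrors"
    "Leaf subject                   : $($leaf.Subject)"
    "Leaf issuer                    : $($leaf.Issuer)"
    ""
    "Chain as presented (leaf first):"
    $script:presentedChain.ChainElements | ForEach-Object {
        "  {0}`n    issued by {1}" -f $_.Certificate.Subject, $_.Certificate.Issuer
    }

    # The question the thread turns on: does the chain end in the public CA the cloud
    # service uses, or in the organisation's own enterprise CA (gateway re-signing)?
    $elements = $script:presentedChain.ChainElements
    $root = $elements[$elements.Count - 1].Certificate
    if ($root.Subject -notmatch $expectedRootPattern) {
        Write-Warning ("Chain for {0} ends in '{1}', not the expected public root. " +
                       "The gateway is decrypting and re-encrypting this connection; " +
                       "exempt {0} from SSL inspection.") -f $target, $root.Subject
    }
} finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

If the printed root is the enterprise CA, the gateway is substituting its own certificate, which is exactly the condition the moderators say the MFA Server refuses. Note that "Policy errors" may read None even then, because an enterprise CA is normally already trusted on domain members; that is why importing the GlobalSign roots, as tried in the thread, changes nothing. The fix the moderators point to is a gateway bypass (no decryption) for the MFA cloud service hosts, not more roots on the MFA server. If the server reaches the internet through an explicitly configured proxy rather than a transparent gateway, this direct TCP connection will not take that path and the output will not reflect what the MFA Server sees.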

All replies

  • Hi,

    My client is looking for an MFA solution for their ADFS/SharePoint Extranet. We recommended Azure MFA. We have MFA server installed in their perimeter network and the installation went through OK, but when we try to activate it, it returned "Error determining the master multi-factor authentication server. User interface will now close". Checking the MultiFactorAuthSvc.log, I am seeing this:

    

    Now, they do secure web gateway SSL inspection for all incoming and outgoing internet traffic due to statutory requirements. The security team is indicating that:

    We see a successful HTTPS connection originated from the MFA server to https://pfd.phonefactor.net/pfd/pfd.pl via the PFA user-agent using the POST web method during the activation, however this communication is quickly aborted by the MFA server after this initial connection is established. It is likely that this process is validating and is expecting GlobalSign to be the certificate issuer, thus when the process sees Enterprise CA as the certificate issuer, the connection aborts as a security measure to indicate man-in-the-middle activity.

    Was wondering if you have come across this issue from other customers? Thanks for your help. I want to get this resolved for them so that they have a green light to subscribe to the Azure cloud services.

    The only thing I know of which comes close to this is the following thread.

    https://social.technet.microsoft.com/Forums/office/en-US/13292985-7546-46c1-ad46-c253f1bed831/azure-multifactor-authentication-activate-fail?forum=windowsazureaditpro

    I was wondering if anyone has come across similar issues and potential fixes to resolve this?


    • Edited by Jwo Wong Monday, November 9, 2015 11:22 PM Reword
    Monday, November 9, 2015 8:58 PM
  • We have also imported the GlobalSign certs from https://support.globalsign.com/customer/portal/articles/1426602-globalsign-root-certificates into the trusted root certificate store of the MFA server, but the problem still persists.

    Tuesday, November 10, 2015 6:22 AM
  • @Shawnb_ms,

    So, there is no way to get MFA working with SSL inspection enabled? SSL inspection is a very common security practice for most enterprise environments and I find it hard to believe this is a show stopper.

    Please confirm.  Thanks.

    Ray


    • Edited by Jwo Wong Thursday, November 12, 2015 6:13 AM
    Thursday, November 12, 2015 6:13 AM