Azure Authenticator App on Android - your device does not trust the activation URL

  • Question

  • Hi,

    We have Azure MFA on-premise (all parts installed on the same server that is hosting ADFS). When an Android user tries to add the account to the Azure Authenticator App they get the error message "We couldn't add the account as your device does not trust the activation URL". iOS and Windows 10 Mobile users are able to add an account to the Authenticator app without any problems.

    Our User Portal and mobile phone portal are both published using our WAP server (all on 2012 R2), using the same hostname as the ADFS server and using a Digicert wildcard certificate (we've also tried with a Digicert certificate for the specific hostname).

    The MFA logs just show: "Phone App activation code 'xxxxxxxxx' generated for user" - but nothing logged after that.

    The device logs from the Android phone (running Android 5.0) show the error below:

     Error | ActivationTask |    |--faultString  - javax.net.ssl.SSLPeerUnverifiedException: No peer certificate | 
     Error | ActivationTask |    |--httpResponse - null | 
     Info | ActivationTask | doInBackground : END result.activationResult - PFPAWS_FAILED_NO_PEER_CERTIFICATE | 
     Error | ActivationTask | Activation Result = PFPAWS_FAILED_NO_PEER_CERTIFICATE | 
     Error | ActivationTask | Activation m_error = Server Error | 
     Error | NewMfaAccountFragment | onActivationFailed, reason = PFPAWS_FAILED_NO_PEER_CERTIFICATE |

    But browsing to the website from the browser on the Android device doesn't give any certificate errors, and the Digicert "test certificate" site shows the certificate is all OK.

    Not sure what else to check for as other posts related to Android are about a different error on the device or the error coming after consumption of the token.

    Thanks,

    Mark

    Wednesday, January 20, 2016 10:08 AM

Answers

  • Hello Mark,

    Greetings!

    We are pleased to answer your query. With regards to your query, the Android version of Azure Authenticator doesn't support SNI. You can work around it by configuring a fallback certificate as instructed at the blog "How to support non-SNI capable Clients with Web Application Proxy and AD FS 2012 R2".

    Hope this helps!

    Best Regards

    Kamalakar

    _____________________________________________________________________

    If a post answers your question, please click Mark As Answer on that post and Vote as Helpful.


    • Edited by Kamalakar Kamsani Thursday, January 21, 2016 1:01 PM
    • Marked as answer by markt32 Friday, January 22, 2016 11:36 AM
    Thursday, January 21, 2016 12:58 PM
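    The check below is an added example (it is not part of the thread and not Microsoft's tooling): it probes a published endpoint once with SNI and once without, the way the non-SNI Android client above connects, and classifies the outcome. A server that only has an SNI binding returns no certificate at all to a client that omits SNI, which is exactly the "No peer certificate" seen in the device log. It assumes OpenSSL 1.1.1 or later (for `-noservername`); `mfa.example.test` is a placeholder hostname.

```shell
#!/bin/sh
# Added example, not from the thread: probe a TLS endpoint as a non-SNI client
# (like the Android Authenticator described above) and as an SNI client, then
# classify the result. Hostname/port passed to sni_probe are placeholders.
set -e

# fingerprint_with_sni HOST PORT
# Connect sending SNI=HOST (what a browser does) and print the SHA-256
# fingerprint of the leaf certificate, or "none" if no certificate came back.
fingerprint_with_sni() {
  fp=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
       | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//')
  printf '%s\n' "${fp:-none}"
}

# fingerprint_without_sni HOST PORT
# Same connection with SNI suppressed (-noservername needs OpenSSL >= 1.1.1,
# which sends SNI by default otherwise).
fingerprint_without_sni() {
  fp=$(openssl s_client -connect "$1:$2" -noservername </dev/null 2>/dev/null \
       | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//')
  printf '%s\n' "${fp:-none}"
}

# diagnose_sni WITH_SNI_FP WITHOUT_SNI_FP
# Classify the pair of fingerprints. "no-fallback" is the condition that gives
# a non-SNI client "No peer certificate": the server has only an SNI binding.
diagnose_sni() {
  if [ "$1" = none ]; then
    echo "unreachable: no certificate even with SNI; check DNS, port and proxy first"
  elif [ "$2" = none ]; then
    echo "no-fallback: server presents a certificate only when SNI is sent"
  elif [ "$1" = "$2" ]; then
    echo "ok: same certificate with and without SNI"
  else
    echo "different: non-SNI clients get another certificate; check it is trusted and matches the hostname"
  fi
}

# sni_probe HOST PORT - run both connections and print the diagnosis.
sni_probe() {
  with=$(fingerprint_with_sni "$1" "$2")
  without=$(fingerprint_without_sni "$1" "$2")
  printf 'with SNI:    %s\nwithout SNI: %s\n' "$with" "$without"
  diagnose_sni "$with" "$without"
}

# Example invocation against a placeholder name (replace with the WAP-published
# MFA portal hostname):
# sni_probe mfa.example.test 443
```

    Run it from a machine that reaches the WAP-published name; a "no-fallback" result means the Android client will fail before any certificate trust decision is made. The workaround in the linked blog is a non-SNI (IP-based) HTTP.SYS binding, added with `netsh http add sslcert ipport=0.0.0.0:443 certhash=<thumbprint> appid={<guid>}` on the WAP and AD FS servers, after which the probe should report "ok" or "different"; in the "different" case the fallback certificate must itself chain to a CA the device trusts and cover the hostname.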

All replies

  • Hello Mark,


    We are working on the query and would get back to you soon on this. I apologize for the inconvenience and appreciate your time and patience in this matter.


    Best Regards,

    Kamalakar K

    Wednesday, January 20, 2016 8:13 PM
  • Hi Kamalakar,

    Thanks - followed the steps from the linked TechNet blog and configured a fallback certificate and it's all working now!

    • Proposed as answer by Pungami Wednesday, September 7, 2016 2:10 PM
    • Unproposed as answer by Pungami Wednesday, September 7, 2016 2:10 PM
    Friday, January 22, 2016 11:37 AM
  • Hi. Had this issue too. Checked for SNI on WAP etc., seemed configured OK. Turned out we didn't have the full chain imported with the certificate on the F5 load balancer VIP / Edge box in front of our Azure MFA IIS box. Once we imported the certificate with the full chain, we were all good. Combined Entrust Root, Intermediate1, Intermediate2 & site certificate into a text file and imported all together for the SSL client profile. Android didn't trust the certificate unless the full chain was part of it...
    Friday, October 21, 2016 8:09 AM