Issues with Azure MFA and ADFS

  • Question

  • I'm having issues with the ADFS plugin. Both of my systems work perfectly well on their own (ADFS and MFA), but when I try to have ADFS invoke MFA, the ADFS server is unable to initiate the MFA process (ADFS takes my credentials, then errors out on the MFA portion).  Logs have been quite useless.  Any suggestions? 
    Thursday, May 26, 2016 7:13 PM

Answers

  • OK,

    I figured this out.  It turns out that selecting an Additional Auth method for only a specific claim via PowerShell is not OK.  You need to actually check something (Azure MFA in my case) in the Global section (again Azure MFA); even though you are not applying any global MFA.


    • Marked as answer by kered248 Thursday, June 2, 2016 12:41 PM
    Thursday, June 2, 2016 12:41 PM
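The marked answer is easy to misread as "turn on MFA for everyone". What it actually says is that the adapter has to be enabled in the global Additional Authentication Methods list so that AD FS has a provider to hand to the policy evaluator; whether MFA is *required* is still decided by the additional authentication rules, which can stay empty globally and be set only on one relying party. The following is an added example, not code from the original thread, showing that split in PowerShell on the primary AD FS server. The provider name and relying-party display name are assumptions and must be checked against `Get-AdfsAuthenticationProvider` and `Get-AdfsRelyingPartyTrust` on your own farm.

```powershell
# Added example (not from the original thread). Run in an elevated session on the
# primary AD FS server. Assumptions, labelled:
#   $ProviderName - the name the MFA Server adapter registers under; confirm it with
#                   Get-AdfsAuthenticationProvider before running.
#   $RpName       - display name of the relying party trust that should demand MFA
#                   (the trust behind urn:federation:MicrosoftOnline in this thread).
Import-Module ADFS

$ProviderName = 'WindowsAzureMultiFactorAuthentication'   # assumption
$RpName       = 'Microsoft Office 365 Identity Platform'   # assumption

# 1. Is the adapter registered with AD FS at all? If not, nothing below can work.
$registered = Get-AdfsAuthenticationProvider | Where-Object Name -eq $ProviderName
if (-not $registered) {
    throw "Adapter '$ProviderName' is not registered; run Register-MultiFactorAuthenticationAdfsAdapter.ps1 first."
}

# 2. The cause in this thread: a per-RP rule asks for an additional authentication
#    method, but no provider is enabled in the *global* Additional Authentication
#    Methods list, so the evaluator finds nothing and logs event 364
#    "No strong authentication method found". Enabling the provider here only makes
#    it available; it does not by itself force MFA on any request.
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.AdditionalAuthenticationProvider -notcontains $ProviderName) {
    $providers = @($policy.AdditionalAuthenticationProvider | Where-Object { $_ }) + $ProviderName
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers
}

# 3. Keep the global rule set empty so no MFA is applied farm-wide ...
$globalRules = Get-AdfsAdditionalAuthenticationRule
if ($globalRules) {
    Write-Warning "Global additional authentication rules are set and will apply to every RP:`n$globalRules"
}

# 4. ... and trigger MFA only for this RP, and only for requests from outside the
#    corporate network (the insidecorporatenetwork claim is issued by AD FS itself).
$rpRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName $RpName -AdditionalAuthenticationRules $rpRule

# 5. Show the resulting state for the change record.
Get-AdfsGlobalAuthenticationPolicy | Select-Object AdditionalAuthenticationProvider
Get-AdfsRelyingPartyTrust -Name $RpName | Select-Object Name, AdditionalAuthenticationRules
```

Step 2 is the one the thread is about; steps 3 and 4 are what keep "checking the box in the Global section" from becoming global MFA. After the change, a sign-in to that RP from the extranet should hit the adapter, while intranet sign-ins and other RPs are unaffected.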

All replies

  • Hi,

    Thanks for posting the query here,

    I suggest you check this link on ExternalAuthenticationHandler.Process() exception: System.Net.WebException: The request failed with HTTP status 405: Method Not Allowed, where a similar MFA invocation failure was discussed.

    Let us know whether it helps you,

    Hope this helps you 

    Thanks & Regards

    Vijisankar.

    __________________________________________________________________________________________________

    If a post answers your question, please click Mark As Answer on that post and Vote as Helpful

    Disclaimer: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.
    • Edited by vijisankar Friday, May 27, 2016 3:18 PM
    Friday, May 27, 2016 2:50 PM
  • You need to provide some additional information from the log file.  Which version of MFA Server are you using?

    Santhosh Sivarajan | Houston, TX | www.sivarajan.com

    Friday, May 27, 2016 7:11 PM
  • I get these in the ADFS event log...


    Log Name:      AD FS/Admin
    Source:        AD FS
    Date:          5/27/2016 1:39:45 PM
    Event ID:      364
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          DOMAIN\ADFS_MSA
    Computer:      ADFS1.DOMAIN.com
    Description:
    Encountered error during federation passive request. 

    Additional Data 

    Protocol Name: 
    wsfed 

    Relying Party: 
    urn:federation:MicrosoftOnline 

    Exception details: 
    Microsoft.IdentityServer.RequestFailedException: No strong authentication method found for the request from urn:federation:MicrosoftOnline.
       at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
        <EventID>364</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2016-05-27T17:39:45.167138800Z" />
        <EventRecordID>28372</EventRecordID>
        <Correlation ActivityID="{00000000-0000-0000-5E00-0080000000F5}" />
        <Execution ProcessID="4504" ThreadID="5052" />
        <Channel>AD FS/Admin</Channel>
        <Computer>ADFS1.DOMAIN.com</Computer>
        <Security UserID="S-1-5-21-269168588-1529296069-1648912389-70236" />
      </System>
      <UserData>
        <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>wsfed</Data>
            <Data>urn:federation:MicrosoftOnline</Data>
            <Data>Microsoft.IdentityServer.RequestFailedException: No strong authentication method found for the request from urn:federation:MicrosoftOnline.
       at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean&amp; isLastStage, AuthenticationStage&amp; currentStage, Boolean&amp; strongAuthRequried)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    </Data>
          </EventData>
        </Event>
      </UserData>
    </Event>

    And…
    Log Name:      AD FS/Admin
    Source:        AD FS
    Date:          5/27/2016 1:39:45 PM
    Event ID:      364
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          DOMAIN\ADFS_MSA
    Computer:      ADFS1.DOMAIN.com
    Description:
    Encountered error during federation passive request. 

    Additional Data 

    Protocol Name: 
    msisHttpProtocol 

    Relying Party: 
    urn:AppProxy:com 

    Exception details: 
    Microsoft.IdentityServer.RequestFailedException: No strong authentication method found for the request from urn:AppProxy:com.
       at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
        <EventID>364</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2016-05-27T17:39:45.385884800Z" />
        <EventRecordID>28373</EventRecordID>
        <Correlation ActivityID="{3C1458DE-B781-0000-3259-143C81B7D101}" />
        <Execution ProcessID="4504" ThreadID="5052" />
        <Channel>AD FS/Admin</Channel>
        <Computer>ADFS1.DOMAIN.com</Computer>
        <Security UserID="S-1-5-21-269168588-1529296069-1648912389-70236" />
      </System>
      <UserData>
        <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>msisHttpProtocol</Data>
            <Data>urn:AppProxy:com</Data>
            <Data>Microsoft.IdentityServer.RequestFailedException: No strong authentication method found for the request from urn:AppProxy:com.
       at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean&amp; isLastStage, AuthenticationStage&amp; currentStage, Boolean&amp; strongAuthRequried)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    </Data>
          </EventData>
        </Event>
      </UserData>
    </Event>

    Friday, May 27, 2016 8:40 PM
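Both events posted above are event 364 from the AD FS/Admin channel, and the useful fields (protocol, relying party, exception) are the three `Data` elements under `UserData`. The following is an added example, not code from the original thread, that pulls those fields out of the event XML and groups the failures per relying party, so a farm with many RPs shows at a glance which trusts are asking for a strong method that AD FS cannot supply. The sample record is constructed here in the shape of the posted events; the live section at the end reads the real log with `Get-WinEvent`.

```powershell
# Added example (not from the original thread): parse AD FS/Admin event 364 records
# and summarise "No strong authentication method found" failures per relying party.
Import-Module ADFS -ErrorAction SilentlyContinue   # only needed for the live check at the end

function Parse-AdfsEvent364 {
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $ns.AddNamespace('a', 'http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events')
    # Event 364 carries three Data elements: protocol name, relying party, exception text.
    $data = $xml.SelectNodes('/e:Event/e:UserData/a:Event/a:EventData/a:Data', $ns)
    [pscustomobject]@{
        Time         = $xml.SelectSingleNode('/e:Event/e:System/e:TimeCreated/@SystemTime', $ns).Value
        Protocol     = $data[0].InnerText.Trim()
        RelyingParty = $data[1].InnerText.Trim()
        Error        = ($data[2].InnerText -split "`r?`n")[0].Trim()   # first line is the exception message
    }
}

# Constructed sample in the shape of the events posted above (not a real capture).
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
    <EventID>364</EventID>
    <TimeCreated SystemTime="2016-05-27T17:39:45.167138800Z" />
    <Channel>AD FS/Admin</Channel>
  </System>
  <UserData>
    <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>
        <Data>wsfed</Data>
        <Data>urn:federation:MicrosoftOnline</Data>
        <Data>Microsoft.IdentityServer.RequestFailedException: No strong authentication method found for the request from urn:federation:MicrosoftOnline.
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean&amp; isLastStage, AuthenticationStage&amp; currentStage, Boolean&amp; strongAuthRequried)</Data>
      </EventData>
    </Event>
  </UserData>
</Event>
'@
Parse-AdfsEvent364 $sampleXml | Format-List

# Live use on an AD FS server: last 24 hours of event 364, one row per RP/protocol pair.
$since = (Get-Date).AddDays(-1)
$live = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { Parse-AdfsEvent364 $_.ToXml() } |
    Where-Object Error -like '*No strong authentication method found*'
$live | Group-Object RelyingParty, Protocol | Select-Object Count, Name

# The message points at two things: a provider must be registered, and it must be
# enabled as a global additional authentication provider. Show both for comparison.
if ($live) {
    Get-AdfsAuthenticationProvider | Select-Object Name, AdminName
    (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
}
```

If the grouped output lists a relying party whose trust has `AdditionalAuthenticationRules` set while the provider list printed at the end is empty, that is the configuration the marked answer describes; if the provider list is populated but the adapter is missing from `Get-AdfsAuthenticationProvider`, the adapter was removed without being deselected (see the last reply in the thread).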
  • Hi,

    You need to install the AD FS Adapter standalone using the Web Service SDK. To do that, follow the steps below:

    1) Install the Web Service SDK on the server running Multi-Factor Authentication Server.
    2) Copy MultiFactorAuthenticationAdfsAdapterSetup64.msi, Register-MultiFactorAuthenticationAdfsAdapter.ps1, Unregister-MultiFactorAuthenticationAdfsAdapter.ps1, and MultiFactorAuthenticationAdfsAdapter.config from the \Program Files\Multi-Factor Authentication Server directory to the server you plan to install the AD FS Adapter on.
    3) Run MultiFactorAuthenticationAdfsAdapterSetup64.msi.
    4) In the Multi-Factor Authentication AD FS Adapter installer, click Next to perform the installation.
    5) Click Close when the installation has completed.
    6) Edit the MultiFactorAuthenticationAdfsAdapter.config file.

    For reference, see this documentation on Secure cloud and on-premises resources using Azure Multi-Factor Authentication Server with Windows Server 2012 R2 AD FS.

    Hope this helps you.

    Thanks & Regards

    Vijisankar.


    Friday, May 27, 2016 10:10 PM
  • Vijisankar,

    Indeed I have done all of those things, I have set the correct URL, as well as the user name and PW.  Here is my config file...

    <ConfigurationData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <UseWebServiceSdk>true</UseWebServiceSdk>
        <WebServiceSdkUrl>https://cloudMFA.XXXXX.com/mfa/PfWsSdk.asmx</WebServiceSdkUrl>
        <WebServiceSdkUsername>XXXXXX\PFUP_CloudMFA2</WebServiceSdkUsername>
        <WebServiceSdkPassword>XXXXXXXXXXXXX</WebServiceSdkPassword>
        <WebServiceSdkCertificateThumbprint></WebServiceSdkCertificateThumbprint>
        <AutomaticallyTriggerUserDefaultMethod>false</AutomaticallyTriggerUserDefaultMethod>
    </ConfigurationData>

    Also, I can verify that the URL is accessible from the ADFS server with the credentials provided in the config file (I used IE to logon to it from the ADFS).  Finally, not only have I registered the MFA using the PS script, as it clearly shows as an available MFA source, but I have since cycled all the ADFS servers in the farm.

    Regards,

    dgp

    Tuesday, May 31, 2016 2:32 PM
  • The "No strong authentication method found for the request" implies either that ADFS couldn't load an available adapter, or possibly that the MFA adapter couldn't return any methods for the user. Is the user that you are signing in with already registered in MFA Server? If not, do you have the "Allow user enrollment" and "Allow users to select method" settings enabled in the MFA Server's ADFS settings?
    • Marked as answer by kered248 Thursday, June 2, 2016 12:33 PM
    • Unmarked as answer by kered248 Thursday, June 2, 2016 12:33 PM
    Wednesday, June 1, 2016 10:32 PM
  • I've also experienced this error after reinstalling the MFA software.

    It turns out that uninstalling the ADFS adapter does not remove the authentication method in ADFS.

    You'll need to deselect it, then run Unregister-MultiFactorAuthenticationAdfsAdapter.ps1 (as admin) to remove it.

    After installation, run Register-MultiFactorAuthenticationAdfsAdapter.ps1 (also as admin) to register it again and select it again.

    Only after that did the MFA adapter start working again for us.

    Tuesday, March 7, 2017 10:06 AM
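The install steps in vijisankar's reply and the deselect/unregister/register cycle in the last reply are one procedure when run end to end, and the order matters: the global policy must stop referencing the provider before it is unregistered, or AD FS is left pointing at a method that no longer exists. The following is an added example, not code from the original thread, that runs that cycle in one elevated session on the primary AD FS server. The adapter directory, the provider name and the use of the standard `msiexec /qn` switch are assumptions; the two `.ps1` files are the ones that ship with MFA Server, not something written here. It also checks the config file before registering, because the posted config shows that the Web Service SDK credential is stored as a clear-text username and password unless the certificate-thumbprint option is used.

```powershell
# Added example (not from the original thread). Assumptions, labelled:
#   $AdapterDir   - folder holding the MSI, the two .ps1 files and the .config copied
#                   from \Program Files\Multi-Factor Authentication Server.
#   $ProviderName - name the adapter registers under; verify with Get-AdfsAuthenticationProvider.
#   msiexec /qn   - assumes the adapter MSI honours the standard silent-install switch.
Import-Module ADFS
$AdapterDir   = 'C:\MfaAdapter'                            # assumption
$ProviderName = 'WindowsAzureMultiFactorAuthentication'   # assumption
$ConfigPath   = Join-Path $AdapterDir 'MultiFactorAuthenticationAdfsAdapter.config'

# 1. Deselect first. Uninstalling the adapter leaves the method enabled in the global
#    policy, and a policy that references a provider that is gone produces the same
#    "No strong authentication method found" event 364 seen in this thread.
$policy    = Get-AdfsGlobalAuthenticationPolicy
$remaining = @($policy.AdditionalAuthenticationProvider | Where-Object { $_ -and $_ -ne $ProviderName })
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $remaining

# 2. Unregister the old provider with the script that ships with the adapter.
Set-Location $AdapterDir
if (Get-AdfsAuthenticationProvider | Where-Object Name -eq $ProviderName) {
    .\Unregister-MultiFactorAuthenticationAdfsAdapter.ps1
}

# 3. Reinstall the adapter, then sanity-check the config before registering it.
Start-Process msiexec.exe -ArgumentList '/i', (Join-Path $AdapterDir 'MultiFactorAuthenticationAdfsAdapterSetup64.msi'), '/qn' -Wait

[xml]$cfg = Get-Content $ConfigPath
$cd = $cfg.ConfigurationData
if ($cd.UseWebServiceSdk -ne 'true' -or -not $cd.WebServiceSdkUrl) {
    throw "Config at $ConfigPath has no Web Service SDK URL; edit it before registering."
}
# Caveat: with WebServiceSdkUsername/WebServiceSdkPassword set, the SDK credential is
# on disk in clear text. The config also accepts WebServiceSdkCertificateThumbprint;
# if you keep the password form, restrict the file ACL to Administrators and the
# AD FS service account.
if ($cd.WebServiceSdkPassword -and -not $cd.WebServiceSdkCertificateThumbprint) {
    Write-Warning "Web Service SDK password is stored in clear text in $ConfigPath"
}

# 4. Register again, select it again, and restart the service so the adapter loads.
#    Restarting adfssrv interrupts sign-ins on this node; do it in a maintenance window.
.\Register-MultiFactorAuthenticationAdfsAdapter.ps1
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($remaining + $ProviderName)
Restart-Service adfssrv
Get-AdfsAuthenticationProvider | Where-Object Name -eq $ProviderName | Select-Object Name, AdminName
```

Run it on the primary server only; secondary farm members pick the policy up through configuration sync, but each of them needs the MSI installed and the service restarted so the adapter assembly is present locally.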