ADFS 3.0 MFA will not work because IE will not prompt for Certificate

    Question

  • Hello

    I have the following problem. ADFS 3.0 is working pretty well in my environment.
    But when I enable "MFA" with certificates, the login accepts the first factor and prompts me to select a cert. Here is the problem: IE does not show any dialog to select the user certificate.

    Can't find anything in the logs.

    The site is in the Trusted Zone & the pop-up blocker is disabled.

    Thx for your help

    Daniel

    Wednesday, June 10, 2015 8:29 AM

Answers

  • Hello,

    Same problem. The root certificate was added on the server and the firewall is set up correctly. Clicking on the website to log in with a certificate will load and then abort. No error logs.

    Any solution?

    Kind Regards

    Andi

    [SOLVED] Port / Firewall Problem :(


    I am x500, I'm allowed to do that :)


    Wednesday, February 3, 2016 11:23 AM
  • It is mentioned that it was a firewall issue. Note that certificate-based authentication uses port 49443 in Windows Server 2012 R2 ADFS.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Thursday, May 19, 2016 1:22 PM
    Moderator

All replies

  • Hi Daniel,

    AFAIR IE will show the selection dialog only when you have > 2 certificates.

    Are you sure you have a correct certificate with logon purpose to be chosen? Is it software-issued (in the Local User store) or hardware-issued (on the smartcard)? 


    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

    Tuesday, June 16, 2015 12:24 AM
  • Daniel,

    I have the same issue.

    Were you able to resolve this?

    I have an Enterprise CA that issued a user cert (Personal, for Client Authentication). All legs of ADFS trust my root cert, yet when I try to use cert-based auth, I never get prompted and the auth fails (I just get "page cannot be displayed").

    Wednesday, July 1, 2015 5:48 PM
  • Hi kered248,

    Check if you have configured MFA with certificate authentication:

    1. Right-click on Authentication Policies - Edit Global Primary Authentication

    2. For extranet/intranet (depending on whether your client is located in the LAN or connecting through WAP) select Certificate Authentication

    3. Go to the Multi-Factor tab and select Certificate Authentication at the bottom

    Also, the TechNet ADFS requirements state that "In addition, if client user certificate authentication (clientTLS authentication using X509 user certificates) is required, AD FS in Windows Server 2012 R2 requires that TCP port 49443 be enabled inbound on the firewall between the clients and the Web Application Proxy. This is not required on the firewall between the Web Application Proxy and the federation servers)." Ref. https://technet.microsoft.com/en-us/library/dn554247.aspx?f=255&MSPPError=-2147217396


    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

    Saturday, July 18, 2015 1:15 PM
  • Hello,

    Have the same problem! And all prerequisites (authentication policies + port 49443) are OK!

    Thursday, August 13, 2015 1:50 PM
  • Hello Daniel,

    I have the same issue.

    Were you able to resolve this?

    thanks

    Thursday, August 13, 2015 1:51 PM
  • Oops, wanted to click "Reply"

    Have you checked that in ADFS console you have Certificate Authentication enabled in Edit Global Primary Authentication settings?

    Also:

    1. Certificates you want to use need to be logon certificates (signature) and not encryption types

    2. Can you try to issue 2 certificates (If you have only 1 maybe it is not shown?)

    3. Are the certificates expired? If yes, those will not be shown. Also you need to have a private key (that is rather obvious, right?) with your certificate

    4. Also, on the ADFS and WAP servers you need to add the Root and Issuing CA (I think Issuing CA only) certificates to the Trusted Root CA store of the local machine certificates MMC (certlm.msc)

    5. Try to use IE and Chrome (for me both work the same)


    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

    • Proposed as answer by Reittier Tuesday, November 10, 2015 9:30 AM
    Saturday, August 15, 2015 7:03 PM
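    The two checklists above (enable Certificate Authentication in the global policy, open TCP 49443 between clients and the WAP, put the CA chain in the machine Trusted Root store on ADFS and WAP, and make sure the client has an unexpired logon certificate with a private key) can be verified from PowerShell. The following script is an added example and is not code from any poster in this thread; `sts.example.com` and `CN=Contoso Issuing CA` are placeholders to replace with your own federation service name and CA subject, and the `Get-AdfsGlobalAuthenticationPolicy` / `Set-AdfsGlobalAuthenticationPolicy` cmdlets assume the ADFS module on a Windows Server 2012 R2 federation server.

```powershell
# Added example (not from the thread): verifies the items the replies above list.
# Run sections 1 and 2 on the ADFS / WAP servers, sections 3 and 4 on a client.
$FederationService = 'sts.example.com'      # placeholder: public name of your ADFS / WAP
$ClientCertPort    = 49443                  # port ADFS 2012 R2 uses for client-TLS auth
$CaSubjectFragment = 'CN=Contoso Issuing CA' # placeholder: subject of your root / issuing CA

# 1. ADFS server: is certificate authentication configured as a primary and/or
#    additional (MFA) provider in the global authentication policy?
$policy = Get-AdfsGlobalAuthenticationPolicy
[pscustomobject]@{
    PrimaryIntranet = ($policy.PrimaryIntranetAuthenticationProvider -join ',')
    PrimaryExtranet = ($policy.PrimaryExtranetAuthenticationProvider -join ',')
    AdditionalMFA   = ($policy.AdditionalAuthenticationProvider -join ',')
} | Format-List

if ($policy.AdditionalAuthenticationProvider -notcontains 'CertificateAuthentication') {
    Write-Warning 'CertificateAuthentication is not enabled as an additional (MFA) provider.'
    # Equivalent of step 3 in the reply above (uncomment to apply):
    # Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider CertificateAuthentication
}

# 2. ADFS and WAP servers: is the CA chain present in the machine Root / CA stores?
#    A non-domain-joined WAP does not receive the enterprise CA via Group Policy,
#    which is the situation that fixed the problem for one poster above.
$chain = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like "*$CaSubjectFragment*" }
if (-not $chain) {
    Write-Warning "No certificate matching '$CaSubjectFragment' in LocalMachine\Root or \CA."
} else {
    $chain | Select-Object PSParentPath, Subject, Thumbprint, NotAfter | Format-Table -AutoSize
}

# 3. Client (outside the firewall): is TCP 49443 reachable on the WAP?
#    Port 443 working while 49443 fails produces exactly the "page loads, then
#    aborts, no logs" symptom reported in the thread.
Test-NetConnection -ComputerName $FederationService -Port $ClientCertPort |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 4. Client: is there an unexpired certificate with a private key and the
#    Client Authentication EKU that the browser could offer?
$clientCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication')
    }
if (-not $clientCerts) {
    Write-Warning 'No usable client-authentication certificate in CurrentUser\My.'
} else {
    $clientCerts | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
}
```

Section 3 is the one to run from the same network the failing client sits on: a `TcpTestSucceeded` of `False` for 49443 while the normal 443 sign-in page loads points at the firewall rule the moderator mentions, not at ADFS itself. Section 4 only lists candidates; whether the browser shows a picker for a single matching certificate is a client-side behaviour and is discussed separately in the replies.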
  • Step 4

    "Also on ADFS and WAP servers you need to add Root and Issuing CA"

    fixed the same problem for me; I hadn't added the root CA cert to the non-domain-joined WAP. Now my browser asks for the certificate. Still doesn't continue logging on though. Still working on that issue.

    Tuesday, November 10, 2015 9:33 AM
  • Glad I could help :)

    Did my post help you or make you laugh? Don't forget to click the Helpful vote :) If I answered your question please mark my post as an Answer.

    Sunday, November 15, 2015 8:33 PM
  • Was anyone able to resolve this issue?
    Monday, January 25, 2016 3:32 AM
  • Did you get an answer to this?

    Thursday, May 12, 2016 5:17 PM