MFA Relying Party Issue from O365.

  • Question

  • Hi Everyone,

    long time lurker first time poster.

    The issue that I am experiencing is the following error in the ADFS Admin logs, following a sign-on on my ADFS Server after a redirection from Office 365. What should happen is a subsequent redirect back to login.microsoft for Multi-factor authentication. The specific error is:

    Encountered error during federation passive request. 
    
    Additional Data 
    
    Protocol Name: 
    wsfed 
    
    Relying Party: 
    urn:federation:MicrosoftOnline 
    
    Exception details: 
    System.Exception: Exception calling SAS. ---> System.NullReferenceException: Object reference not set to an instance of an object.
       at Microsoft.IdentityServer.Adapter.AzureMfa.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Adapter.AzureMfa.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
       at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
       at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
    
    System.NullReferenceException: Object reference not set to an instance of an object.
       at Microsoft.IdentityServer.Adapter.AzureMfa.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
    

    I have a UAT or LAB environment which is working fine, but after building out production and importing configuration from ADFS 2.0 to my ADFS 2016 environment, I have the above. I am lost as to even where to begin looking. Any help would be appreciated. Many thanks.

    Thursday, November 2, 2017 9:41 AM

All replies

  • Hi,

    The Azure MFA adapter configuration file is as follows (for simplicity I’m using username and password, I imagine you’ll be using a certificate, but it’s unimportant for this particular issue):

    <ConfigurationData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <UseWebServiceSdk>true</UseWebServiceSdk>
        <WebServiceSdkUrl>https://mfa.abstractsynapse.com/MultiFactorAuthWebServiceSdk</WebServiceSdkUrl>
        <WebServiceSdkUsername>EMEA\svc-amfa</WebServiceSdkUsername>
        <WebServiceSdkPassword>YourPasswordGoesHere</WebServiceSdkPassword>
        <WebServiceSdkCertificateThumbprint></WebServiceSdkCertificateThumbprint>
    </ConfigurationData>

    Resolution:

    Enter the Web Service SDK URL correctly!

    You must remember to include pfwssdk.asmx in the WebServiceSdkUrl element, e.g.

    <WebServiceSdkUrl>https://mfa.abstractsynapse.com/MultiFactor

    Regards

    Saurabh


    Please remember to mark the solution as the answer using "Mark as Answer". If you find a solution to be helpful, please use "Vote as Helpful".



    • Edited by Saurabh_Y Thursday, January 11, 2018 6:28 AM
    Tuesday, January 9, 2018 9:43 AM
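
A pre-import check for the adapter configuration discussed in the answer above, as an added example that is not part of the thread or of any Microsoft tooling. The function name `Test-MfaAdapterConfig`, the host `mfa.example.test` and the thumbprint value are assumptions made for illustration; the first sample is the answer's configuration with its namespace attributes omitted.

```powershell
# Added example (not from the thread): lint an Azure MFA adapter config file.
function Test-MfaAdapterConfig {
    param([Parameter(Mandatory)][string]$XmlText)
    $cfg = ([xml]$XmlText).ConfigurationData
    $url = ([string]$cfg.WebServiceSdkUrl).Trim()
    $uri = $null
    # The adapter must be pointed at the SDK's .asmx endpoint, not its folder.
    if (-not [uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) {
        "WebServiceSdkUrl is not an absolute URL: '$url'"
    } else {
        if ($uri.Scheme -ne 'https') {
            "WebServiceSdkUrl is not https: '$url'"
        }
        $isAsmx = $uri.AbsolutePath.EndsWith('/pfwssdk.asmx', [System.StringComparison]::OrdinalIgnoreCase)
        if (-not $isAsmx) {
            "WebServiceSdkUrl does not end in pfwssdk.asmx: '$url'"
        }
    }
    # Username/password mode keeps a service-account password in clear text.
    $thumb = ([string]$cfg.WebServiceSdkCertificateThumbprint).Trim()
    if ($cfg.WebServiceSdkPassword -and -not $thumb) {
        'WebServiceSdkPassword is set and no certificate thumbprint is configured'
    }
}

# Configuration from the answer above (URL stops at the folder).
$posted = @'
<ConfigurationData>
    <UseWebServiceSdk>true</UseWebServiceSdk>
    <WebServiceSdkUrl>https://mfa.abstractsynapse.com/MultiFactorAuthWebServiceSdk</WebServiceSdkUrl>
    <WebServiceSdkUsername>EMEA\svc-amfa</WebServiceSdkUsername>
    <WebServiceSdkPassword>YourPasswordGoesHere</WebServiceSdkPassword>
    <WebServiceSdkCertificateThumbprint></WebServiceSdkCertificateThumbprint>
</ConfigurationData>
'@

# Constructed sample: placeholder host and thumbprint, certificate mode.
$fixed = @'
<ConfigurationData>
    <UseWebServiceSdk>true</UseWebServiceSdk>
    <WebServiceSdkUrl>https://mfa.example.test/MultiFactorAuthWebServiceSdk/pfwssdk.asmx</WebServiceSdkUrl>
    <WebServiceSdkCertificateThumbprint>PLACEHOLDER_THUMBPRINT</WebServiceSdkCertificateThumbprint>
</ConfigurationData>
'@

foreach ($sample in @{ posted = $posted; fixed = $fixed }.GetEnumerator()) {
    $findings = @(Test-MfaAdapterConfig -XmlText $sample.Value)
    "{0}: {1} finding(s)" -f $sample.Key, $findings.Count
    $findings | ForEach-Object { "  - $_" }
}
```

The posted configuration yields two findings (the URL without `pfwssdk.asmx`, and the clear-text password with no thumbprint); the constructed certificate-mode sample yields none.
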
  • Hi,

    Please feel free to mark it as answer if you find my contribution useful. That will encourage me - and others - to take time out to help you.


    Cheers,

    Saurabh


    Thursday, January 11, 2018 6:29 AM