ADFS + Azure MFA with WAP PreAuthentication (HTTP Basic) not working

    Hello

    I have been trying for days to set up WAP pre-authentication for HTTP Basic with Azure MFA, without any success.

    Here is my configuration for Non Claims Aware Relying Party Trust:

    ADFS Config

    (the only difference is the identifier and name, but this should not matter, I guess)

    AlwaysRequireAuthentication   : False
    Enabled                       : True
    Identifier                    : {https://web.contoso.com}
    PublishedThroughProxy         : True
    IssuanceAuthorizationRules    :
    Name                          : Web
    Notes                         :
    ObjectIdentifier              : a4f7a483-44ef-e911-a829-005056aabcca
    ProxiedTrustedEndpoints       : {https://web.contoso.com/}
    AdditionalAuthenticationRules :
    AccessControlPolicyName       : Permit everyone and require MFA
    ClaimsProviderName            : {}
    AccessControlPolicyParameters :
    ResultantPolicy               : RequireFreshAuthentication:False
    IssuanceAuthorizationRules    :
                                    {
                                      Permit users
                                        and when authentication includes MFA
                                    }


    Here is the WAP Config:

    Add-WebApplicationProxyApplication `
        -BackendServerUrl 'https://web.contoso.com' `
        -ExternalCertificateThumbprint 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' `
        -ExternalUrl 'https://web.contoso.com' `
        -Name 'WAP Web' -ExternalPreAuthentication ADFSforRichClients `
        -ADFSRelyingPartyName 'Web'

    When I now enter the URL https://web.contoso.com, "Forms Authentication" (for Extranet) comes up, asking for username and password. But then, instead of authenticating through the Microsoft Authenticator app, I instantly receive an HTTP ERROR 500.

    The following entries are in the Event Log/Security:

    Audit Success, Event ID 1202:

    The Federation Service validated a new credential. See XML for details. 
    
    Activity ID: 634bb76b-a44d-4ff1-1301-0080000000f9 
    
    Additional Data 
    XML: <?xml version="1.0" encoding="utf-16"?>
    <AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FreshCredentialAudit">
      <AuditType>FreshCredentials</AuditType>
      <AuditResult>Success</AuditResult>
      <FailureType>None</FailureType>
      <ErrorCode>N/A</ErrorCode>
      <ContextComponents>
        <Component xsi:type="ResourceAuditComponent">
          <RelyingParty>http://adfs.contoso.com/adfs/services/trust</RelyingParty>
          <ClaimsProvider>AD AUTHORITY</ClaimsProvider>
          <UserId>contoso\testuser</UserId>
        </Component>
        <Component xsi:type="AuthNAuditComponent">
          <PrimaryAuth>N/A</PrimaryAuth>
          <DeviceAuth>false</DeviceAuth>
          <DeviceId>N/A</DeviceId>
          <MfaPerformed>false</MfaPerformed>
          <MfaMethod>N/A</MfaMethod>
          <TokenBindingProvidedId>false</TokenBindingProvidedId>
          <TokenBindingReferredId>false</TokenBindingReferredId>
          <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>
        </Component>
        <Component xsi:type="ProtocolAuditComponent">
          <OAuthClientId>N/A</OAuthClientId>
          <OAuthGrant>N/A</OAuthGrant>
        </Component>
        <Component xsi:type="RequestAuditComponent">
          <Server>http://adfs.contoso.com/adfs/services/trust</Server>
          <AuthProtocol>MSISActive</AuthProtocol>
          <NetworkLocation>Extranet</NetworkLocation>
          <IpAddress>172.16.11.4</IpAddress>
          <ForwardedIpAddress>172.16.11.4</ForwardedIpAddress>
          <ProxyIpAddress>N/A</ProxyIpAddress>
          <NetworkIpAddress>N/A</NetworkIpAddress>
          <ProxyServer>WAP</ProxyServer>
          <UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36</UserAgentString>
          <Endpoint>https://web.contoso.com/</Endpoint>
        </Component>
      </ContextComponents>
    </AuditBase>

    Audit Success, Event ID 1202:

    The Federation Service issued a valid token. See XML for details. 
    
    Activity ID: 634bb76b-a44d-4ff1-1301-0080000000f9 
    
    Additional Data 
    XML: <?xml version="1.0" encoding="utf-16"?>
    <AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit">
      <AuditType>AppToken</AuditType>
      <AuditResult>Success</AuditResult>
      <FailureType>None</FailureType>
      <ErrorCode>N/A</ErrorCode>
      <ContextComponents>
        <Component xsi:type="ResourceAuditComponent">
          <RelyingParty>urn:AppProxy:com</RelyingParty>
          <ClaimsProvider>AD AUTHORITY</ClaimsProvider>
          <UserId>contoso\testuser</UserId>
        </Component>
        <Component xsi:type="AuthNAuditComponent">
          <PrimaryAuth>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</PrimaryAuth>
          <DeviceAuth>false</DeviceAuth>
          <DeviceId>N/A</DeviceId>
          <MfaPerformed>false</MfaPerformed>
          <MfaMethod>N/A</MfaMethod>
          <TokenBindingProvidedId>false</TokenBindingProvidedId>
          <TokenBindingReferredId>false</TokenBindingReferredId>
          <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>
        </Component>
        <Component xsi:type="ProtocolAuditComponent">
          <OAuthClientId>N/A</OAuthClientId>
          <OAuthGrant>N/A</OAuthGrant>
        </Component>
        <Component xsi:type="RequestAuditComponent">
          <Server>http://adfs.contoso.com/adfs/services/trust</Server>
          <AuthProtocol>MSISActive</AuthProtocol>
          <NetworkLocation>Extranet</NetworkLocation>
          <IpAddress>172.16.11.4</IpAddress>
          <ForwardedIpAddress>172.16.11.4</ForwardedIpAddress>
          <ProxyIpAddress>N/A</ProxyIpAddress>
          <NetworkIpAddress>N/A</NetworkIpAddress>
          <ProxyServer>WAP</ProxyServer>
          <UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36</UserAgentString>
          <Endpoint>https://web.contoso.com/</Endpoint>
        </Component>
      </ContextComponents>
    </AuditBase>

    Audit Failure, Event ID 1201:

    The Federation Service failed to issue a valid token. See XML for failure details. 
    
    Activity ID: 634bb76b-a44d-4ff1-1301-0080000000f9 
    
    Additional Data 
    XML: <?xml version="1.0" encoding="utf-16"?>
    <AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit">
      <AuditType>AppToken</AuditType>
      <AuditResult>Failure</AuditResult>
      <FailureType>IssuanceDelegationError</FailureType>
      <ErrorCode>N/A</ErrorCode>
      <ContextComponents>
        <Component xsi:type="ResourceAuditComponent">
          <RelyingParty>urn:AppProxy:com</RelyingParty>
          <ClaimsProvider>AD AUTHORITY</ClaimsProvider>
          <UserId>contoso\testuser</UserId>
        </Component>
        <Component xsi:type="AuthNAuditComponent">
          <PrimaryAuth>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</PrimaryAuth>
          <DeviceAuth>false</DeviceAuth>
          <DeviceId>N/A</DeviceId>
          <MfaPerformed>false</MfaPerformed>
          <MfaMethod>N/A</MfaMethod>
          <TokenBindingProvidedId>false</TokenBindingProvidedId>
          <TokenBindingReferredId>false</TokenBindingReferredId>
          <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>
        </Component>
        <Component xsi:type="ProtocolAuditComponent">
          <OAuthClientId>N/A</OAuthClientId>
          <OAuthGrant>N/A</OAuthGrant>
        </Component>
        <Component xsi:type="RequestAuditComponent">
          <Server>http://adfs.contoso.com/adfs/services/trust</Server>
          <AuthProtocol>MSISActive</AuthProtocol>
          <NetworkLocation>Extranet</NetworkLocation>
          <IpAddress>172.16.11.4</IpAddress>
          <ForwardedIpAddress>172.16.11.4</ForwardedIpAddress>
          <ProxyIpAddress>N/A</ProxyIpAddress>
          <NetworkIpAddress>N/A</NetworkIpAddress>
          <ProxyServer>WAP</ProxyServer>
          <UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36</UserAgentString>
          <Endpoint>https://web.contoso.com/</Endpoint>
        </Component>
      </ContextComponents>
    </AuditBase>

    The following is in "Applications and Services Logs - AD FS - Admin":

    Error, Source AD FS, Event ID 521

    The request for the relying party token resulted in a failure. 
    
    Authentication information:  
    The client was authenticated using the client certificate with thumbprint 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' and subject 'CN=ADFS ProxyTrust - DE-SRV-WAP01'. 
    
    HTTP method: 
    Post 
    
    Username:  
    contoso\testuser 
    
    Password presented:  
    True 
    
    Realm: 
    urn:AppProxy:com 
    
    Application realm:  
    a4f7a483-44ef-e911-a829-005056aabcca 
    
    Device registration certificate thumbprint:  
    <null> 
    
    User certificate thumbprint:  
    <null> 
    
    Error information: 
    MSIS5007: The caller authorization failed for caller identity contoso\testuser for relying party trust https://web.contoso.com. 
    
    User action: 
    Examine the request and verify that at least one of the following parameter sets are present. 
      Username and password 
      Username, password, and device registration certificate 
      User certificate

    The following is in "Applications and Services Logs - AD FS Tracing - Debug":

    Error, Source AD FS Tracing, Event ID 107

    RelyingPartyTokenHandler.ProcessPostRequest: SecurityTokenValidationException thrown.
     AppliesTo: https://web.contoso.com
     CallerIdentity: contoso\testuser
     Message: MSIS5007: The caller authorization failed for caller identity contoso\testuser for relying party trust https://web.contoso.com.


    The Azure MFA plugin is installed and working properly for other claims-aware relying party trusts, so I guess ADFS + Azure MFA is not the issue.

    Also, if I set the IssuanceAuthorizationRule to "Permit User" (without MFA), "Forms Authentication" comes up and I can log in without any issue.

    I have been trying for days to find the issue, but I really have no idea; I would be glad if someone could give me a hint!

    Thanks a lot in advance.


    Wednesday, October 16, 2019 12:34 PM
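As an added example (not part of the original post), a Python triage script that parses AD FS 1202/1201 audit XML of the shape shown above, groups the events by Activity ID and reports, per chain, the AuthProtocol, whether any event recorded MfaPerformed=true, and the FailureType values seen. The sample events are constructed from the post's XML and reduced to the fields the script reads; the field names are the ones in the post.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")  # Event Viewer pastes declare encoding="utf-16", which ElementTree rejects on str input

def parse_audit(xml_text):
    """Pull the MFA-relevant fields out of one AuditBase blob (event 1201/1202)."""
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1))
    rec = {"type": root.findtext("AuditType"), "result": root.findtext("AuditResult"),
           "failure": root.findtext("FailureType"), "mfa_performed": False}
    for comp in root.iter("Component"):
        kind = comp.get(XSI_TYPE)
        if kind == "ResourceAuditComponent":
            rec["relying_party"] = comp.findtext("RelyingParty")
            rec["user"] = comp.findtext("UserId")
        elif kind == "AuthNAuditComponent":
            rec["mfa_performed"] = comp.findtext("MfaPerformed") == "true"
        elif kind == "RequestAuditComponent":
            rec["protocol"] = comp.findtext("AuthProtocol")
    return rec

def triage(events):
    """events: iterable of (activity_id, xml_text). Summarise each Activity ID chain."""
    chains = defaultdict(list)
    for activity_id, xml_text in events:
        chains[activity_id].append(parse_audit(xml_text))
    return {aid: {
        "user": recs[0].get("user"),
        "protocol": recs[0].get("protocol"),
        "mfa_performed_anywhere": any(r["mfa_performed"] for r in recs),
        "failure_types": sorted({r["failure"] for r in recs if r["result"] == "Failure"}),
    } for aid, recs in chains.items()}
def _sample(xsi_type, audit_type, result, failure, rp, mfa):
    """Constructed sample shaped like the post's XML, reduced to the fields read above."""
    return f"""<?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="{xsi_type}">
  <AuditType>{audit_type}</AuditType><AuditResult>{result}</AuditResult><FailureType>{failure}</FailureType>
  <ContextComponents><Component xsi:type="ResourceAuditComponent"><RelyingParty>{rp}</RelyingParty><UserId>contoso\\testuser</UserId></Component>
    <Component xsi:type="AuthNAuditComponent"><MfaPerformed>{mfa}</MfaPerformed></Component>
    <Component xsi:type="RequestAuditComponent"><AuthProtocol>MSISActive</AuthProtocol></Component>
  </ContextComponents></AuditBase>"""
ACTIVITY = "634bb76b-a44d-4ff1-1301-0080000000f9"  # the Activity ID shared by the post's three events
SAMPLE_EVENTS = [  # constructed, mirroring the post's 1202 / 1202 / 1201 sequence
    (ACTIVITY, _sample("FreshCredentialAudit", "FreshCredentials", "Success", "None", "http://adfs.contoso.com/adfs/services/trust", "false")),
    (ACTIVITY, _sample("AppTokenAudit", "AppToken", "Success", "None", "urn:AppProxy:com", "false")),
    (ACTIVITY, _sample("AppTokenAudit", "AppToken", "Failure", "IssuanceDelegationError", "urn:AppProxy:com", "false")),
]
```

A chain whose summary shows a Failure with mfa_performed_anywhere still False is the pattern from the post: the RP demands MFA, but no event in the chain ever recorded an MFA step.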