Additional Authentication Rules invisible after reboot

  • Question

  • I guess someone else must have met this issue but I couldn't find anything out there.

    We have installed ADFS on Windows Server 2012 R2 to federate with O365. This works perfectly.

    Then we added some "Additional Authentication Rules" (Set-AdfsRelyingPartyTrust –TargetRelyingParty $rp –AdditionalAuthenticationRules "...") to skip MFA for some applications. This also works well.

    The issue is that after rebooting ADFS server these rules are not retrieved by Get-AdfsRelyingPartyTrust. They are still being executed since everything works as expected so they must be saved in the database but they cannot be managed with GUI or Powershell.

    I get the known following error if I try to reset these rules with Set-AdfsRelyingPartyTrust:

    "ADMIN0031: Configuring multiple policies of type 'StrongAuthentication' is not supported."

    I know that MS advises to recreate the whole RPT to solve this error: https://social.technet.microsoft.com/Forums/en-US/bf0ebb20-05c2-4632-b213-7b9b61c604b9/setadfsrelyingpartytrust-syntax-error-assistance?forum=ADFS

    But obviously you would run into the same issue when the server restarts after updates.

    So my question is: Do your additional authentication rules (if you created any from Powershell) become invisible after reboot?

    Wednesday, November 16, 2016 4:49 PM

All replies

  • I have never encountered that behavior before.

    I also tried it in my lab, both adding AdditionalAuthenticationRules via GUI and via PowerShell.

    # Claim rule as a PowerShell here-string: the closing "@ must start its own line.
    $add = @"
    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "<SID FOR DOMAIN USER>"]
    => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
    "@

    # Apply the rule to the relying party trust named testapp.
    Set-AdfsRelyingPartyTrust -TargetName testapp -AdditionalAuthenticationRules $add

    And rebooted between each change, after each reboot I still see the AdditionalAuthenticationRules when running
    Get-AdfsRelyingPartyTrust | select Name,AdditionalAuthenticationRules.

    What does the GUI look like? Is the application still listed as a Relying Party Trust with custom authentication settings?

    Wednesday, November 16, 2016 7:28 PM
  • The application was listed as Relying Party Trust but somehow it was under global authentication settings even though it had custom "Additional Authentication Rules".

    Anyway, I removed the Relying Party Trust completely and recreated it. Then set the "Additional Authentication Rules" via Powershell and it seems to be working fine even after reboot.

    Thanks

    Monday, November 21, 2016 7:08 AM
  • I just remembered that when I had this issue, before setting the custom "Additional Authentication Rules", there were "Additional Authentication Rules" in my global MFA policy already.

    This time I disabled all "Additional Authentication Rules" from the global MFA policy and then set them per Relying Party Trust.

    Monday, November 21, 2016 7:14 AM
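The situation the thread ends on, rules defined in the global MFA policy and on individual relying party trusts at the same time, can be audited before it causes trouble. The script below is an added example, not code from any poster in this thread; it assumes an elevated session on the primary AD FS server with the ADFS module available, and the function names Get-AdfsMfaRuleOverlap and Set-AdfsRptMfaRuleSafely are hypothetical names chosen here.

```powershell
# Added example, not code from the thread. Assumes an elevated session on the
# primary AD FS server with the ADFS module available (Windows Server 2012 R2+).
Import-Module ADFS

function Get-AdfsMfaRuleOverlap {
    # Reports relying party trusts that carry their own Additional Authentication
    # Rules while the global MFA policy also defines some (the state to avoid).
    $global = Get-AdfsAdditionalAuthenticationRule
    $globalSet = -not [string]::IsNullOrWhiteSpace($global)

    Get-AdfsRelyingPartyTrust |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_.AdditionalAuthenticationRules) } |
        ForEach-Object {
            [pscustomobject]@{
                RelyingParty   = $_.Name
                GlobalRulesSet = $globalSet
                Overlap        = $globalSet   # both policy layers define rules
                RuleText       = $_.AdditionalAuthenticationRules
            }
        }
}

function Set-AdfsRptMfaRuleSafely {
    # Applies per-RPT rules only when the global MFA policy defines none,
    # so the two layers are never combined. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $TargetName,
        [Parameter(Mandatory)] [string] $Rules
    )
    if (-not [string]::IsNullOrWhiteSpace((Get-AdfsAdditionalAuthenticationRule))) {
        throw "Global MFA policy still defines Additional Authentication Rules; clear them before setting per-RPT rules."
    }
    if ($PSCmdlet.ShouldProcess($TargetName, "Set AdditionalAuthenticationRules")) {
        Set-AdfsRelyingPartyTrust -TargetName $TargetName -AdditionalAuthenticationRules $Rules
        # Read back what was persisted; repeat this after a reboot to confirm the rules survive.
        Get-AdfsRelyingPartyTrust -Name $TargetName | Select-Object Name, AdditionalAuthenticationRules
    }
}

# Usage: the same claim-rule language as the lab snippet above; <SID FOR DOMAIN USER> is a placeholder.
$rules = @"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "<SID FOR DOMAIN USER>"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@
Get-AdfsMfaRuleOverlap | Format-Table RelyingParty, GlobalRulesSet, Overlap
Set-AdfsRptMfaRuleSafely -TargetName testapp -Rules $rules -WhatIf
```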