Implementing ADFS 2016 with Azure Multi-Factor Authentication

  • Question

  • Hello gents,

    I have installed ADFS 2016 and configured a new application. There is a business requirement to use two factor authentication.

    Since we are licensed for Azure AD Premium, I decided to use Azure MFA as an additional authentication method.

    I have configured Azure MFA with ADFS 2016 using the following MS manual:

    https://docs.microsoft.com/he-il/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa

    Technically, Azure Multi-Factor Authentication is working, but it seems to be limited to a verification code from the MS authentication path?!

    When I choose Azure MFA as the authentication method, I only have the option to log in using a User Name and verification code. Why can't I use the AD password for authentication and then a verification code / authentication app / SMS / phone call?

    What did I miss in my configuration? Please help.

    Thursday, April 27, 2017 8:51 AM

Answers

  • Hello

    It sounds like you might have enabled Azure MFA as a Primary Authentication Method. As far as I know, in this scenario you will find that you are only prompted for a User Name and a Verification Code when you go to login.

    1. ADFS > Service > Authentication Methods > Edit Primary Authentication Methods
    2. Untick Azure MFA from the Extranet & Intranet options
    3. Go to the Multi-factor tab, select Azure MFA

    This will enable Azure MFA as an additional authentication method. You can then go to the Access Control Policy for your relying party or application and in the policy rules add "and require multi-factor authentication". You can do this for specific groups or from specific places, or you can do it for everyone.

    Sunday, April 30, 2017 2:19 AM
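    The same change as steps 1 to 3 above, done with the ADFS PowerShell module instead of the MMC console. This is an added example, not code from the answer or from Microsoft; it assumes the relying party is named "Contoso App" (a placeholder) and that the usual primary providers are Forms on the extranet and Forms plus Windows on the intranet. Adjust those to match the providers currently enabled on your farm, and run it on an ADFS server with the Azure MFA adapter already registered as per the linked manual.

```powershell
# Added example: move Azure MFA from a primary to an additional provider on ADFS 2016.
# Assumptions: relying party 'Contoso App' (placeholder); primary providers as shown.
Import-Module ADFS

# 1. Record the current policy so the change can be reviewed and rolled back.
$before = Get-AdfsGlobalAuthenticationPolicy
$before | Format-List PrimaryExtranetAuthenticationProvider,
                      PrimaryIntranetAuthenticationProvider,
                      AdditionalAuthenticationProvider

# 2. Remove Azure MFA from the primary providers (the AD password stays the first factor)
#    and register it as the additional, second-factor provider.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryExtranetAuthenticationProvider @('FormsAuthentication') `
    -PrimaryIntranetAuthenticationProvider @('FormsAuthentication', 'WindowsAuthentication') `
    -AdditionalAuthenticationProvider @('AzureMfaAuthentication')

# 3. Require the second factor per relying party with a built-in access control policy
#    rather than globally, so a misconfiguration affects one application only.
Set-AdfsRelyingPartyTrust -TargetName 'Contoso App' `
    -AccessControlPolicyName 'Permit everyone and require MFA'

# 4. Verify: Azure MFA must now appear only under AdditionalAuthenticationProvider.
$after = Get-AdfsGlobalAuthenticationPolicy
if ($after.PrimaryExtranetAuthenticationProvider -contains 'AzureMfaAuthentication' -or
    $after.PrimaryIntranetAuthenticationProvider -contains 'AzureMfaAuthentication') {
    Write-Warning 'Azure MFA is still a primary provider; users will only see username + code.'
}
(Get-AdfsRelyingPartyTrust -Name 'Contoso App').AccessControlPolicyName
```

    Keeping the output of step 1 matters: if Azure MFA was the only primary extranet provider, removing it without re-adding Forms locks every external user out until the policy is corrected.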

All replies

  • Hello,

    I reconfigured as you suggested and chose "require MFA" in the Access Control Policy. After that, when I entered the AD password, my application got stuck on "loading".

    As I understood from the System event log, some ports to Azure MFA are closed (that's strange, because everything was working for me with Azure MFA as Primary Authentication?!).

    Do you know which IPs and ports to open? I can't find an official MS post on it.

    Event log:

    Encountered error during federation passive request.

    Additional Data

    Protocol Name:
    OAuthAuthorizationProtocol

    Relying Party:

    Exception details:
    System.Exception: Exception calling SAS. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 40.77.21.104:443
       at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
       at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
       --- End of inner exception stack trace ---
       at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
       at System.Net.HttpWebRequest.GetRequestStream()
       at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
       at Microsoft.IdentityServer.Adapter.AzureMfa.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Adapter.AzureMfa.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
       at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
       at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 40.77.21.104:443
       at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
       at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
       --- End of inner exception stack trace ---
       at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
       at System.Net.HttpWebRequest.GetRequestStream()
       at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
       at Microsoft.IdentityServer.Adapter.AzureMfa.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)

    System.Net.Sockets.SocketException (0x80004005): A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 40.77.21.104:443
       at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
       at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)

    Sunday, April 30, 2017 7:29 AM
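    The stack trace above fails inside AuthenticationAdapter.IsAvailableForUser, i.e. the ADFS server itself cannot open TCP 443 to the Azure MFA service when it evaluates the additional factor (with Azure MFA as a primary provider the call path is different, which is why it appeared to work before). The following is an added troubleshooting check run on the ADFS server, not code from the reply or from Microsoft. The IP address is the one from the event log; the two hostnames are what I understand the ADFS 2016 Azure MFA adapter talks to and are assumptions to confirm against Microsoft's current Azure MFA documentation, since the service IPs behind them change over time.

```powershell
# Added example: check egress from the ADFS server to the Azure MFA service and
# correlate with the AD FS admin event in the reply above.
# Assumptions: hostnames below are the adapter's endpoints (confirm against Microsoft's
# current docs); 40.77.21.104 is taken from the event log in this thread.
$targets = @(
    'adnotifications.windowsazure.com',   # assumption: Azure MFA service endpoint
    'login.microsoftonline.com',          # assumption: Azure AD token endpoint
    '40.77.21.104'                        # IP from the SocketException in the event log
)

# Test TCP/443 from the ADFS server itself, not from a workstation: a 'False' here
# together with the error above points at an egress firewall or proxy rule.
foreach ($t in $targets) {
    $r = Test-NetConnection -ComputerName $t -Port 443 -WarningAction SilentlyContinue
    '{0,-40} TCP/443 reachable: {1}' -f $t, $r.TcpTestSucceeded
}

# ADFS runs as a service and ignores per-user proxy settings; if outbound traffic must
# go through a proxy, it has to be set at the WinHTTP level.
netsh winhttp show proxy

# Confirm the Azure MFA adapter is actually registered for the tenant on this node.
Get-AdfsAzureMfaConfigured

# Pull recent AD FS admin events carrying the same "Exception calling SAS" text so the
# failure can be matched to the time of the login attempt (this is ADFS event ID 364).
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 200 |
    Where-Object { $_.Message -like '*Exception calling SAS*' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

    Opening the firewall by hostname rather than by the single IP in the log is the durable fix; the address 40.77.21.104 is one of many behind the service and an allow rule pinned to it will break again the next time the service moves.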