ADFS 2019 w/ Azure MFA - Exception calling SAS (403) Forbidden

Question
-
We are looking to configure ADFS to use our Azure MFA so that users can log in using the codes generated by MFA.
I followed the steps here: https://www.jasonsamuel.com/2019/04/16/how-to-use-microsoft-ad-fs-with-azure-mfa-as-primary-authentication-to-protect-user-passwords-or-take-your-company-completely-password-less/
I do get the option to use Azure MFA when logging into the ADFS domain now, but it always fails.
The ADFS site shows:
The event log on the server shows:
Log Name: AD FS/Admin
Source: AD FS
Date: 10/22/2019 11:24:09 AM
Event ID: 364
Task Category: None
Level: Error
Keywords: AD FS
User: <CLEARED FOR SECURITY REASONS>
Computer: <CLEARED FOR SECURITY REASONS>
Description:
Encountered error during federation passive request.

Additional Data
Protocol Name: Saml
Relying Party: http://<FQDN>/adfs/services/trust
Exception details:
System.Exception: Exception calling SAS. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
   at Microsoft.IdentityServer.Aad.Sas.RealSasProvider.GetAvailableAuthenticationMethods(GetAvailableAuthenticationMethodsRequest request)
   at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
   at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& outgoingClaims)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandlerBase.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& adapterClaims)
   at Microsoft.IdentityServer.Web.Authentication.Azure.AzurePrimaryAuthenticationHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

System.Net.WebException: The remote server returned an error: (403) Forbidden.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
   at Microsoft.IdentityServer.Aad.Sas.RealSasProvider.GetAvailableAuthenticationMethods(GetAvailableAuthenticationMethodsRequest request)
   at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS" Guid="{2ffb687a-1571-4ace-8550-47ab5ccae2bc}" />
    <EventID>364</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="2019-10-22T16:24:09.093200500Z" />
    <EventRecordID>6723</EventRecordID>
    <Correlation ActivityID="{f087b630-fa06-4b55-1500-0080010000ec}" />
    <Execution ProcessID="3416" ThreadID="6288" />
    <Channel>AD FS/Admin</Channel>
    <Computer>ADFS.REMOVED.ORG</Computer>
    <Security UserID="S-1-5-21-276373328-123-390482200-234709" />
  </System>
  <UserData>
    <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>
        <Data>Saml</Data>
        <Data>http://removed.org/adfs/services/trust</Data>
        <Data>System.Exception: Exception calling SAS. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
   at Microsoft.IdentityServer.Aad.Sas.RealSasProvider.GetAvailableAuthenticationMethods(GetAvailableAuthenticationMethodsRequest request)
   at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
   at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& outgoingClaims)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandlerBase.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& adapterClaims)
   at Microsoft.IdentityServer.Web.Authentication.Azure.AzurePrimaryAuthenticationHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
System.Net.WebException: The remote server returned an error: (403) Forbidden.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
   at Microsoft.IdentityServer.Aad.Sas.RealSasProvider.GetAvailableAuthenticationMethods(GetAvailableAuthenticationMethodsRequest request)
   at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
        </Data>
      </EventData>
    </Event>
  </UserData>
</Event>
I've looked into this a lot, but all the help I can find online is for when a server throws a 401: Unauthorized error. Any idea why I'd be seeing this particular error?
- Edited by Pierre Audonnet [MSFT] (Microsoft employee), Wednesday, October 23, 2019 1:55 AM: Removed Identifiable Information
Tuesday, October 22, 2019 7:29 PM
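As an added illustration (not code from this thread or from Microsoft), a small Python triage helper that parses the Event ID 364 text quoted above: it pulls out the HTTP status the Azure MFA SAS endpoint returned, the SAS call that failed and the adapter step that issued it, and counts failures per status so a run of one code (here 403) stands out when watching the AD FS/Admin log. The sample text is constructed from the event in the question; the function and class names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the Event ID 364 exception text quoted in the question,
# reduced to the frames that matter for triage.
SAMPLE_403 = (
    "System.Exception: Exception calling SAS. ---> System.Net.WebException: "
    "The remote server returned an error: (403) Forbidden. "
    "at System.Net.HttpWebRequest.GetResponse() "
    "at Microsoft.IdentityServer.Aad.Sas.RealSasProvider.GetAvailableAuthenticationMethods"
    "(GetAvailableAuthenticationMethodsRequest request) "
    "at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter"
    ".ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, "
    "Claim[]& outgoingClaims) --- End of inner exception stack trace ---"
)

STATUS_RE = re.compile(r"returned an error: \((\d{3})\)")
SAS_METHOD_RE = re.compile(r"RealSasProvider\.(\w+)\(")
ADAPTER_METHOD_RE = re.compile(r"PrimaryAuthenticationAdapter\.(\w+)\(")

@dataclass
class SasFailure:
    http_status: int               # status returned by the Azure MFA SAS endpoint
    sas_method: Optional[str]      # SAS call that failed
    adapter_method: Optional[str]  # adapter step that issued the call

def parse_sas_failure(description: str) -> Optional[SasFailure]:
    """Parse an Event 364 description; None when it is not an 'Exception calling SAS' error."""
    if "Exception calling SAS" not in description:
        return None
    status = STATUS_RE.search(description)
    if status is None:
        return None
    # Only the inner exception, before the marker, carries the SAS frames.
    inner = description.split("--- End of inner exception stack trace ---", 1)[0]
    sas = SAS_METHOD_RE.search(inner)
    adapter = ADAPTER_METHOD_RE.search(inner)
    return SasFailure(int(status.group(1)), sas.group(1) if sas else None, adapter.group(1) if adapter else None)

def tally_sas_failures(descriptions) -> Counter:
    """Count SAS failures per HTTP status so a burst of one code stands out."""
    counts = Counter()
    for text in descriptions:
        failure = parse_sas_failure(text)
        if failure is not None:
            counts[failure.http_status] += 1
    return counts
```

Feed it the Description field of exported Event 364 entries (for example from Get-WinEvent on the AD FS/Admin log) to separate the 403 case in this thread from the 401 case the existing guidance covers.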
Answers
-
I ended up having to completely rebuild the servers; we never were able to discern what caused this, but when I built a new set of ADFS servers (same OS, same patches, same domain) and transferred the data over, this error did not happen on the new ones.
- Marked as answer by CorinTack Thursday, February 27, 2020 2:38 PM
Thursday, February 27, 2020 2:37 PM
All replies
-
Any idea or news about this issue?
Thursday, February 27, 2020 2:30 PM