ADFS 2019 w/ Azure MFA - Exception calling SAS (403) Forbidden

  • Question

  • We are looking to configure ADFS to use our Azure MFA so that users can log in using the codes generated by MFA.

    I followed the steps here: https://www.jasonsamuel.com/2019/04/16/how-to-use-microsoft-ad-fs-with-azure-mfa-as-primary-authentication-to-protect-user-passwords-or-take-your-company-completely-password-less/

    I do get the option to use Azure MFA when logging into the ADFS domain now, but it always fails.

    The ADFS site shows: 

    The event log on the server shows:

    Log Name:      AD FS/Admin
    Source:        AD FS
    Date:          10/22/2019 11:24:09 AM
    Event ID:      364
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          <CLEARED FOR SECURITY REASONS>
    Computer:      <CLEARED FOR SECURITY REASONS>
    Description:
    Encountered error during federation passive request. 
    
    Additional Data 
    
    Protocol Name: 
    Saml 
    
    Relying Party: 
    http://<FQDN>/adfs/services/trust 
    
    Exception details: 
    System.Exception: Exception calling SAS. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden.
       at System.Net.HttpWebRequest.GetResponse()
       at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
       at Microsoft.IdentityServer.Aad.Sas.RealSasProvider.GetAvailableAuthenticationMethods(GetAvailableAuthenticationMethodsRequest request)
       at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
       at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& outgoingClaims)
       at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandlerBase.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& adapterClaims)
       at Microsoft.IdentityServer.Web.Authentication.Azure.AzurePrimaryAuthenticationHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
    
    System.Net.WebException: The remote server returned an error: (403) Forbidden.
       at System.Net.HttpWebRequest.GetResponse()
       at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
       at Microsoft.IdentityServer.Aad.Sas.RealSasProvider.GetAvailableAuthenticationMethods(GetAvailableAuthenticationMethodsRequest request)
       at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
    
    
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS" Guid="{2ffb687a-1571-4ace-8550-47ab5ccae2bc}" />
        <EventID>364</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2019-10-22T16:24:09.093200500Z" />
        <EventRecordID>6723</EventRecordID>
        <Correlation ActivityID="{f087b630-fa06-4b55-1500-0080010000ec}" />
        <Execution ProcessID="3416" ThreadID="6288" />
        <Channel>AD FS/Admin</Channel>
        <Computer>ADFS.REMOVED.ORG</Computer>
        <Security UserID="S-1-5-21-276373328-123-390482200-234709" />
      </System>
      <UserData>
        <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>Saml</Data>
            <Data>http://removed.org/adfs/services/trust</Data>
            <Data>System.Exception: Exception calling SAS. ---&gt; System.Net.WebException: The remote server returned an error: (403) Forbidden.
       at System.Net.HttpWebRequest.GetResponse()
       at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
       at Microsoft.IdentityServer.Aad.Sas.RealSasProvider.GetAvailableAuthenticationMethods(GetAvailableAuthenticationMethodsRequest request)
       at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]&amp; outgoingClaims)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]&amp; outgoingClaims)
       at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]&amp; outgoingClaims)
       at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandlerBase.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]&amp; adapterClaims)
       at Microsoft.IdentityServer.Web.Authentication.Azure.AzurePrimaryAuthenticationHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
    
    System.Net.WebException: The remote server returned an error: (403) Forbidden.
       at System.Net.HttpWebRequest.GetResponse()
       at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
       at Microsoft.IdentityServer.Aad.Sas.RealSasProvider.GetAvailableAuthenticationMethods(GetAvailableAuthenticationMethodsRequest request)
       at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]&amp; outgoingClaims)
    
    </Data>
          </EventData>
        </Event>
      </UserData>
    </Event>

    I've looked into this a lot, but all the help I can find online is for when a server throws a 401: Unauthorized error. Any idea why I'd be seeing this particular error? 


    Tuesday, October 22, 2019 7:29 PM
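An added triage script, not part of the original post and not Microsoft's own tooling: run on the AD FS server, it pulls recent AD FS/Admin event 364 entries, extracts the HTTP status and reason from the inner WebException of the "Exception calling SAS" call (the shape shown in the event above), groups them by status and adapter path, and prints the local Azure MFA adapter state for comparison. It assumes an elevated session on AD FS 2016/2019 with the ADFS module available (Get-AdfsAzureMfaConfigured, Get-AdfsGlobalAuthenticationPolicy); the certificate subject filter `OU=Microsoft AD FS Azure MFA` is an assumption about how New-AdfsAzureMfaTenantCertificate names the tenant certificate, so adjust it if your store differs.

```powershell
# Added example (not from the original post): triage of AD FS/Admin event 364 entries that
# wrap a WebException from the Azure MFA adapter's call to the SAS endpoint.
# Assumes: elevated PowerShell on the AD FS 2016/2019 server with the ADFS module loaded.

# 1. Pull recent event 364 entries and keep only SAS call failures, with their HTTP status.
$pattern = 'Exception calling SAS\..*?The remote server returned an error: \((?<status>\d{3})\)\s*(?<reason>[^.\r\n]+)'

$sasFailures = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = [regex]::Match($_.Message, $pattern, [System.Text.RegularExpressions.RegexOptions]::Singleline)
        if ($m.Success) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ActivityId  = $_.ActivityId          # same value as <Correlation ActivityID> in the event XML
                Status      = [int]$m.Groups['status'].Value
                Reason      = $m.Groups['reason'].Value.Trim()
                # Adapter path that raised it; PrimaryAuthenticationAdapter means Azure MFA used as primary auth.
                Adapter     = if ($_.Message -match 'Adapter\.AzureMfa\.(\w+)') { $Matches[1] } else { 'unknown' }
            }
        }
    }

# 2. Summarise by status and adapter: a 401 and a 403 from SAS are different problems and
#    should not be chased with the same fix.
$sasFailures | Group-Object Status, Adapter | Select-Object Count, Name | Format-Table -AutoSize
$sasFailures | Sort-Object TimeCreated -Descending | Select-Object -First 5 | Format-Table -AutoSize

# 3. Local Azure MFA adapter state to compare against the failures.
$policy = Get-AdfsGlobalAuthenticationPolicy
[pscustomobject]@{
    AzureMfaConfigured = Get-AdfsAzureMfaConfigured
    PrimaryIntranet    = $policy.PrimaryIntranetAuthenticationProvider -join ','
    PrimaryExtranet    = $policy.PrimaryExtranetAuthenticationProvider -join ','
    Additional         = $policy.AdditionalAuthenticationProvider -join ','
} | Format-List

# 4. The tenant certificate the adapter presents to SAS. The subject filter is an assumption
#    about how New-AdfsAzureMfaTenantCertificate names it; a missing or expired one is worth knowing.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*OU=Microsoft AD FS Azure MFA*' } |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint
```

In plain HTTP terms a 401 from the SAS endpoint means the client's credential was not accepted at all, while a 403 means the request was understood and still refused; so when the summary shows 403s, the tenant and client registration that the adapter was set up with, and the certificate it presents (step 4), are the first things to check against what the event records, rather than the password or OATH code the user typed.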