ADFS 4.0 | MFA on secondary farm server

  • Question

  • Hello,

    I configured an ADFS 4.0 farm with two farm members with Multi-Factor Authentication enabled.

    All requests to the primary farm server are responding with the correct MFA response.

    If I re-route the requests to the secondary farm server, only the forms authentication gets triggered.

    I deployed the MFA provider to all farm members and installed it in the GAC.

    When restarting the FS service on the secondary server, the event log contains information about loading the MFA provider.


    • Edited by thepill1 Friday, February 3, 2017 9:38 AM
    Friday, February 3, 2017 9:38 AM

All replies

  • No one?

    If I update the secondary server to be the primary, it works....

    Tuesday, February 7, 2017 10:01 AM
  • Hi Thepill1

    My first thought is that maybe you have configured your MFA to work for external authentications only, and when you test against the second node you are connecting internally?

    What is your ADFS Additional Authentication Rule?

    How are you directing authentication attempts to individual farm members? Using a hosts file?

    Are the two farm members synchronizing?

    Are there any errors generated by the MFA provider? Is it a custom MFA that you have written yourself?

    Good Luck,

    Shane

    Tuesday, February 7, 2017 7:33 PM
    Moderator
  • Hi Shane,

    thanks for your answer. Where would I configure MFA for external/internal? I only enabled it on the Multi-Factor tab.

    The authentication rule is the built-in "Permit everyone and require MFA".

    I direct to the different farm members via an haproxy load balancer - but as I said, this can't be the problem, because if I disable the primary and redirect all traffic to the secondary it isn't working either.

    The farm members are synchronizing. Can't see any errors about my MFA provider. I've written it myself based on:

    https://blogs.technet.microsoft.com/cloudpfe/2014/10/26/using-time-based-one-time-passwords-for-multi-factor-authentication-in-ad-fs-3-0/

    Edit: For your information: it also isn't working if I use the built-in MFA providers like certificate authentication.

    • Edited by thepill1 Wednesday, February 8, 2017 10:07 AM Added hint
    Wednesday, February 8, 2017 7:06 AM
  • First you enable the MFA provider. This is step 1.

    Then you create the triggers for the MFA. You can do that with the MFA policies at farm level or at the application level.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, February 10, 2017 6:22 PM
    Owner
  • Hi Pierre,

    thanks for your answer, but the provider is enabled and, as I said, it is already working on the primary farm server. Am I missing something crucial?

    I should also mention that I'm using the application groups.
    • Edited by thepill1 Monday, February 13, 2017 12:44 PM
    Monday, February 13, 2017 12:42 PM
  • The provider gets loaded correctly (on both servers):

    An authentication provider was successfully loaded: Identifier: 'ADFS_TOTP.Provider', Context: 'Proxy device TLS pipeline'

    Monday, February 13, 2017 1:31 PM
  • Update:

    When I change the roles (primary, secondary) and start the ADFS management console, the application group exists but the applications are not shown:


    If I add the missing applications, I get an error that the identifier is already in use.

    Changing back the roles displays the application group correctly on the "old" primary server:

    Wednesday, February 15, 2017 11:09 AM
  • push
    Friday, February 24, 2017 3:27 PM
    So maybe the ADFS replication is just broken? If you create a test RPT on one node, do you see it on the second?

    Replication is using port 80 between ADFS nodes; is that open? Not conflicting with another service you added?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, March 3, 2017 4:03 PM
    Owner
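The checks Pierre asks for (farm role and last sync, the replication port, a test relying party trust that should appear on the other node) and the settings that decide whether MFA is triggered can all be read from PowerShell on each farm member. The script below is an added example, not code from the thread or from Microsoft; the test RPT name and identifier are constructed values, and only the ADFS cmdlets named in it are assumed to exist. Run it in an elevated PowerShell on each node and diff the output.

```powershell
# Added example (not from the thread): compare farm sync state and MFA trigger
# configuration on each ADFS 2016 farm member. Run elevated on every node.
Import-Module ADFS

# 1. Role of this node and when it last pulled configuration from the primary.
#    A stale LastSyncFromPrimary or a non-zero LastSyncStatus means replication is broken.
$sync = Get-AdfsSyncProperties
$sync | Select-Object Role, PrimaryComputerName, PrimaryComputerPort, LastSyncFromPrimary, LastSyncStatus

# 2. From a secondary, confirm the replication port (TCP 80 by default) is reachable.
if ($sync.Role -eq 'SecondaryComputer') {
    Test-NetConnection -ComputerName $sync.PrimaryComputerName -Port $sync.PrimaryComputerPort |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

# 3. Settings that decide whether a second-stage authentication is required, read on THIS node.
#    The same values must appear on every member; a difference confirms a sync problem.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object AdditionalAuthenticationProvider, PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule
Get-AdfsAuthenticationProvider | Select-Object Name

# 4. Application groups and their applications as this node sees them.
#    The thread reports the group replicating while its applications do not.
Get-AdfsApplicationGroup | Select-Object Name, ApplicationGroupIdentifier
Get-AdfsWebApiApplication | Select-Object Name, Identifier, AccessControlPolicyName

# 5. Replication test: the test RPT can only be created on the primary (secondaries are
#    read-only). 'ReplTest' and 'urn:repltest' are constructed placeholder values.
if ($sync.Role -eq 'PrimaryComputer') {
    if (-not (Get-AdfsRelyingPartyTrust -Name 'ReplTest')) {
        Add-AdfsRelyingPartyTrust -Name 'ReplTest' -Identifier 'urn:repltest'
    }
} else {
    # Run this branch on the secondary after the sync interval (default: 5 minutes).
    if (Get-AdfsRelyingPartyTrust -Name 'ReplTest') { 'ReplTest replicated' } else { 'ReplTest MISSING on secondary' }
}
```

If step 5 shows the test RPT missing on the secondary while the port test succeeds, the issue is the sync itself rather than the MFA provider; if it replicates but step 3 differs between nodes, compare the application-group objects from step 4 next. Remove the test RPT on the primary afterwards with `Remove-AdfsRelyingPartyTrust -TargetName 'ReplTest'`.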
  • Hi Pierre,

    I traced the authentication steps within the AD FS Tracing event log and am seeing some inconsistency:

    On both backends (tested separately) the following events are logged:

    1. 155 - Lists Second stage authDomain:AuthenticationMethods
    2. 155 - Provides in trace: FormsAuthentication
    3. 155 - MFA Claim Count: 0

    Moving on, there is the following difference:

    On my primary server there will be the events

    155 - EXIT: RequiresSecondStageAuthentication

    155 - Additional authentication required triggered by additional auth policy rules

    On the secondary server there is no such event. Instead it logs:

    155 - ENTER: IsStrongAuthPresentInToken


    • Edited by thepill1 Tuesday, April 18, 2017 2:18 PM
    Tuesday, April 18, 2017 2:17 PM
  • Hi Thepill1,

    I think your ADFS servers are not synchronising the database correctly. Try uninstalling ADFS from your second server and re-joining the farm.

    Or perhaps this is a bug with Application Groups. Try configuring MFA outside of the Application Group and make sure the configuration change replicates.

    Good Luck!

    Shane

    Wednesday, April 19, 2017 3:19 AM
    Moderator
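Pierre's two steps (enable the provider, then create the trigger) and Shane's suggestion to configure the trigger outside the application group both map to the farm-level authentication policy, which does not depend on application groups or access control policies at all. The script below is an added example, not code from the thread or from Microsoft: it uses the provider identifier `ADFS_TOTP.Provider` quoted from the thread's own event log line, a constructed placeholder relying party name, and the ADFS cmdlets it names are assumed to exist on Windows Server 2016.

```powershell
# Added example (not from the thread): configure the MFA trigger at farm level,
# outside any application group, and verify it replicates. Run on the PRIMARY
# farm member only; configuration writes fail on a secondary.
Import-Module ADFS

# Step 1 (Pierre): make sure the custom provider is enabled in the global policy.
# 'ADFS_TOTP.Provider' is the identifier from the thread's "successfully loaded" event.
$providerId = 'ADFS_TOTP.Provider'
$enabled    = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
if ($enabled -notcontains $providerId) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($enabled + $providerId)
}

# Step 2 (Pierre, farm level / Shane, outside the application group): a global
# additional authentication rule. With no condition before '=>' the rule issues the
# multipleauthn claim for every request, i.e. "require MFA for everyone".
$requireMfaForAll = @'
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
         Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $requireMfaForAll

# Alternative per relying party (still outside application groups): assign the built-in
# access control policy to a classic RPT. 'Contoso App' is a placeholder name.
# Set-AdfsRelyingPartyTrust -TargetName 'Contoso App' -AccessControlPolicyName 'Permit everyone and require MFA'

# Verification: read both settings back here, then run the same two lines on the
# secondary after the sync interval (default: 5 minutes). Identical output means the
# trigger replicated; if the secondary still shows an empty rule, the sync is the problem.
Get-AdfsAdditionalAuthenticationRule
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
```

Because the global rule applies to every relying party, use it as a diagnostic first: if the secondary starts prompting for MFA with this rule in place, the application-group policy was the part that failed to replicate, and the rule can be cleared again with `Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules ''`.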
  • Hi Shane,

    I already reinstalled the whole farm...

    Could you give me a hint how to configure MFA outside of an application group? What do you mean by that? I can only enable MFA in the general authentication settings and then via an access control policy.

    Wednesday, April 19, 2017 6:05 AM
  • On the primary node New-AdfsAzureMfaTenantCertificate is working.

    I have verified the second node and it does not. Error “System.Exception: Exception calling SAS. ---> System.Security.Cryptography.CryptographicException: Keyset does not exist”

    I have copied the tenant certificate and restarted, but it does not help.

    But for info, I did run “New-MsolServicePrincipalCredential“ on a different server, not on ADFS. Still investigating the issue.

    Tuesday, October 10, 2017 6:45 AM