Month: January 2018

Query Supercell Clash of Clans API with PowerShell

This is a simple example of how to query the Clash of Clans API with PowerShell.

First, create your account at https://developer.clashofclans.com/#/

Second, generate a new key ($APIKey) for your IP address; the key only works from the address it was generated for.

Use the Documentation section to find the URL for the exact information you want to pull.

Get the clan members list:

# Get members
$APIkey = ""   # paste the key generated at developer.clashofclans.com
$url = "https://api.clashofclans.com/v1/clans/%239yQRPL2C/members"   # clan tag #9yQRPL2C, with "#" URL-encoded as %23
$headers = @{ Authorization = "Bearer $APIkey" }   # the header value is the word Bearer, a space, then the key
$membersList = Invoke-RestMethod -Uri $url -Headers $headers
$membersList
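The same query written a little more defensively, as an added example that is not part of the original post: the key is read from an environment variable instead of being pasted into the script, the clan tag is URL-encoded by code rather than by hand, and the failure cases you are most likely to hit (wrong key, a key generated for a different IP address, unknown clan) are reported in plain words. The environment variable name COC_API_KEY and the clan tag are placeholders.

```powershell
# Added example, not code from the original post.
# Assumptions: COC_API_KEY holds a key generated at developer.clashofclans.com for this
# machine's public IP address; the clan tag below is the one used in the post.
$apiKey  = $env:COC_API_KEY
$clanTag = '#9yQRPL2C'

if ([string]::IsNullOrWhiteSpace($apiKey)) {
    throw 'Set the COC_API_KEY environment variable before running this script.'
}

function Get-ClanMembers {
    param([string]$Tag, [string]$Key)
    # "#" is not valid in a URL path; EscapeDataString turns "#9yQRPL2C" into "%239yQRPL2C"
    $encodedTag = [uri]::EscapeDataString($Tag)
    $uri = "https://api.clashofclans.com/v1/clans/$encodedTag/members"
    $headers = @{
        Authorization = "Bearer $Key"    # "Bearer", a space, then the token
        Accept        = 'application/json'
    }
    try {
        $response = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
        return $response.items           # the API wraps the member list in an "items" array
    } catch {
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        switch ($status) {
            401     { throw '401 Unauthorized: the API key is missing or not valid.' }
            403     { throw "403 Forbidden: the key is valid but this client's IP address is not the one the key was generated for." }
            404     { throw "404 Not Found: no clan with tag $Tag." }
            default { throw "Request failed ($status): $($_.Exception.Message)" }
        }
    }
}

Get-ClanMembers -Tag $clanTag -Key $apiKey |
    Select-Object name, tag, role, expLevel, trophies |
    Sort-Object trophies -Descending |
    Format-Table -AutoSize
```

Keeping the key out of the script file means the file can be shared or checked in without also sharing the key; the 403 branch is the one to look at first when a key that worked on one machine stops working on another.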

 


ADFS – MSIS7012 and MSIS8006 errors

Issue symptom

Some federated users are not able to sign in to the Office 365 portal. The ADFS Admin log shows Event IDs 111 and 364 with the following error message:

Protocol Name:
wsfed

Relying Party:
urn:federation:MicrosoftOnline

Exception details:
Microsoft.IdentityServer.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> Microsoft.IdentityServer.Service.SecurityTokenService.ADAccountValidationException: MSIS8006: Query on Active Directory Account for identity 'XXX' returned empty attribute values.

There are two possible root causes of the issue (those I know about so far 😊).

1. The on-premises Active Directory user object, or the OU the user object is located in, has an ACL that prevents the ADFS service account from reading the user object's attributes (most likely the List Object permission is missing).

2. There is a problem with Domain Controller replication.

For the first one, establish the scope of the affected users, then try moving an affected user object to an unaffected OU and see whether the sign-in succeeds. Compare the OU ACLs of a working and a non-working OU and add the missing permissions.
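Two checks for the first root cause, as an added example that is not part of the original post. The first reads the user's attributes as the ADFS service account itself, so an ACL problem shows up as empty values in a console rather than as an MSIS8006 at sign-in; the second flattens the ACLs of a working and a non-working OU into comparable strings and prints only the entries that differ. The RSAT ActiveDirectory module is assumed to be installed, and the account, user and OU names are placeholders.

```powershell
# Added example, not code from the original post.
# Assumptions: ActiveDirectory module available; names below are placeholders.
Import-Module ActiveDirectory

$serviceAccount = 'CONTOSO\svc_adfs'                 # placeholder: the ADFS service account
$affectedUser   = 'jdoe'                             # placeholder: a user who gets MSIS8006
$workingOu      = 'OU=Sales,DC=contoso,DC=com'       # placeholder: its users sign in fine
$brokenOu       = 'OU=Marketing,DC=contoso,DC=com'   # placeholder: its users get MSIS8006

# Check 1: read the attributes Office 365 claims are usually issued from (UPN, mail,
# objectGUID / mS-DS-ConsistencyGuid) as the service account. Empty values here
# reproduce the "returned empty attribute values" symptom without a sign-in attempt.
$cred = Get-Credential -UserName $serviceAccount -Message 'ADFS service account password'
Get-ADUser -Identity $affectedUser -Credential $cred `
    -Properties userPrincipalName, mail, objectGUID, 'mS-DS-ConsistencyGuid' |
    Select-Object SamAccountName, userPrincipalName, mail, objectGUID, 'mS-DS-ConsistencyGuid'

# Check 2: diff the two OU ACLs. Each ACE becomes one line so Compare-Object can work on it;
# a missing "ListObject" right, or a Deny entry that covers one of the service account's
# groups, is what to look for on the non-working side.
function Get-OuAceStrings {
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        ForEach-Object {
            '{0} | {1} | {2} | {3} | inherited={4}' -f $_.IdentityReference, $_.AccessControlType,
                $_.ActiveDirectoryRights, $_.InheritanceType, $_.IsInherited
        } | Sort-Object -Unique
}

Compare-Object -ReferenceObject (Get-OuAceStrings $workingOu) -DifferenceObject (Get-OuAceStrings $brokenOu) |
    ForEach-Object {
        $where = if ($_.SideIndicator -eq '<=') { 'only on working OU' } else { 'only on non-working OU' }
        '{0,-24} {1}' -f $where, $_.InputObject
    }
```

Run the second check from a machine with RSAT while signed in as an account that can read both OUs; the ACE lines marked "only on working OU" are the candidates to add to the non-working OU.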

For the second one, start with this article, How To Diagnose Active Directory Replication Failures: https://support.microsoft.com/en-us/help/2498185/how-to-diagnose-active-directory-replication-failures

Mobile app authentication with Azure Multi-Factor Authentication Server – Error calling the local authentication service troubleshooting

A customer was configuring the mobile app authentication portal in his new MFA Server environment. One server held the MFA Server, MFA User Portal and Mobile App Web Service roles.

The official documentation was followed: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice

All the prerequisites were met:

  • the Azure Multi-Factor Authentication Web Service SDK was installed;
  • Web.Config in C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService was updated with the credentials of the correct service account (a member of the “PhoneFactor Admins” group);
  • the Web Service SDK URL value was updated;
  • an SSL certificate was bound to the Mobile App Web Service website in IIS;
  • the Mobile App Web Service URL was accessible from inside and outside the corporate network, with no SSL errors in the browser;
  • the mobile app settings were configured in the Azure Multi-Factor Authentication Server;
  • the MFA server was running the latest version, 7.3.0.3.

But when the user tried to activate the mobile Authenticator app on his iOS device via the MFA User Portal, he got the following error:

Error calling the local authentication service. Contact your local IT administrator to resolve the problem.


Trying the Google Authenticator application returned the following error:

Invalid barcode ‘phonefactor://activate_account?code=381470548&url=https%3a%2f%mfa.contoso.com%2fMultiFactorAuthMobileAppWebService’ is not a valid authentication token barcode. Try Again.


I decided to check the Mobile App Web Service URL using my old friend, Qualys SSL Labs.

The site was graded B because “This server’s certificate chain is incomplete”.

The intermediate CA certificate (usually supplied together with the SSL certificate you purchase, or downloadable from the Certificate Authority's support site) was installed on the MFA server (the one holding the IIS role), but the Authenticator application still threw “Error calling the local authentication service”.

As the next troubleshooting step, I made sure that the Mobile App Web Service host name, when resolved on the MFA server itself, points to the internal IP address of the MFA server.

After that, in IIS, I browsed to the Mobile App site, selected the TestPfWsSdkConnection link and, under the Test section, pressed Invoke, which returned the following error:

131 – Exception calling the Web Service SDK: The underlying connection was closed: An unexpected error occurred on a receive.

The System event log contained many Event ID 36871 entries: A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

It turned out that TLS 1.0 support was disabled on the server, and the MFA Web Service SDK requires it (this dependency should be removed in future MFA Server versions). As soon as TLS 1.0 was re-enabled on the server, users were able to configure their mobile Authenticator apps.
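A read-only check for the setting behind this failure, as an added example that is not part of the original post: it lists the Schannel client and server state of every SSL/TLS protocol on the server (so a disabled TLS 1.0 client side is visible before you touch anything) and pulls the most recent Event ID 36871 entries so their timestamps can be matched against the failed TestPfWsSdkConnection calls. The registry locations are the documented Schannel ones; the script changes nothing.

```powershell
# Added example, not code from the original post. Read-only.
# A protocol is off for a side when Enabled is 0 or DisabledByDefault is 1 under its
# Client/Server key; when neither value exists the OS default applies.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($proto in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $schannel "$proto\$side"
            $enabled           = 'not set (OS default)'
            $disabledByDefault = 'not set (OS default)'
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                if ($null -ne $props.Enabled)           { $enabled           = $props.Enabled }
                if ($null -ne $props.DisabledByDefault) { $disabledByDefault = $props.DisabledByDefault }
            }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

'Schannel protocol state on this server:'
Get-SchannelProtocolState | Format-Table -AutoSize

# The TLS client credential failures from the post (Event ID 36871, state 10013), newest first.
'Most recent Schannel 36871 events:'
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36871 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

The row to look at for this symptom is TLS 1.0 / Client: the MFA server is the TLS client when its SDK caller connects to the Web Service SDK, so the Client key, not the Server key, is the one the error refers to.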

RelayState support for AD FS 2016 in the mixed mode ADFS farm

You might experience issues with IdP-initiated RelayState if you are migrating from the AD FS 3.0 farm level to AD FS 2016 by gradually introducing AD FS 2016 servers into the farm (running the farm in mixed mode).

NOTE: mixed mode is not recommended for production; it was designed to make the transition from AD FS 3.0 to AD FS 2016 smoother.

You can view the AD FS Farm Behavior Level (FBL) by running the following command:

Get-AdfsProperties | Select CurrentFarmBehavior

A value of 1 indicates that the farm is at the Windows Server 2012 R2 FBL and a value of 3 indicates a Windows Server 2016 FBL.

At the Windows Server 2016 FBL you can enable RelayState support with the following command:

Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $True

You might also need to enable the IdpInitiatedSignOn page on each AD FS 2016 server; it is disabled by default.

Set-AdfsProperties -EnableIdpInitiatedSignonPage $True

But the two commands above will not work at the Windows Server 2012 R2 FBL.

If you have AD FS 2016 servers in an AD FS 3.0 farm (a farm in mixed mode), you have to use the C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe.Config file to enable RelayState support.

In the microsoft.identityServer.web section, add a line for useRelayStateForIdpInitiatedSignOn as follows, and save the change:

<microsoft.identityServer.web>
  <useRelayStateForIdpInitiatedSignOn enabled="true" />
</microsoft.identityServer.web>

NOTE: the 2018-01 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4057142) must be installed on each AD FS 2016 server for this to work (for some reason the update description does not mention the RelayState fix). Otherwise you will get the following errors after changing the config file and restarting the AD FS service.

Log Name:      AD FS/Admin
Source:        AD FS
Date:          1/18/2018 11:57:43 AM
Event ID:      383
Task Category: None
Level:         Error
Keywords:      AD FS
User:          XXX
Computer:      XXX
Description:
The Web request failed because the web.config file is malformed.
User Action:
Fix the malformed data in the web.config file.
Exception details:
MSIS2008: A configuration error has occurred in section 'microsoft.identityServer.web'.
Unrecognized element 'useRelayStateForIdpInitiatedSignOn'. (C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe.Config line 37)

 

And

Log Name:      AD FS/Admin
Source:        AD FS
Date:          1/18/2018 11:57:43 AM
Event ID:      102
Task Category: None
Level:         Error
Keywords:      AD FS
User:          XXX
Computer:      XXX
Description:
There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Additional Data
Exception details:
System.Configuration.ConfigurationErrorsException: MSIS2008: A configuration error has occurred in section 'microsoft.identityServer.web'. ---> System.Configuration.ConfigurationErrorsException: Unrecognized element 'useRelayStateForIdpInitiatedSignOn'. (C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe.Config line 37)
at System.Configuration.BaseConfigurationRecord.EvaluateOne(String[] keys, SectionInput input, Boolean isTrusted, FactoryRecord factoryRecord, SectionRecord sectionRecord, Object parentResult)
at System.Configuration.BaseConfigurationRecord.Evaluate(FactoryRecord factoryRecord, SectionRecord sectionRecord, Object parentResult, Boolean getLkg, Boolean getRuntimeObject, Object& result, Object& resultRuntimeObject)
at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
at System.Configuration.BaseConfigurationRecord.GetSection(String configKey)
at System.Configuration.ConfigurationManager.GetSection(String sectionName)
at Microsoft.IdentityServer.Configuration.ConfigurationSectionLoader`1.GetSection()
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Configuration.ConfigurationSectionLoader`1.GetSection()
at Microsoft.IdentityServer.Web.Configuration.FederationPassiveConfigurationSection.get_Current()
at Microsoft.IdentityServer.Web.PassiveProtocolListener.LoadProtocolHandlers()
at Microsoft.IdentityServer.Web.PassiveProtocolListener.InitializePipeline()
at Microsoft.IdentityServer.Web.PassiveProtocolListener.Start()
at Microsoft.IdentityServer.ServiceHost.STSService.OnStartInternal(Boolean requestAdditionalTime)
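The whole procedure in one script, as an added example that is not part of the original post: it reads the farm behavior level, uses the two Set-AdfsProperties switches at FBL 3, and at the 2012 R2 FBL checks that KB4057142 is present before adding the useRelayStateForIdpInitiatedSignOn element to the ServiceHost config with an XML parser (so the file cannot be left malformed) and restarting the service. It is meant to be run elevated on each AD FS 2016 server; the backup-file suffix is this script's own convention.

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumptions: run elevated on an AD FS 2016 server; the ADFS module is present;
# the config path and KB number are the ones given in the post.
$configPath = 'C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe.Config'
$requiredKb = 'KB4057142'

$fbl = (Get-AdfsProperties).CurrentFarmBehavior
"Current farm behavior level: $fbl  (1 = Windows Server 2012 R2, 3 = Windows Server 2016)"

if ($fbl -ge 3) {
    # Windows Server 2016 FBL: the supported switches work.
    Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
    'RelayState and the IdpInitiatedSignOn page enabled through Set-AdfsProperties.'
    return
}

# 2012 R2 FBL (mixed-mode farm): the config-file route. Without the cumulative update the
# element is rejected with MSIS2008 "Unrecognized element" (Event IDs 383 and 102) and the
# service does not start, so check for it first.
if (-not (Get-HotFix -Id $requiredKb -ErrorAction SilentlyContinue)) {
    throw "$requiredKb is not installed on $env:COMPUTERNAME; install it before editing $configPath."
}

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($configPath)
$section = $xml.SelectSingleNode('//microsoft.identityServer.web')
if ($null -eq $section) { throw "Section microsoft.identityServer.web not found in $configPath" }

$element = $section.SelectSingleNode('useRelayStateForIdpInitiatedSignOn')
if ($null -eq $element) {
    $element = $xml.CreateElement('useRelayStateForIdpInitiatedSignOn')
    $section.AppendChild($element) | Out-Null
}

if ($element.GetAttribute('enabled') -eq 'true') {
    'useRelayStateForIdpInitiatedSignOn is already enabled; nothing changed.'
} else {
    Copy-Item $configPath "$configPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"   # keep a copy to roll back to
    $element.SetAttribute('enabled', 'true')
    $xml.Save($configPath)
    Restart-Service adfssrv
    'Added <useRelayStateForIdpInitiatedSignOn enabled="true" /> and restarted the AD FS service.'
}
```

After the restart, check the AD FS/Admin log for Event IDs 383 and 102; their absence confirms the element was accepted, and the backup copy lets you revert if it was not.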

 

Azure Multi-Factor Authentication Server with ADFS – EventID 105 troubleshooting

One of my customers was following these instructions to configure Azure MFA Server to work with ADFS: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12

In his environment the MFA and ADFS roles were installed on separate servers (one MFA server and two ADFS servers with a SQL database).

After carefully completing the instructions, we saw the following errors in the ADFS Admin log once the ADFS adapter was installed and the ADFS service restarted.

Log Name:      AD FS/Admin
Source:        AD FS
Date:          1/17/2018 10:16:59 AM
Event ID:      105
Task Category: None
Level:         Error
Keywords:      AD FS
User:          XXX
Computer:      XXX
Description:
An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Identifier: AzureMfaServerAuthentication
Context: Passive protocol TLS pipeline

And

Log Name:      AD FS/Admin
Source:        AD FS
Date:          1/17/2018 10:16:59 AM
Event ID:      105
Task Category: None
Level:         Error
Keywords:      AD FS
User:          XXX
Computer:      XXX
Description:
An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Identifier: AzureMfaServerAuthentication
Context: Proxy TLS pipeline

During troubleshooting we performed the following steps:

  • made sure the Web Service SDK is installed on the MFA server;
  • checked that the Web Service SDK URL is accessible from the MFA server and from the ADFS servers using the account specified in the MultiFactorAuthenticationAdfsAdapter.config file (no SSL certificate errors);
  • confirmed that the user specified in the MultiFactorAuthenticationAdfsAdapter.config file is a member of the PhoneFactor Admins domain security group;
  • unregistered the ADFS adapter (this needs to be done on one ADFS server only), restarted the ADFS service (on all ADFS servers) and registered the adapter again (on one ADFS server); still the same Event ID 105 error.

As the next troubleshooting step we enabled the ADFS debug log (open Event Viewer, tick “Show Analytic and Debug Logs” under the View menu, go to Applications and Services Logs > AD FS Tracing, right-click the Debug log and select Enable Log).

After restarting the ADFS service again, we saw the following event in the Debug log.

Log Name:      AD FS Tracing/Debug
Source:        AD FS Tracing
Date:          1/17/2018 11:00:50 AM
Event ID:      183
Task Category: None
Level:         Error
Keywords:      ExternalAuthentication
User:          XXX
Computer:      XXX
Description:
ExternalAuthenticationHandler.OnAuthenticationPipelineLoad() exception: System.IO.InvalidDataException: Error parsing configuration data. ---> System.InvalidOperationException: There is an error in XML document (3, 6). ---> System.Xml.XmlException: Unexpected node type Element. ReadElementString method can only be called on elements with simple or empty content. Line 3, position 6.

Clearly something was wrong with the MultiFactorAuthenticationAdfsAdapter.config file.

So we copied a fresh copy of the file from the \Program Files\Multi-Factor Authentication Server directory on the MFA server to the ADFS server and carefully filled in the following fields:

UseWebServiceSdk
WebServiceSdkUrl
WebServiceSdkUsername
WebServiceSdkPassword

After that there were no errors in the ADFS Admin log, and MFA started working as the secondary authentication method!

Comparing the bad and good configuration files revealed the root of the issue 🙂

It was a missing “<” after the word true in the line <UseWebServiceSdk>true</UseWebServiceSdk>, accidentally deleted when the customer changed the value from “false” to “true”.

P.S. See my next post for other possible typos in the config file that cause a slightly different error in the ADFS Debug log.
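A validator for the adapter config that catches this class of typo before the adapter is registered, as an added example that is not part of the original post. It loads the file with a real XML parser, which reports the line and position of malformed markup the way Event ID 183 did (the DOM loader sees the missing “<” as a mismatched end tag), and then checks that the four fields listed above are present, hold a simple value and, for UseWebServiceSdk, read true or false. The sample file is constructed here to reproduce the missing “<”; its root element name and values are illustrative, only the four field names come from the post.

```powershell
# Added example, not code from the original post or from the MFA Server product.
function Test-MfaAdapterConfig {
    param([Parameter(Mandatory)][string]$Path)
    $required = 'UseWebServiceSdk', 'WebServiceSdkUrl', 'WebServiceSdkUsername', 'WebServiceSdkPassword'
    $problems = New-Object System.Collections.Generic.List[string]

    $xml = New-Object System.Xml.XmlDocument
    try {
        $xml.Load($Path)
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # PowerShell wraps .NET method exceptions
        if ($ex -is [System.Xml.XmlException]) {
            $problems.Add("malformed XML at line $($ex.LineNumber), position $($ex.LinePosition): $($ex.Message)")
        } else {
            $problems.Add("cannot load file: $($ex.Message)")
        }
        return [pscustomobject]@{ Path = $Path; Valid = $false; Problems = $problems }
    }

    foreach ($name in $required) {
        $node = $xml.SelectSingleNode("//$name")
        if ($null -eq $node) {
            $problems.Add("missing element <$name>")
        } elseif ($node.ChildNodes | Where-Object NodeType -eq 'Element') {
            # the ReadElementString failure from Event ID 183: a field that contains child elements
            $problems.Add("<$name> contains nested elements instead of a simple value")
        } elseif ([string]::IsNullOrWhiteSpace($node.InnerText)) {
            $problems.Add("empty value in <$name>")
        }
    }
    $sdk = $xml.SelectSingleNode('//UseWebServiceSdk')
    if ($sdk -and $sdk.InnerText.Trim() -notin 'true', 'false') {
        $problems.Add("<UseWebServiceSdk> must be 'true' or 'false', found '$($sdk.InnerText.Trim())'")
    }
    [pscustomobject]@{ Path = $Path; Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample reproducing the typo from the post: the "<" before /UseWebServiceSdk> is missing.
$badSample = @'
<?xml version="1.0" encoding="utf-8"?>
<AdapterConfiguration>
  <UseWebServiceSdk>true/UseWebServiceSdk>
  <WebServiceSdkUrl>https://mfa.contoso.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx</WebServiceSdkUrl>
  <WebServiceSdkUsername>CONTOSO\svc_mfa</WebServiceSdkUsername>
  <WebServiceSdkPassword>placeholder</WebServiceSdkPassword>
</AdapterConfiguration>
'@
$tmp = Join-Path $env:TEMP 'MultiFactorAuthenticationAdfsAdapter.sample.config'
Set-Content -Path $tmp -Value $badSample -Encoding UTF8
Test-MfaAdapterConfig -Path $tmp | Format-List

# Against the real file on the ADFS server (path is a placeholder for your installation):
# Test-MfaAdapterConfig -Path 'C:\Program Files\Multi-Factor Authentication Server\MultiFactorAuthenticationAdfsAdapter.config'
```

Running this on the copied file before Register-MultiFactorAuthenticationAdfsAdapter turns a service restart plus a debug-log hunt into a one-line message naming the broken line.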

Hello Blog World!

Finally found some time and courage to start my IT blog.

I believe that during my 10+ years in IT I have gained some knowledge and experience that I hope to share via this blog, and hopefully some of the notes will help somebody one day.

Let the fun journey begin!

Sergii Cherkashyn