Category: MFA Server

Azure Multi-Factor Authentication Server not sending emails out for new users

Recently I was troubleshooting an issue where no email was sent to new MFA Server users even though all the configuration seemed to be correct. See the following official documentation for more details.

Because the administrator was able to send the Update email to the end user, we ruled out an improper SMTP server configuration.

Per MFA server Help file: New Users – An email is sent to a user added that is enabled and complete (phone specified, mobile app activated, or OATH token secret key specified), or to an updated user that was either disabled or incomplete and is now enabled and complete.

Note: Emails are only sent when Send email to users is checked and the user’s email address is specified or their username is in email address format.

Confirmed that the new user has the “Send email” check box selected on the General tab of the user profile and that the email address is correct.

Also, by going to MFA UI – Email – Email Context, confirmed that all the New User templates have the correct email address specified in the From field.

Checked the SMTP server logs and did not see any send attempt from the MFA server for the New User email, only connections for the Update email being sent.

Time to check the MFA Server logs!

To make sure you are looking at the latest logs, go to MFA UI – Logging – View Log Files.

Looking at MultiFactorAuthAdSyncSvc.log, we saw the following error at the time the new user was added:

2018-03-07T18:20:20.006280Z|e|2960|4036|pfadssvc|***** ERROR ***** Error sending email to NewUser@domain.com: Access to the path ‘\\FileShare\public\MFA-Instructions\MFA-Guide.pdf’ is denied.

So the administrator had used the Attachment option to send additional instructions to new users, but the file share had access restrictions that prevented the MFA server's Local System account from reading this document.

The solution was either to move the MFA instruction files to the MFA server or to adjust the file share access permissions to allow Everyone to read the files.

Moral of the story: Read the manuals and logs, those are written by smart people 😊
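
An added example, not part of the original post: a small Python triage script that pulls failed notification emails out of MFA Server log lines in the layout of the line quoted above and flags attachments that sit on a UNC path. The meaning of the pipe-separated fields is inferred from that single line, and the informational sample line is constructed.

```python
import re

# Layout inferred from the single line quoted in the post (an assumption):
# timestamp|level|number|number|component|message, with "e" marking errors.
EMAIL_FAIL = re.compile(r"Error sending email to (?P<rcpt>[^\s:]+): (?P<reason>.*)")
PATH_DENIED = re.compile(r"Access to the path ['‘](?P<path>.+?)['’] is denied")


def email_failures(lines):
    """Return one dict per failed notification email found in the log lines."""
    findings = []
    for line in lines:
        parts = line.rstrip("\r\n").split("|", 5)
        if len(parts) != 6 or parts[1] != "e":
            continue  # not a record in the expected layout, or not an error
        hit = EMAIL_FAIL.search(parts[5])
        if not hit:
            continue
        denied = PATH_DENIED.search(hit["reason"])
        path = denied["path"] if denied else None
        findings.append({
            "time": parts[0],
            "component": parts[4],
            "recipient": hit["rcpt"],
            "reason": hit["reason"],
            "attachment": path,
            # A UNC attachment is read over the network by the service identity.
            "unc_attachment": bool(path) and path.startswith("\\\\"),
        })
    return findings


SAMPLE_LOG = [
    # Constructed non-error line (the "i" level marker is an assumption).
    "2018-03-07T18:20:19.000000Z|i|2960|4036|pfadssvc|constructed informational line",
    # The error quoted in the post, with straight quotes.
    r"2018-03-07T18:20:20.006280Z|e|2960|4036|pfadssvc|***** ERROR ***** "
    r"Error sending email to NewUser@domain.com: Access to the path "
    r"'\\FileShare\public\MFA-Instructions\MFA-Guide.pdf' is denied.",
]

if __name__ == "__main__":
    for f in email_failures(SAMPLE_LOG):
        print(f"{f['time']} {f['recipient']}: {f['reason']}")
        if f["unc_attachment"]:
            print(f"  check share/NTFS read access on {f['attachment']}")
```

A service running as Local System authenticates to a file share as the server's computer account, so read access for that account on the attachment is what the flagged path needs.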


Azure Multi-Factor Authentication Server with ADFS – EventID 105 troubleshooting. Part 2

You might already have checked for the EventID 105 error solution in my previous post.

This time the issue was similar: we followed the official instructions – https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12 – and when restarting the AD FS service we got EventID 105.

Looking at the ADFS Debug logs, we saw a new error:
Log Name:      AD FS Tracing/Debug
Source:        AD FS Tracing
Date:          3/6/2018 3:03:41 PM
Event ID:      183
Task Category: None
Level:         Error
Keywords:      ExternalAuthentication
User:          XXX
Computer:      XXX
Description:
OnAuthenticationPipelineLoad() exception: System.Exception: Error connecting to Multi-Factor Authentication service. —> System.Runtime.InteropServices.SEHException: External component has thrown an exception.
   at native.construct(construct_ret_t* , __MIDL_pfAgent_idl_0009 )
   at PfSvcClientClr.PfSvcClient.construct(ConstructTarget target, ConstructResult& result)
   at pfadfs.AuthenticationAdapter.ConnectToService(ConstructTarget constructTarget, Int32 lcid)
   — End of inner exception stack trace —
   at pfadfs.AuthenticationAdapter.ConnectToService(ConstructTarget constructTarget, Int32 lcid)
   at pfadfs.AuthenticationAdapter.OnAuthenticationPipelineLoad(IAuthenticationMethodConfigData configData)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandlerBase.

Looking more closely at the MultiFactorAuthenticationAdfsAdapter.config file, we noticed that the value of UseWebServiceSdk was True (capitalized), so we changed it to lowercase true and re-ran the Registration script, and there were no errors after the AD FS service restart.

Mobile app authentication with Azure Multi-Factor Authentication Server – Error calling the local authentication service troubleshooting

A customer was configuring the Mobile application authenticator portal in his new MFA server environment. One server was used to hold the MFA server, MFA User portal and mobile portal roles.

Official documentation was used – https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice

All the prerequisites were met:

  • Azure Multi-Factor Authentication Web Service SDK installed;
  • Web.Config in the C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService was updated with the correct Service Account (member of “PhoneFactor Admins” Group) credentials;
  • Web Service SDK URL value updated;
  • SSL certificate bound to the Mobile App Web Service website in IIS;
  • Mobile App Web Service URL was accessible from inside and outside of corporate network, no SSL errors in the browser;
  • the mobile app settings were configured in the Azure Multi-Factor Authentication Server;
  • MFA server is running latest version – 7.3.0.3.

But when the user tried to activate the Mobile Authenticator app on his iOS device via the MFA user portal, he was getting the following error:

Error calling the local authentication service. Contact your local IT administrator to resolve the problem.

Trying the Google Authenticator application returned the following error:

Invalid barcode ‘phonefactor://activate_account?code=381470548&url=https%3a%2f%mfa.contoso.com%2fMultiFactorAuthMobileAppWebService’ is not a valid authentication token barcode. Try Again.


Decided to check the Mobile App Web Service URL using my old friend – Qualys SSL Labs.

The site was graded as B because “This server’s certificate chain is incomplete”.

An intermediate CA certificate was installed (it’s usually provided with the SSL certificate you purchase or can be downloaded from the Certificate Authority support site) on the MFA server (holding the IIS role), but the Authenticator application was still throwing the “Error calling the local authentication service” error.

As the next troubleshooting step, made sure the Mobile App Web Service site host name resolves to the internal MFA server IP on the MFA server.

After that, browsed to the Mobile App site from IIS and selected the TestPfWsSdkConnection link, pressed the Invoke command under the Test section and got the following error:

131 – Exception calling the Web Service SDK: The underlying connection was closed: An unexpected error occurred on a receive.

Looking at the System Event logs, we saw a lot of EventID 36871 entries: “A fatal error occurred while creating a TLS client credential. The internal error state is 10013.”

It turned out that the server had TLS 1.0 protocol support disabled, and TLS 1.0 is required by the MFA Web SDK (this dependency should be removed in future MFA server versions). As soon as TLS 1.0 was enabled on the server, the users were able to configure their mobile Authenticator apps.

Azure Multi-Factor Authentication Server with ADFS – EventID 105 troubleshooting.

One of the customers was following these instructions to configure Azure MFA Server to work with ADFS – https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12

In his environment the MFA and ADFS roles were installed on separate servers (1 MFA and 2 ADFS servers with SQL database).

After carefully completing the instructions, we saw the following errors in the ADFS Admin logs once the ADFS adapter was installed and the ADFS service was restarted.

Log Name:      AD FS/Admin
Source:        AD FS
Date:          1/17/2018 10:16:59 AM
Event ID:      105
Task Category: None
Level:         Error
Keywords:      AD FS
User:          XXX
Computer:      XXX
Description:
An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Identifier: AzureMfaServerAuthentication
Context: Passive protocol TLS pipeline

And

Log Name:      AD FS/Admin
Source:        AD FS
Date:          1/17/2018 10:16:59 AM
Event ID:      105
Task Category: None
Level:         Error
Keywords:      AD FS
User:          XXX
Computer:      XXX
Description:
An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Identifier: AzureMfaServerAuthentication
Context: Proxy TLS pipeline

During troubleshooting, we performed the following steps:

  • Made sure the Web Service SDK is installed on MFA server;
  • The Web Service SDK URL is accessible from MFA server and from ADFS server with the account that is specified in the MultiFactorAuthenticationAdfsAdapter.config file (no SSL certificate errors);
  • User specified in the MultiFactorAuthenticationAdfsAdapter.config file is a member of the PhoneFactor Admins domain security group;
  • Unregistered the ADFS adapter (need to do this on one ADFS server), restarted ADFS service (all ADFS servers), registered ADFS adapter again (on one ADFS server) – still the same EventID 105 error;

As the next troubleshooting step, enabled the ADFS debug log (open Event Viewer – check “Show Analytic and Debug Logs” under the View menu – go to Applications and Services Logs – ADFS Tracing – right click on the Debug log and select Enable log).

After restarting the ADFS service again, saw the following event in the Debug logs.

Log Name:      AD FS Tracing/Debug
Source:        AD FS Tracing
Date:          1/17/2018 11:00:50 AM
Event ID:      183
Task Category: None
Level:         Error
Keywords:      ExternalAuthentication
User:          XXX
Computer:      XXX
Description:
ExternalAuthenticationHandler.OnAuthenticationPipelineLoad() exception: System.IO.InvalidDataException: Error parsing configuration data. —> System.InvalidOperationException: There is an error in XML document (3, 6). —> System.Xml.XmlException: Unexpected node type Element. ReadElementString method can only be called on elements with simple or empty content. Line 3, position 6.

Definitely something is wrong with the MultiFactorAuthenticationAdfsAdapter.config file.

So we decided to copy a new file from the \Program Files\Multi-Factor Authentication Server directory on the MFA server to the ADFS server and carefully filled in the following fields:

UseWebServiceSdk
WebServiceSdkUrl
WebServiceSdkUsername
WebServiceSdkPassword

After that no errors in the ADFS admin logs and MFA started working as secondary authentication method!

Comparing the Bad and Good configuration files discovered the root of the issue 🙂

It was a missing “<” after the word true in the line <UseWebServiceSdk>true</UseWebServiceSdk> that was accidentally deleted when the customer was changing the “false” value to “true”.

P.S. Check my new post for other possible typos in the config file that will cause slightly different error in the ADFS Debug logs.
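
An added example, not part of the original posts and not Microsoft's tooling: a Python pre-flight check for MultiFactorAuthenticationAdfsAdapter.config that catches both typos described on this page, the deleted “<” above and the capitalized True from the Part 2 post, before the adapter is registered and AD FS is restarted. The field names are the four listed above; the root element name and all values in the samples are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Field names are the four listed in the post. The root element name used in
# the constructed samples is an assumption; the checker does not depend on it.
FIELDS = ("UseWebServiceSdk", "WebServiceSdkUrl",
          "WebServiceSdkUsername", "WebServiceSdkPassword")
XML_BOOLEANS = {"true", "false", "1", "0"}  # XML booleans are case-sensitive


def check_adapter_config(text):
    """Return a list of problems; an empty list means no problem was found."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:  # e.g. a deleted "<" in a closing tag
        return [f"not well-formed XML: {exc}"]
    found = {el.tag.rsplit("}", 1)[-1]: el for el in root.iter()}
    problems = []
    for name in FIELDS:
        el = found.get(name)
        if el is None:
            problems.append(f"{name}: element missing")
        elif len(el):  # these fields must hold plain text only
            problems.append(f"{name}: contains nested elements")
    flag = found.get("UseWebServiceSdk")
    value = (flag.text or "").strip() if flag is not None else ""
    if flag is not None and value not in XML_BOOLEANS:
        problems.append(f"UseWebServiceSdk: {value!r} is not a valid XML "
                        "boolean, use lowercase true or false")
    url = found.get("WebServiceSdkUrl")
    if value in ("true", "1") and url is not None:
        # The posts reach the Web Service SDK over SSL, so expect https.
        if urlsplit((url.text or "").strip()).scheme != "https":
            problems.append("WebServiceSdkUrl: expected an https:// URL")
    return problems  # the password value is never echoed


# Constructed samples (not the customer's files).
GOOD = """<ConfigurationData>
  <UseWebServiceSdk>true</UseWebServiceSdk>
  <WebServiceSdkUrl>https://mfa.contoso.com/sdk</WebServiceSdkUrl>
  <WebServiceSdkUsername>CONTOSO\\svc-mfa</WebServiceSdkUsername>
  <WebServiceSdkPassword>placeholder</WebServiceSdkPassword>
</ConfigurationData>"""
MISSING_LT = GOOD.replace("true</Use", "true/Use")  # the deleted "<"
CAPITAL_TRUE = GOOD.replace(">true<", ">True<")     # the Part 2 typo

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("missing <", MISSING_LT),
                          ("True", CAPITAL_TRUE)):
        print(label, check_adapter_config(sample))
```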