Tag: Error

Azure Multi-Factor Authentication Server not sending emails out for new users

Recently was troubleshooting the issue when no email is sent to the new MFA server users regardless all the configurations seems to be correct. See following official documentation for more details. 

Because Administrator was able to send the Update email to the end user, we excluded the improper SMTP server configuration.

Per MFA server Help file: New Users – An email is sent to a user added that is enabled and complete (phone specified, mobile app activated, or OATH token secret key specified), or to an updated user that was either disabled or incomplete and is now enabled and complete.

Note: Emails are only sent when Send email to users is checked and the user’s email address is specified or their username is in email address format.

Confirmed that the New user has “Send email” check box selected on the User profile General Tab and the email address is correct.


Also, by going to MFA UI – Email – Email Context confirmed all the New User templates have correct email address specified in the From field.

Checked the SMTP server logs and don’t see any email send attempt from MFA server for New User email, only connections for Update email to be send.

Time to check the MFA Server logs!

To make sure you are looking at the latest logs, go to MFA UI – Logging – View Log Files.

Looking at the MultiFactorAuthAdSyncSvc.log see following error correlating to the time when the new user was added:

2018-03-07T18:20:20.006280Z|e|2960|4036|pfadssvc|***** ERROR ***** Error sending email to NewUser@domain.com: Access to the path ‘\\FileShare\public\MFA-Instructions\MFA-Guide.pdf’ is denied.

So the Administrator used the Attachment option to send additional instructions to new users, but the File share had access restrictions preventing the MFA server Local System account reading this document.


Solution was to either move the MFA instructions files to the MFA server or adjust the file share access permissions to allow Everyone to read the files.

Morale of the story: Read the manuals and logs, those are written by smart people 😊

Mobile app authentication with Azure Multi-Factor Authentication Server – Error calling the local authentication service troubleshooting

Customer was configuring the Mobile application authenticator portal in his new MFA server environment. One server was used to hold MFA server, MFA User portal and mobile portal roles.

Official documentation was used – https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice

All the prerequisites were met:

  • Azure Multi-Factor Authentication Web Service SDK installed;
  • Web.Config in the C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService was updated with the correct Service Account (member of “PhoneFactor Admins” Group) credentials;
  • Web Service SDK URL value updated;
  • SSL certificate bind to Mobile App Web Service website in IIS;
  • Mobile App Web Service URL was accessible from inside and outside of corporate network, no SSL errors in the browser;
  • the mobile app settings were configured in the Azure Multi-Factor Authentication Server;
  • MFA server is running latest version –

But when the user tried to activate Mobile Authenticator app on his iOS device via MFA user portal he was getting following error:

Error calling the local authentication service. Contact your local IT administrator to resolve the problem.


Trying Google Authenticator application returned following error:

Invalid barcode ‘phonefactor://activate_account?code=381470548&url=https%3a%2f%mfa.contoso.com%2fMultiFactorAuthMobileAppWebService’ is not a valid authentication token barcode. Try Again.


Decided to check the Mobile App Web Service URL using my old friend – Qualys SSL Labs.

The site was graded as B because “This server’s certificate chain is incomplete”.

An intermediate CA certificate was installed (it’s usually provided with the SSL certificate you purchase or can be downloaded from Certificate Authority support site) on MFA server (holding IIS role), but the Authenticator application still was throwing the “Error calling the local authentication error”.

As next troubleshooting made sure the Mobile App Web Service site host name on the MFA server resolves to internal MFA server IP.

After that from IIS browsed to Mobile App site and selected the TestPfWsSdkConnection link, under the Test section pressed the Invoke command and got following error:

131 – Exception calling the Web Service SDK: The underlying connection was closed: An unexpected error occurred on a receive.

Looking at the System Event logs see a lot of EventID 36871A fatal error occurred while creating a TLS client credential. The internal error state is 10013.

It turned out that the server has TLS 1.0 protocol support disabled and that is required by MFA Web SDK (this dependency should be removed in future MFA server versions). As soon as the TLS 1.0 was enabled on the server, the users were able to configure their mobile Authenticator apps.