
Azure Multi-Factor Authentication Server with ADFS – EventID 105 troubleshooting. Part 2

You might already have checked for the EventID 105 error solution in my previous post.

This time the issue was similar: we followed the official instructions – https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12 – and when restarting the AD FS service we got EventID 105.

Looking at the AD FS Debug log, we saw a new error:
Log Name:      AD FS Tracing/Debug
Source:        AD FS Tracing
Date:          3/6/2018 3:03:41 PM
Event ID:      183
Task Category: None
Level:         Error
Keywords:      ExternalAuthentication
User:          XXX
Computer:      XXX
Description:
OnAuthenticationPipelineLoad() exception: System.Exception: Error connecting to Multi-Factor Authentication service. ---> System.Runtime.InteropServices.SEHException: External component has thrown an exception.
   at native.construct(construct_ret_t* , __MIDL_pfAgent_idl_0009 )
   at PfSvcClientClr.PfSvcClient.construct(ConstructTarget target, ConstructResult& result)
   at pfadfs.AuthenticationAdapter.ConnectToService(ConstructTarget constructTarget, Int32 lcid)
   --- End of inner exception stack trace ---
   at pfadfs.AuthenticationAdapter.ConnectToService(ConstructTarget constructTarget, Int32 lcid)
   at pfadfs.AuthenticationAdapter.OnAuthenticationPipelineLoad(IAuthenticationMethodConfigData configData)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandlerBase.

Looking more closely at the MultiFactorAuthenticationAdfsAdapter.config file, we noticed that the value of UseWebServiceSdk was True, so we changed it to true (lowercase) and re-ran the registration script. After that there were no errors when the AD FS service was restarted.


Azure Multi-Factor Authentication Server with ADFS – EventID 105 troubleshooting.

One of the customers was following these instructions to configure Azure MFA Server to work with ADFS – https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12

In his environment the MFA and ADFS roles were installed on separate servers (1 MFA and 2 ADFS servers with SQL database).

After carefully completing the instructions, we saw the following errors in the ADFS Admin log once the ADFS adapter was installed and the ADFS service was restarted.

Log Name:      AD FS/Admin
Source:        AD FS
Date:          1/17/2018 10:16:59 AM
Event ID:      105
Task Category: None
Level:         Error
Keywords:      AD FS
User:          XXX
Computer:      XXX
Description:
An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Identifier: AzureMfaServerAuthentication
Context: Passive protocol TLS pipeline

And

Log Name:      AD FS/Admin
Source:        AD FS
Date:          1/17/2018 10:16:59 AM
Event ID:      105
Task Category: None
Level:         Error
Keywords:      AD FS
User:          XXX
Computer:      XXX
Description:
An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Identifier: AzureMfaServerAuthentication
Context: Proxy TLS pipeline

During troubleshooting we performed the following steps:

  • Made sure the Web Service SDK is installed on the MFA server;
  • Checked that the Web Service SDK URL is accessible from the MFA server and from the ADFS server with the account that is specified in the MultiFactorAuthenticationAdfsAdapter.config file (no SSL certificate errors);
  • Checked that the user specified in the MultiFactorAuthenticationAdfsAdapter.config file is a member of the PhoneFactor Admins domain security group;
  • Unregistered the ADFS adapter (this needs to be done on one ADFS server), restarted the ADFS service (on all ADFS servers), and registered the ADFS adapter again (on one ADFS server) – still the same EventID 105 error.

As the next troubleshooting step we enabled the ADFS debug log (open Event Viewer – check “Show Analytic and Debug Logs” under the View menu – go to Applications and Services Logs – ADFS Tracing – right-click the Debug log and select Enable log).

After restarting the ADFS service again, we saw the following event in the Debug log.

Log Name:      AD FS Tracing/Debug
Source:        AD FS Tracing
Date:          1/17/2018 11:00:50 AM
Event ID:      183
Task Category: None
Level:         Error
Keywords:      ExternalAuthentication
User:          XXX
Computer:      XXX
Description:
ExternalAuthenticationHandler.OnAuthenticationPipelineLoad() exception: System.IO.InvalidDataException: Error parsing configuration data. ---> System.InvalidOperationException: There is an error in XML document (3, 6). ---> System.Xml.XmlException: Unexpected node type Element. ReadElementString method can only be called on elements with simple or empty content. Line 3, position 6.

Something was definitely wrong with the MultiFactorAuthenticationAdfsAdapter.config file.

So we decided to copy a new file from the \Program Files\Multi-Factor Authentication Server directory on the MFA server to the ADFS server and carefully filled in the following fields:

UseWebServiceSdk
WebServiceSdkUrl
WebServiceSdkUsername
WebServiceSdkPassword

After that there were no errors in the ADFS Admin log, and MFA started working as a secondary authentication method!

Comparing the bad and good configuration files, we discovered the root of the issue 🙂

It was a missing “<” after the word true in the line <UseWebServiceSdk>true</UseWebServiceSdk>; it had been accidentally deleted when the customer was changing the value from “false” to “true”.

P.S. Check my new post for other possible typos in the config file that will cause a slightly different error in the ADFS Debug log.
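
The two typos described in these posts (a deleted “<” and True instead of true) can be caught before the AD FS service is restarted. The following is an added example, not code from the original posts or from Microsoft; the function name Test-MfaAdapterConfig, the root element name and all sample values are assumptions made for illustration.

```powershell
# Added example: pre-flight check for MultiFactorAuthenticationAdfsAdapter.config.
function Test-MfaAdapterConfig {
    param([Parameter(Mandatory = $true)][string]$Content)

    $problems = @()
    $doc = New-Object System.Xml.XmlDocument
    try {
        $doc.LoadXml($Content)   # throws on a damaged tag such as a deleted "<"
    } catch {
        return @("Not well-formed XML: $($_.Exception.Message)")
    }

    # Look fields up by local name so the check does not depend on the root element.
    $flag = $doc.SelectSingleNode("//*[local-name()='UseWebServiceSdk']")
    if ($null -eq $flag) {
        $problems += 'UseWebServiceSdk element is missing'
    } elseif ($flag.InnerText -cne 'true' -and $flag.InnerText -cne 'false') {
        # Case-sensitive comparison: "True" is reported, as in the Part 2 post.
        $problems += "UseWebServiceSdk is '$($flag.InnerText)'; use lowercase true or false"
    } elseif ($flag.InnerText -ceq 'true') {
        foreach ($name in 'WebServiceSdkUrl', 'WebServiceSdkUsername', 'WebServiceSdkPassword') {
            $node = $doc.SelectSingleNode("//*[local-name()='$name']")
            if ($null -eq $node -or [string]::IsNullOrWhiteSpace($node.InnerText)) {
                $problems += "$name is missing or empty"
            }
        }
    }
    return $problems
}

# Constructed sample: placeholder values; the root element name is an assumption.
$template = @'
<ConfigurationData>
  <UseWebServiceSdk>{0}</UseWebServiceSdk>
  <WebServiceSdkUrl>https://mfa.example.test/sdk</WebServiceSdkUrl>
  <WebServiceSdkUsername>EXAMPLE\svc-mfa</WebServiceSdkUsername>
  <WebServiceSdkPassword>placeholder</WebServiceSdkPassword>
</ConfigurationData>
'@
$cases = [ordered]@{
    'good'         = $template -f 'true'
    'capital True' = $template -f 'True'
    'deleted <'    = ($template -f 'true').Replace('true</', 'true/')
}
foreach ($case in $cases.Keys) {
    $found = @(Test-MfaAdapterConfig -Content $cases[$case])
    if ($found.Count -eq 0) { "${case}: OK" } else { "${case}: " + ($found -join '; ') }
}
```

To check a real file, pass its contents with Get-Content -Raw to the -Content parameter; an empty result means none of these problems were found.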