A customer was configuring the mobile app authenticator portal (Mobile App Web Service) in his new MFA Server environment. A single server held the MFA Server, MFA User Portal and Mobile App Web Service roles.
The official documentation was followed: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice
All the prerequisites were met:
- Azure Multi-Factor Authentication Web Service SDK installed;
- Web.Config in the C:\inetpub\wwwroot\MultiFactorAuthMobileAppWebService was updated with the correct Service Account (member of “PhoneFactor Admins” Group) credentials;
- Web Service SDK URL value updated;
- SSL certificate bound to the Mobile App Web Service website in IIS;
- Mobile App Web Service URL was accessible from inside and outside of corporate network, no SSL errors in the browser;
- the mobile app settings were configured in the Azure Multi-Factor Authentication Server;
- the MFA Server was running the latest version, 188.8.131.52.
But when the user tried to activate the Mobile Authenticator app on his iOS device via the MFA User Portal, he got the following error:
Error calling the local authentication service. Contact your local IT administrator to resolve the problem.
Trying the Google Authenticator application returned the following error:
Invalid barcode ‘phonefactor://activate_account?code=381470548&url=https%3a%2f%mfa.contoso.com%2fMultiFactorAuthMobileAppWebService’ is not a valid authentication token barcode. Try Again.
Decided to check the Mobile App Web Service URL using my old friend, Qualys SSL Labs.
The site was graded B because “This server’s certificate chain is incomplete”.
An intermediate CA certificate was installed on the MFA server (the one holding the IIS role); it is usually provided with the SSL certificate you purchase, or can be downloaded from the Certificate Authority’s support site. The Authenticator application, however, was still throwing the “Error calling the local authentication service” error.
As the next troubleshooting step, I made sure that the Mobile App Web Service host name resolves, on the MFA server itself, to the internal IP address of the MFA server.
After that, from IIS I browsed to the Mobile App site, selected the TestPfWsSdkConnection link, pressed the Invoke command under the Test section and got the following error:
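The SSL Labs finding above can be reproduced from the MFA server itself. The following PowerShell script is an added example, not code from the original post or from the MFA Server product: it completes a TLS handshake with the Mobile App Web Service host and reports which certificates the server actually sent, so a missing intermediate CA shows up without an external scanner. It assumes Windows PowerShell 5.1 (.NET Framework), where SslStream puts the certificates received from the server into `$chain.ChainPolicy.ExtraStore` during validation; the host name is the placeholder from the error message above.

```powershell
# Added example, not from the original post: report which certificates an HTTPS endpoint
# actually sends, so a missing intermediate CA shows up without an external scanner.
# Assumes Windows PowerShell 5.1 (.NET Framework), where SslStream places the certificates
# received from the server in $chain.ChainPolicy.ExtraStore during validation.
# The host name is the placeholder from the post's error message; substitute your own.
function Test-ServedCertificateChain {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $script:served   = @()
    $script:elements = @()
    $script:policy   = $null

    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $cert, $chain, $policyErrors)
        # Capture what the server sent and what the local chain builder concluded.
        $script:served   = @($chain.ChainPolicy.ExtraStore)
        $script:elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
        $script:policy   = $policyErrors
        return $true   # accept only so the handshake completes; this is a diagnostic, not a trust decision
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }

    $leafThumb = $script:elements[0].Thumbprint
    $report = foreach ($c in $script:elements) {
        $role = if ($c.Thumbprint -eq $leafThumb) { 'leaf' }
                elseif ($c.Subject -eq $c.Issuer) { 'root' }
                else { 'intermediate' }
        [pscustomobject]@{
            Role         = $role
            Subject      = $c.Subject
            NotAfter     = $c.NotAfter
            SentByServer = [bool]($script:served | Where-Object { $_.Thumbprint -eq $c.Thumbprint })
        }
    }
    $report | Format-Table -AutoSize | Out-String | Write-Host

    # A root need not be served (clients must already trust it), but every intermediate must be.
    $missing = @($report | Where-Object { $_.Role -eq 'intermediate' -and -not $_.SentByServer })
    if ($missing.Count -gt 0) {
        Write-Warning ("Chain incomplete: server does not send intermediate(s): " + ($missing.Subject -join '; '))
    } elseif ($script:policy -ne [System.Net.Security.SslPolicyErrors]::None) {
        Write-Warning "Chain problems reported by the local validator: $($script:policy)"
    } else {
        Write-Host "Chain complete: all intermediates are served by $HostName."
    }
}

Test-ServedCertificateChain -HostName 'mfa.contoso.com'
```

Run it from a machine that does not already have the intermediate cached if you want the same view an external client gets: the local chain builder may still complete the chain from its own store or via AIA download, which is why the script keys its verdict on whether the intermediate was sent by the server rather than on whether a chain could be built at all.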
131 – Exception calling the Web Service SDK: The underlying connection was closed: An unexpected error occurred on a receive.
The System event log showed many occurrences of Event ID 36871: A fatal error occurred while creating a TLS client credential. The internal error state is 10013.
It turned out that TLS 1.0 support was disabled on the server, while the MFA Web Service SDK requires it (this dependency should be removed in future MFA Server versions). As soon as TLS 1.0 was enabled on the server, users were able to configure their mobile Authenticator apps.
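To confirm the diagnosis before changing anything, the state that produced the symptoms above can be read directly on the MFA server. The PowerShell script below is an added example, not code from the original post or from the MFA Server product: it lists the SCHANNEL protocol policy for each protocol and side, counts the Schannel Event ID 36871 entries in the System log, and shows the .NET Framework strong-crypto registry values that govern which protocols a .NET Framework client offers. It assumes Windows Server with PowerShell 5.1 run from an elevated session; that the Web Service SDK caller honours the .NET values is an assumption, not something the post establishes. The script only reads; it enables nothing.

```powershell
# Added example, not from the original post: a read-only report of the server-side state behind
# the post's symptoms. Assumes Windows Server with PowerShell 5.1, run elevated on the MFA server.
# Which protocol the MFA Web Service SDK needs is taken from the post, not established here.

function Get-SchannelProtocolState {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $base "$proto\$side"
            $enabled = $null; $byDefault = $null
            if (Test-Path $key) {
                $p = Get-ItemProperty -Path $key
                $enabled   = $p.Enabled            # 0 = disabled by policy
                $byDefault = $p.DisabledByDefault  # 1 = not offered unless an application asks explicitly
            }
            [pscustomobject]@{
                Protocol = $proto
                Side     = $side
                State    = if ($null -eq $enabled -and $null -eq $byDefault) { 'OS default (no policy key)' }
                           elseif ($enabled -eq 0)   { 'Disabled' }
                           elseif ($byDefault -eq 1) { 'DisabledByDefault' }
                           else                      { 'Enabled' }
            }
        }
    }
}

function Get-SchannelCredentialErrors {
    param([int] $Hours = 24)
    # 36871 is the "fatal error occurred while creating a TLS client credential" event the post cites.
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36871; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Trim() } }
}

function Get-DotNetStrongCryptoState {
    # .NET Framework clients pick the protocols they offer from these values (assumption: the
    # Web Service SDK caller is such a client). SchUseStrongCrypto = 1 makes TLS 1.2 offered by default.
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        if (Test-Path $k) {
            $p = Get-ItemProperty -Path $k
            [pscustomobject]@{
                Key                      = $k
                SchUseStrongCrypto       = $p.SchUseStrongCrypto
                SystemDefaultTlsVersions = $p.SystemDefaultTlsVersions
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-DotNetStrongCryptoState | Format-Table -AutoSize
$events = @(Get-SchannelCredentialErrors -Hours 24)
Write-Host "Schannel 36871 events in the last 24 hours: $($events.Count)"
$events | Select-Object -First 5 | Format-List
```

A row showing `TLS 1.0 / Client / Disabled` next to a non-zero 36871 count matches the situation described in the post. Because enabling TLS 1.0 widens what the server will negotiate for every client, it is worth checking the .NET values as well: if the caller can be made to offer TLS 1.2, the protocol can be re-enabled only for as long as the SDK dependency remains.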