
Comments (16)

redhook62 avatar redhook62 commented on July 28, 2024 1

Hi,

It seems related to writing to the EventLog; perhaps the ADFS account has no rights to create EventLog sources or categories.
Try putting your ADFS account in the local Administrators group, restart ADFS, and check whether EventLog entries are created correctly.

Let us know if EventLog entries under "Application" are created correctly.

Regards

from adfsmfa.

redhook62 avatar redhook62 commented on July 28, 2024 1

Hi,

It seems that your ADFS account doesn't have the right to write to your Active Directory.
Using Active Directory mode is the default, but in this case we recommend using the SQL Server configuration.
Remember that in this case the ADFS account must be dbowner, dbCreator and securityadmin when creating a database.
You can use the MMC to change the behavior and create the database; you can also use PowerShell.

See the Wiki, to adjust your config.

Regards

from adfsmfa.

Poke234 avatar Poke234 commented on July 28, 2024

Hi Redhook62,

Thanks for the quick reply. I've done what you asked and made the service account that the ADFS services run under a local administrator, and rebooted the servers to be sure it would take.

After that I seem to get a different error in the ADFS logs.

START EVENT VIEWER DETAILS

Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:
http://azureservices/TenantSite

Exception details:
Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationException: <TRUNCATED_EMAIL_ADDRESS> : Access is denied.

at Neos.IdentityServer.MultiFactor.AuthenticationProvider.TryChooseMethod(AuthenticationContext usercontext, IAuthenticationContext context, IProofData proofData, HttpListenerRequest request, Claim[]& claims)
at Neos.IdentityServer.MultiFactor.AuthenticationProvider.TryEndAuthentication(IAuthenticationContext context, IProofData proofData, HttpListenerRequest request, Claim[]& claims)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandlerBase.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& adapterClaims)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

END EVENT VIEWER DETAILS

It states that Access is Denied, but I still have not been prompted to fill in a code. Where I would expect to have a box to fill in the code it says again the same error message "An error occurred. Contact your administrator for more information."

[edit 1]
We use ADFS in front of the Azure Pack Tenant site. ADFS with AD authentication works with the tenant site, including group-based access filtering. Not sure if this information is interesting, but I wanted to at least mention it.
[/edit 1]

Regards

from adfsmfa.

Poke234 avatar Poke234 commented on July 28, 2024

Hi RedHook62,

Installing an SQL server is not an option for us at this moment. We have configured ADFSMFA to use RSA 2048 and have generated a certificate using the snap-in. For a test I've given the service account for ADFS Domain Admin rights and that seemed to have solved the problem. We do get a code prompt now, which is great!

However.... the code that gets generated in the authenticator applications doesn't work. I get an error saying the code is invalid: "Invalid identification, please restart your session.". I've made some changes by going back to the default key length of 1024 and RNG 512 instead of RSA. Generated a new key with this, checked that the AD object is stored on the user and added the shared secret using the QR code in the authenticator app. We have tested it with FreeOTP, Google Authenticator and Microsoft Authenticator and all give the same result. The Event Viewer tells us the same, that the identification failed, but again I'm unable to find where the issue is.

We appreciate the really quick responses you're giving and the feedback has been very useful. I'm almost there in getting it to work and we would be really happy if it does work, as the application looks very solid and provides us what we need.

START EVENT VIEWER DETAILS

Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:
http://azureservices/TenantSite

Exception details:
Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationException: <TRUNCATED_EMAIL_ADDRESS> : Invalid identification, please restart your session.
at Neos.IdentityServer.MultiFactor.AuthenticationProvider.TryLocking(AuthenticationContext usercontext, IAuthenticationContext context, IProofData proofData, HttpListenerRequest request, Claim[]& claims)
at Neos.IdentityServer.MultiFactor.AuthenticationProvider.TryEndAuthentication(IAuthenticationContext context, IProofData proofData, HttpListenerRequest request, Claim[]& claims)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandlerBase.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& adapterClaims)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

END EVENT VIEWER DETAILS

Regards.

from adfsmfa.

redhook62 avatar redhook62 commented on July 28, 2024

Hi,

When you change from RNG to RSA, all the old codes become invalid.
So you must first verify with email.
Then generate new keys for your test user with MMC or PowerShell and scan your QR code.

Regards

from adfsmfa.

Poke234 avatar Poke234 commented on July 28, 2024

Yes, I did generate new codes after switching and scanned the new QR code. I don't know what you mean by "verify with email". Am I missing a step?

Regards

from adfsmfa.

redhook62 avatar redhook62 commented on July 28, 2024

Hi,
Do you have a UPN in your claims?
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn is a prerequisite.
If not, you could map your email to this claim.

With mail, when you use "receive a code by mail", can you log in without problems?

Otherwise, can you post your configuration file (anonymized of course)?

from adfsmfa.

Poke234 avatar Poke234 commented on July 28, 2024

Hi,

The URL you provided does not work atm. I looked up at Microsoft what you meant by this and we should have this in place, as the Azure Pack Tenant site also requires UPN claims.
Did you mean this? https://msdn.microsoft.com/en-us/library/microsoft.identitymodel.claims.claimtypes.upn.aspx

We use LDAP UPN and LDAP Group and also pass through all attributes to the relying party.

I've been trying to send the key by email, but that doesn't work for me from the snap-in and I have yet to find where I can do this in PowerShell. The test email is received correctly from the email configuration section of the ADFSMFA software.

I've also tried to set KeySize RSA back to 1024 to see if the truncating of the key might be the cause, but that didn't make a difference.

I also deleted the accounts from ADFSMFA and reinstalled the RSA certificate (cleaned up the old one from the computer cert store). The documentation mentions that the key should be imported into ADFS. I've looked at the Certificates folder in ADFS but only see the other certificates in there. Restarting the farm doesn't solve it either. Not sure if I'm looking in the right place.

What configuration do you want me to send to you so you can have a look at where this is going wrong?

Regards.

from adfsmfa.

Poke234 avatar Poke234 commented on July 28, 2024

Hi,

Here is the output of all the Get commands from ADFSMFA and some details on the configuration of the ADFS environment. I've truncated all information I think is not supposed to be on the net. Do you have any more help for me to get this last bit working?

START ADFSMFA CONFIG

PS C:\Windows\system32> Get-MFAComputers

FQDN : TRUNCATED.DOMAIN.EXT
BehaviorLevel : 3
HeartbeatTmeStamp : 3/29/2018 4:04:00 PM
NodeType : PrimaryComputer
CurrentVersion : 6.3
ProductName : Windows Server 2016 Datacenter
InstallationType : Server
CurrentBuild : 14393
CurrentMajorVersionNumber : 10
CurrentMinorVersionNumber : 0
MachineName : TRUNCATED

FQDN : TRUNCATED.DOMAIN.EXT
BehaviorLevel : 3
HeartbeatTmeStamp : 3/29/2018 4:01:00 PM
NodeType : SecondaryComputer
CurrentVersion : 6.3
ProductName : Windows Server 2016 Datacenter
InstallationType : Server
CurrentBuild : 14393
CurrentMajorVersionNumber : 10
CurrentMinorVersionNumber : 0
MachineName : TRUNCATED

PS C:\Windows\system32> Get-MFAConfig

RefreshScan : 3000
DeliveryWindow : 300
TOTPShadows : 2
MailEnabled : False
SMSEnabled : False
AppsEnabled : True
Algorithm : SHA1
Issuer : TRUNCATED
UseActiveDirectory : True
CustomUpdatePassword : True
DefaultCountryCode : us
AdminContact : [email protected]
UserFeatures : AllowProvideInformations, AdministrativeMode
AdvertisingDays : Neos.IdentityServer.MultiFactor.ConfigAdvertising

PS C:\Windows\system32> Get-MFAConfigADDS

Account :
DomainAddress :
KeyAttribute : msDS-cloudExtensionAttribute10
MailAttribute : msDS-cloudExtensionAttribute11
MethodAttribute : msDS-cloudExtensionAttribute13
NotifCheckDateAttribute : msDS-cloudExtensionAttribute16
NotifCreateDateAttribute : msDS-cloudExtensionAttribute14
NotifValidityAttribute : msDS-cloudExtensionAttribute15
Password :
PhoneAttribute : msDS-cloudExtensionAttribute12
TOTPAttribute : msDS-cloudExtensionAttribute17
TOTPEnabledAttribute : msDS-cloudExtensionAttribute18

PS C:\Windows\system32> Get-MFAConfigKeys

KeyGenerator : ClientSecret512
KeySize : KeySize1024
KeyFormat : RSA
CertificateThumbprint : TRUNCATED
CertificateValidity : 90
ExternalKeyManager : Neos.IdentityServer.MultiFactor.Administration.PSExternalKeyManager

PS C:\Windows\system32> Get-MFAConfigMails

From : [email protected]
UserName : [email protected]
Password : TRUNCATED
Host : TRUNCATED
Port : 587
UseSSL : True
Company : TRUNCATED
MailOTP : Neos.IdentityServer.MultiFactor.Administration.PSConfigMailFileNames
MailInscription : Neos.IdentityServer.MultiFactor.Administration.PSConfigMailFileNames
MailSecureKey : Neos.IdentityServer.MultiFactor.Administration.PSConfigMailFileNames

PS C:\Windows\system32> Get-MFAConfigSQL

ConnectionString
Password=yourpassword;Persist Security Info=True;User ID=yoursqlusername;Initial Catalog=yourdatabasename;Data Source=yours...

PS C:\Windows\system32> Get-MFAExternalOTPProvider

Company : Contoso
Sha1Salt : TRUNCATED
FullQualifiedImplementation : Neos.IdentityServer.Multifactor.SMS.SMSCall, Neos.IdentityServer.Multifactor.SMS.Azure,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=TRUNCATED
Parameters : #cdata-section
IsTwoWay : False
Timeout : 300

PS C:\Windows\system32> Get-MFAFarmInformation

IsInitialized CurrentFarmBehavior FarmIdentifier Servers
True 3 http://TRUNCATED/adfs/services/trust {Windows Server 2016 Datacenter, Windows Serv...

PS C:\Windows\system32> Get-MFAUsers

ID : 137567e3-c342-45cd-98f3-4bee28feb3be
UPN : [email protected]
MailAddress : [email protected]
PhoneNumber :
Enabled : True
CreationDate : 1/25/2018 12:12:16 PM
PreferredMethod : Code

END ADFSMFA CONFIG

START ADFS CONFIG

  • Get-AdfsCertificate : This command does not show the MFA certificate which I would expect as the documentation says it imports it. Or is it stored somewhere else?

redhook
Yes, it's normal if you are in AutoCertificateRollover in the ADFS configuration.
When true, we can't add new certificates, and you must update your relying party every year when ADFS creates new signing and encrypting certs. Adding the RSA certificate to the ADFS database store was done to sync the cert between all servers in the ADFS farm. (Of course we are thinking of changing this feature.)
Syncing configuration between farm servers is not straightforward. When you are using ADFS SQL mode there's no need to sync; if not, sync occurs every 5 minutes by default.
There's no problem if you can find the RSA certificate in the machine's certificate store under the Personal node; if you have multiple ADFS servers you must install the certificate on each machine.
end

  • The UPN Claims shows in the claim description as being published both ways.
  • Under Authentication Method -> Multi-factor the "Multi Factor Authentication Extension" is enabled
  • The Access Control Policy assigned to relying party trust we use has the following rule: Permit users from a specific group and require mfa.
  • The Relying Party Trust has 4 claims in the issuance transform rules. The following claims are issued: (LDAP) User-Principal-Name -> UPN, (LDAP) Token-Groups - Qualified by Domain Name -> Group, (Passthrough) UPN -> All Claims, (Passthrough) Group -> All Claims
  • Claims Provider Trust is AD and has a longer list of claims, but also has the four claims from relying party trust. So: (LDAP) User-Principal-Name -> UPN, (LDAP) Token-Groups - Qualified by Domain Name -> Group, (Passthrough) UPN -> All Claims, (Passthrough) Group -> All Claims

END ADFS CONFIG

from adfsmfa.

Poke234 avatar Poke234 commented on July 28, 2024

Hi,
Do you have a UPN in your claims?
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn is a prerequisite.
If not, you could map your email to this claim.
With mail, when you use "receive a code by mail", can you log in without problems?
Otherwise, can you post your configuration file (anonymized of course)?

OK, I suddenly understood what you meant with the email system. I'm able to log in using MFA when I send the code by email, but not when I use the Authenticator App. Any clue why that is? We would prefer the authenticator app method.

Regards.

from adfsmfa.

redhook62 avatar redhook62 commented on July 28, 2024

Hi,
Thanks for all this information.
I'm on holiday until next Monday.
I will test with your config as soon as possible.

Regards

from adfsmfa.

Poke234 avatar Poke234 commented on July 28, 2024

Thanks, I will wait till next week then. Have a nice holiday :)

from adfsmfa.

redhook62 avatar redhook62 commented on July 28, 2024

Hi,

We have tested, based on all the information you provided.
But bad news: we didn't find any problems.
Tested on Windows 2012R2 and 2016.

Please can you run Export-MFASystemConfiguration -ExportFilePath C:\temp\export.xml
Afterwards, edit the file and remove all passwords.

I will send you a direct email, so you can send us your configuration.

The last thing we can do after that is to remote into your server (RDP).

Regards

from adfsmfa.

Poke234 avatar Poke234 commented on July 28, 2024

Thank you very much. I've sent you the export.xml file.

from adfsmfa.

redhook62 avatar redhook62 commented on July 28, 2024

For all,

The problem is fixed.
The ADFS servers' clocks were not synchronized correctly.

Regards

from adfsmfa.

Poke234 avatar Poke234 commented on July 28, 2024

Communication was done by email to solve the issue. The reason authentication worked correctly with the email codes and not with the authenticator apps was a time synchronisation issue on the ADFS systems. The time was more than 1,30 minutes out and caused authentication errors. Fixing the time fixed the authenticator app.

Thanks Redhook62 for a great product and great support!
This issue can be closed now.

from adfsmfa.
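The thread's resolution, as an added worked example (not code from the adfsmfa project): an RFC 6238 TOTP check with SHA1 and the posted TOTPShadows : 2 / DeliveryWindow : 300 settings, showing why a server clock about a minute and a half off rejects every authenticator-app code while an emailed code still passes. The shared secret and timestamps are constructed, and treating TOTPShadows as "plus or minus N 30-second steps" is an assumption about how adfsmfa applies that setting.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30      # RFC 6238 default time step
DIGITS = 6
TOTP_SHADOWS = 2       # TOTPShadows from the posted Get-MFAConfig; assumed to mean +/- N steps
DELIVERY_WINDOW = 300  # DeliveryWindow from the posted Get-MFAConfig: mail/SMS code lifetime (s)

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP using HMAC-SHA1 (the page's 'Algorithm : SHA1')."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second step the given clock falls in."""
    return hotp(secret, int(unix_time // STEP_SECONDS), digits)

def verify_totp(secret: bytes, code: str, server_time: float, shadows: int = TOTP_SHADOWS) -> bool:
    """Accept the code if it matches the server's current step or any of the +/- `shadows` neighbours."""
    step = int(server_time // STEP_SECONDS)
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-shadows, shadows + 1))

def verify_delivered_code(issued_at: float, server_time: float, window: int = DELIVERY_WINDOW) -> bool:
    """Mail/SMS codes are issued and checked on the same server clock, so device drift is irrelevant."""
    return 0 <= server_time - issued_at <= window

def app_code_accepted(skew_seconds: float, secret: bytes = b"constructed-shared-secret",
                      phone_time: float = 1522339440.0) -> bool:
    """The phone computes the code on its own (NTP-correct) clock; the ADFS server checks it on a
    clock that is `skew_seconds` ahead (positive) or behind (negative). phone_time is a constructed
    timestamp aligned to a step boundary so the skew maps cleanly onto whole steps."""
    code = totp(secret, phone_time)
    return verify_totp(secret, code, phone_time + skew_seconds)

if __name__ == "__main__":
    # +/- 60 s is still inside two shadow steps; +/- 90 s is three steps away and is rejected.
    for skew in (0, 60, -60, 90, -90):
        print(f"server clock off by {skew:+d}s: app code accepted = {app_code_accepted(skew)}")
    # An emailed code issued at server time T and typed in 90 s later is still inside DeliveryWindow.
    print("mail code accepted after 90 s:", verify_delivered_code(1000.0, 1090.0))
```

With shadows of 2 the server tolerates at most 60 seconds of drift in either direction, so the roughly 90-second offset reported in the thread rejects every app code, while the mailed code never leaves the server's own clock and keeps working.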
