Comments (15)

redhook62 commented on July 28, 2024

Hi 5TimeGrandpas

First of all, thank you for this return.

Regarding your problem, I agree with you that the component should not generate a NullReferenceException. In a future update we will improve this.

The sequence in which this error occurs should never occur if the configuration was optimal.

For ADDS there are several prerequisites (see Wiki Configuration ADDS):

  • if you use the attributes provided by default, your ADDS schema must be in version 2012; if not, you must modify these attributes at your convenience.
  • the ADFS service account MUST have rights to read (default) and write (we store the users' properties in ADDS). If you do not want this, you must use the SQL configuration.
  • The domain controller to which ADFS is connected must be read / write (no RODC!)
  • domain users must have a UPN

Can you check and possibly resolve all these points and make us a return?

Best Regards

from adfsmfa.

5TimeGrandpa commented on July 28, 2024

Thanks for the reply! The last 3 points have been confirmed, but I'm not sure on the ADDS Schema. My assumption was that the ADDS version must be at least 2012, and not exactly 2012. This is a Windows Server 2016 domain, and according to the output from:
Get-ADObject (get-adrootdse).schemaNamingContext -Property objectVersion, the objectVersion is 87.

From what I've read, the previous versions are:
Windows Server 2012 Beta | 52
Windows Server 2012 | 56
Windows Server 2012 R2 | 69

Are you saying that this won't work on anything newer than 2012?

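The prerequisites listed in the first reply (schema version, write rights for the ADFS service account, a writable DC, UPNs on users) and the schema-version question above can all be checked from PowerShell. The following script is an added example written for this page; it is not part of the thread or of the adfsmfa project. It assumes the ActiveDirectory RSAT module is installed on a domain-joined machine, that the caller can read the schema and object ACLs, and that `svc_adfs` and `testuser` are placeholder names you replace. The default minimum of 56 is the objectVersion of the Windows Server 2012 schema.

```powershell
# Added example for this page, not adfsmfa project code.
# Checks the ADDS prerequisites named in the thread: schema version, writable DC,
# UPN on users, and write rights of the ADFS service account on user objects.
# Assumes the ActiveDirectory module (RSAT) is available and the caller can read ACLs.
Import-Module ActiveDirectory

function Test-AdfsMfaAddsPrerequisites {
    param(
        # sAMAccountName of the ADFS service account (placeholder, replace with yours)
        [Parameter(Mandatory)] [string] $ServiceAccount,
        # sAMAccountName of a user whose object the service account must be able to update (placeholder)
        [Parameter(Mandatory)] [string] $SampleUser,
        # objectVersion 56 is the Windows Server 2012 schema, the minimum for the default attributes
        [int] $MinimumSchemaVersion = 56
    )
    $results = [ordered]@{}

    # 1. Schema version: objectVersion lives on the schema naming context
    $schema = Get-ADObject -Identity (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
    $results['SchemaObjectVersion'] = [int]$schema.objectVersion
    $results['SchemaVersionOk']     = [int]$schema.objectVersion -ge $MinimumSchemaVersion

    # 2. The DC this session talks to must be writable (an RODC cannot take the updates)
    $dc = Get-ADDomainController
    $results['ConnectedDc'] = $dc.HostName
    $results['DcWritable']  = -not $dc.IsReadOnly

    # 3. Every user the provider handles needs a UPN; report how many lack one (capped at 50)
    $user = Get-ADUser -Identity $SampleUser -Properties userPrincipalName
    $results['SampleUserHasUpn'] = -not [string]::IsNullOrEmpty($user.UserPrincipalName)
    $results['UsersWithoutUpn']  = @(Get-ADUser -LDAPFilter '(!(userPrincipalName=*))' -ResultSetSize 50).Count

    # 4. Write rights: look for Allow ACEs granting write on the sample user's object to the
    #    service account or to any group it belongs to (nested groups resolved with the
    #    LDAP_MATCHING_RULE_IN_CHAIN filter; the primary group is not covered by this check)
    $svc = Get-ADObject -LDAPFilter "(sAMAccountName=$ServiceAccount)" -Properties objectSid
    if (-not $svc) { throw "Service account '$ServiceAccount' not found" }
    $principalSids = @($svc.objectSid.Value) + @(
        Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($svc.DistinguishedName))" |
            ForEach-Object { $_.SID.Value })

    $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $writeAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights.ToString() -match 'WriteProperty|GenericWrite|GenericAll')
    }
    $matching = $writeAces | Where-Object {
        $aceSid = $null
        try { $aceSid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
        $aceSid -and ($principalSids -contains $aceSid)
    }
    $results['ServiceAccountCanWrite'] = @($matching).Count -gt 0
    $results['GrantingAces'] = @($matching | ForEach-Object { "$($_.IdentityReference): $($_.ActiveDirectoryRights)" })

    [pscustomobject]$results
}

# Usage (placeholder names): anything reported as $false is one of the points in the thread
Test-AdfsMfaAddsPrerequisites -ServiceAccount 'svc_adfs' -SampleUser 'testuser' | Format-List
```

The rights check is deliberately conservative: it only reports an explicit or inherited Allow ACE on the sampled user object, so a `$false` there means "no grant found for this account or its nested groups", which is exactly the situation where the ADDS writes the provider performs at registration would fail.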

redhook62 commented on July 28, 2024

Hi,

Yes! At least a Windows 2012 ADDS schema for the default configuration.
But it can work with a lower schema version; in this case you must configure the attributes, see Wiki https://github.com/neos-sdi/adfsmfa/wiki/Doc2#configure-adds-mode.

For your problem, we are sure that your ADFS account doesn't have sufficient rights on ADDS to perform updates of metadata (Key, Mail, Phone, ...) for each user.

You can check with the PowerShell Cmdlet "Add-MFAUsers"; in this case the Cmdlet is running under the interactive user.


5TimeGrandpa commented on July 28, 2024

OK, I verified that I can successfully use Add-MFAUsers as well. The ADFS account in this lab environment is a domain administrator, so I don't think rights are an issue. Any other ideas?


redhook62 commented on July 28, 2024

Ok,
Does the Cmdlet show a message like this: User "youraccount" has a new Enryption key! and User "youraccount" added!?

If this is true, "youraccount" has been successfully registered for adfsmfa!

So, can you logon with this account ?
The secret can be displayed if you launch the MMC Snapin ("Gestion des Utilisateurs"), the Key cannot be displayed with PowerShell for security reasons.

FYI, the code used with the Add-MFAUsers Cmdlet is the same as the code used in the ADFS portal when the user is asked to register. The difference is the account used to write on ADDS, e.g. the ADFS account (domain admin) or your interactive account session.

If you read the Wiki carefully, you can set an account for accessing ADDS (https://github.com/neos-sdi/adfsmfa/wiki/Doc2#configure-adds-mode).
Can you set these properties, Account and Password, with the credentials used in the interactive session, so that the same credentials are used for ADFS access?


5TimeGrandpa commented on July 28, 2024

The Add-MFAUsers Cmdlet does not show a message like that above. It simply returns without error. The account is not created in AD nor is the user listed with Get-MFAUsers. I have added credentials for ADDS with Set-MFAConfigADDS and tried again. Same thing. I did notice that there is nothing in the ExternalKeyManager property of Get-MFAConfigKeys. Is that supposed to have a value?


redhook62 commented on July 28, 2024

Hi,
Please first test with the RNG key; ExternalKeyManager is for more complex keys (RSA and Custom).
So, you can't add any user with Add-MFAUsers or via the portal.
It's difficult to diagnose your problem.
Using adfsmfa with ADDS is a common way, more than 1000 in codeplex.
I would encourage you to switch to SQL mode while waiting for your domain admins to provide more information or traces.

Regards


5TimeGrandpa commented on July 28, 2024

I am the domain admin and have access to all logs including the ADFS Tracing Debug Logs. I first tried the SQL configuration and was getting this:
Exception details:
Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationException: Must declare the scalar variable "@phonenumber".
at Neos.IdentityServer.MultiFactor.AuthenticationProvider.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)

I think at this point I will remove everything, and try this all over again from a clean slate.


redhook62 commented on July 28, 2024

@phonenumber doesn't exist in our code.

I am annoyed, unable to help you more for the moment.
If you reconfigure ADFS, try putting your ADFS account in the admins group of the domain. This may give us some interesting information.

Regards


redhook62 commented on July 28, 2024

Soon, we are going to publish a version with more Logs for exceptions. 2.0.1.112

Regards


5TimeGrandpa commented on July 28, 2024

It might help to know that when I initially tried using SQL mode instead of ADDS mode, it was the BETA release that I downloaded on 8/19. That source code did include @phonenumber in:
public void SetUserRegistration(MMCRegistration reg). I'll try everything again using SQL Mode with the latest release.


redhook62 commented on July 28, 2024

Oh! Yes! It's a parameter for the SQL request...
So, you did not provide a phone number for user registration.

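The SQL Server error quoted earlier in the thread, "Must declare the scalar variable "@phonenumber"", is what a parameterized command produces when the query text names a parameter that was never added to the command, which is what happens if the parameter is only bound when a phone number was entered. The script below is an added example written for this page, not code from the thread or from adfsmfa (whose SetUserRegistration is C#); it shows the defective binding pattern next to the fixed one in PowerShell, using constructed table and column names, and checks each command without connecting to any server. It assumes System.Data.SqlClient can be loaded (Windows PowerShell 5.1 ships it).

```powershell
# Added example for this page, not adfsmfa project code.
# Shows why a query that references @phonenumber fails with "Must declare the scalar
# variable" when the parameter is only bound if a value was supplied, and the fix:
# bind every named parameter unconditionally, using DBNull for an absent value.
# Assumes System.Data.SqlClient is loadable; table/column names are constructed
# placeholders and no command is executed against a server.
Add-Type -AssemblyName System.Data

$sql = "UPDATE MFAUsers SET Email = @email, PhoneNumber = @phonenumber WHERE UPN = @upn"

function New-RegistrationCommandBroken {
    param([string]$Upn, [string]$Email, [string]$Phone)
    $cmd = New-Object System.Data.SqlClient.SqlCommand($sql)
    [void]$cmd.Parameters.AddWithValue('@upn',   $Upn)
    [void]$cmd.Parameters.AddWithValue('@email', $Email)
    # Defect: the parameter is skipped when no phone was entered, but the SQL text still
    # references @phonenumber, so SQL Server rejects the batch at execution time.
    if ($Phone) { [void]$cmd.Parameters.AddWithValue('@phonenumber', $Phone) }
    return $cmd
}

function New-RegistrationCommandFixed {
    param([string]$Upn, [string]$Email, [string]$Phone)
    $cmd = New-Object System.Data.SqlClient.SqlCommand($sql)
    $p = $cmd.Parameters.Add('@upn',   [System.Data.SqlDbType]::NVarChar, 256); $p.Value = $Upn
    $p = $cmd.Parameters.Add('@email', [System.Data.SqlDbType]::NVarChar, 256); $p.Value = $Email
    # Always bind every parameter the text names; an absent value becomes DBNull instead of
    # being dropped, and user input is never concatenated into the query string.
    $phoneValue = if ($Phone) { $Phone } else { [DBNull]::Value }
    $p = $cmd.Parameters.Add('@phonenumber', [System.Data.SqlDbType]::NVarChar, 50); $p.Value = $phoneValue
    return $cmd
}

function Test-ParametersBound {
    param([System.Data.SqlClient.SqlCommand]$Command)
    # Every @name that appears in the command text must exist in the Parameters collection;
    # this is the check that catches the defect before the command ever reaches SQL Server.
    $names   = [regex]::Matches($Command.CommandText, '@\w+') | ForEach-Object { $_.Value } | Sort-Object -Unique
    $missing = @($names | Where-Object { -not $Command.Parameters.Contains($_) })
    [pscustomobject]@{ Ok = ($missing.Count -eq 0); Missing = $missing }
}

# Registration without a phone number: the broken command reports @phonenumber missing,
# the fixed one binds it as DBNull and reports Ok = True.
Test-ParametersBound (New-RegistrationCommandBroken -Upn 'user@example.com' -Email 'user@example.com' -Phone '')
Test-ParametersBound (New-RegistrationCommandFixed  -Upn 'user@example.com' -Email 'user@example.com' -Phone '')
```

Test-ParametersBound is the part worth keeping around: running it over each command a data layer builds, with empty and null inputs, surfaces exactly the class of error seen in this thread as a unit-test failure rather than an ExternalAuthenticationException at sign-in time.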

redhook62 commented on July 28, 2024

OK, wait for a quick release, with more logs...


5TimeGrandpa commented on July 28, 2024

OK, thanks!


redhook62 commented on July 28, 2024

New version 2.0.1.112

More logging for ADDS access and SQL access.
Exceptions are posted in the Event log / Application under number 5000.

Regards
