Comments (15)
Hi 5TimeGrandpas
First of all, thank you for this feedback.
Regarding your problem, I agree with you that the component should not generate a NullReferenceException. In a future update we will improve this.
The sequence in which this error occurs should never happen if the configuration is correct.
For ADDS there are several prerequisites (see Wiki Configuration ADDS):
- if you use the attributes provided by default your ADDS schema must be in version 2012, if not you must modify these attributes at your convenience.
- the ADFS service account MUST have rights to read (default) and write (we store the users properties in ADDS). If you do not want this, you must use the SQL configuration.
- The domain controller to which ADFS is connected must be read / write (no RODC!)
- domain users must have a UPN
Can you check and possibly resolve all these points and get back to us?
Best Regards
from adfsmfa.
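The four prerequisites above can be checked from a PowerShell session on the ADFS server. The script below is an added example, not adfsmfa's own code; it assumes the ActiveDirectory RSAT module is installed and that the ADFS service is registered under its standard name `adfssrv`. The schema objectVersion table (56 = 2012, 69 = 2012 R2, 87 = 2016, 88 = 2019/2022) is the standard Windows mapping, so "at least a 2012 schema" means objectVersion 56 or higher.

```powershell
# Added example (not adfsmfa's own code): check the ADDS prerequisites listed above.
# Assumes the ActiveDirectory RSAT module and that the ADFS service is named 'adfssrv'.
Import-Module ActiveDirectory

# Schema objectVersion -> Windows Server release that ships that schema (standard values)
$SchemaVersions = @{ 44 = '2008'; 47 = '2008 R2'; 56 = '2012'; 69 = '2012 R2'; 87 = '2016'; 88 = '2019/2022' }

function Test-AdfsMfaAddsPrerequisites {
    $results = [ordered]@{}
    $rootDse = Get-ADRootDSE

    # 1. Schema version: the default attribute set needs a 2012-level schema, i.e. objectVersion >= 56
    $schema = Get-ADObject $rootDse.schemaNamingContext -Properties objectVersion
    $ver    = [int]$schema.objectVersion
    $label  = if ($SchemaVersions.ContainsKey($ver)) { $SchemaVersions[$ver] } else { 'unknown' }
    $results['SchemaObjectVersion'] = "$ver (Windows Server $label)"
    $results['SchemaOk']            = ($ver -ge 56)

    # 2. ADFS service account and the rights it holds DIRECTLY on a sample user object.
    #    Rights inherited through group membership (e.g. Domain Admins) do not appear here;
    #    an empty list therefore means "check group-derived rights", not "no rights".
    $svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
    $results['AdfsServiceAccount'] = $svcAccount
    $sampleUser = Get-ADUser -Filter 'Enabled -eq $true' -ResultSetSize 1
    $acl = Get-Acl -Path "AD:\$($sampleUser.DistinguishedName)"
    $writeAces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $svcAccount -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll')
    }
    $results['SampleUser']             = $sampleUser.DistinguishedName
    $results['DirectWriteAcesForAdfs'] = @($writeAces).Count

    # 3. The DC this session is bound to must be writable (no RODC)
    $dc = Get-ADDomainController -Identity $rootDse.dnsHostName
    $results['DomainController'] = $dc.HostName
    $results['DcIsReadOnly']     = $dc.IsReadOnly

    # 4. Every enabled user needs a UPN; list the ones that lack it
    $noUpn = Get-ADUser -Filter 'Enabled -eq $true' |
        Where-Object { [string]::IsNullOrEmpty($_.UserPrincipalName) }
    $results['EnabledUsersWithoutUpn'] = @($noUpn).Count
    $results['UsersWithoutUpnSample']  = (@($noUpn) | Select-Object -First 5 -ExpandProperty SamAccountName) -join ', '

    [pscustomobject]$results
}

# Usage: run in an elevated session on the ADFS server
Test-AdfsMfaAddsPrerequisites | Format-List
```

SchemaOk should be True, DcIsReadOnly False and EnabledUsersWithoutUpn 0 before going further; the ACE count is only a quick hint, because a service account that is a member of an admin group will show zero direct ACEs while still having write access.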
Thanks for the reply! The last 3 points have been confirmed, but I'm not sure on the ADDS Schema. My assumption was that the ADDS version must be at least 2012, and not exactly 2012. This is a Windows Server 2016 domain, and according to the output from:
Get-ADObject (get-adrootdse).schemaNamingContext -Property objectVersion, the objectVersion is 87.
From what I've read, the previous versions are:
Windows Server 2012 Beta | 52
Windows Server 2012 | 56
Windows Server 2012 R2 | 69
Are you saying that this won't work on anything newer than 2012?
from adfsmfa.
Hi,
Yes! At least a Windows 2012 ADDS schema for the default configuration.
But it can work with a lower schema version; in this case you must configure the attributes, see the Wiki https://github.com/neos-sdi/adfsmfa/wiki/Doc2#configure-adds-mode.
For your problem, we are sure that your ADFS account doesn't have sufficient rights on ADDS to perform updates of metadata (Key, Mail, Phone, ...) for each user.
You can check with the PowerShell Cmdlet "Add-MFAUsers"; in this case the Cmdlet runs under the interactive user.
from adfsmfa.
OK, I verified that I can successfully use Add-MFAUsers as well. The ADFS account in this lab environment is a domain administrator, so I don't think rights are an issue. Any other ideas?
from adfsmfa.
Ok,
Does the Cmdlet show a message like this: User "youraccount" has a new Encryption key! and User "youraccount" added!?
If this is true, "youraccount" has been successfully registered for adfsmfa!
So, can you logon with this account ?
The secret can be displayed if you launch the MMC Snapin ("Gestion des Utilisateurs"), the Key cannot be displayed with PowerShell for security reasons.
FYI, the code used by the Add-MFAUsers Cmdlet is the same as the code used in the ADFS portal when the user is asked to register. The difference is the account used to write to ADDS, e.g. the ADFS account (domain admin) or your interactive session account.
If you read the Wiki carefully, you can set an account for accessing ADDS (https://github.com/neos-sdi/adfsmfa/wiki/Doc2#configure-adds-mode).
Can you set these properties, Account and Password, to the credentials used in the interactive session, so that the same credentials are used for ADFS access?
from adfsmfa.
The Add-MFAUsers Cmdlet does not show a message like that above. It simply returns without error. The account is not created in AD nor is the user listed with Get-MFAUsers. I have added credentials for ADDS with Set-MFAConfigADDS and tried again. Same thing. I did notice that there is nothing in the ExternalKeyManager property of Get-MFAConfigKeys. Is that supposed to have a value?
from adfsmfa.
Hi,
Please, first test with RNG key, ExternalKeyManager is for more complex keys (RSA and Custom).
So, you can't add any user with Add-MFAUsers or via the portal.
It's difficult to diagnose your problem.
Using adfsmfa with ADDS is the common way, more than 1000 on CodePlex.
I would encourage you to switch to SQL mode while waiting for your domain admins to provide more information or traces.
Regards
from adfsmfa.
I am the domain admin and have access to all logs including the ADFS Tracing Debug Logs. I first tried the SQL configuration and was getting this:
Exception details:
Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationException: Must declare the scalar variable "@phonenumber".
at Neos.IdentityServer.MultiFactor.AuthenticationProvider.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
I think at this point I will remove everything, and try this all over again from a clean slate.
from adfsmfa.
@phonenumber doesn't exist in our code.
I am sorry that I am unable to help you more for the moment.
If you reconfigure ADFS, try putting your ADFS account in the admins group of the domain. This may give us some interesting information.
Regards
from adfsmfa.
Soon we are going to publish a version with more logs for exceptions: 2.0.1.112
Regards
from adfsmfa.
It might help to know that when I initially tried using SQL mode instead of ADDS mode, it was the BETA release that I downloaded on 8/19. That source code did include @phonenumber in:
public void SetUserRegistration(MMCRegistration reg). I'll try everything again using SQL Mode with the latest release.
from adfsmfa.
Oh! Yes! It's a parameter for the SQL request...
So you did not provide a phone number for user registration.
from adfsmfa.
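The SQL Server error "Must declare the scalar variable "@phonenumber"" is what you get when the statement text references a parameter that was never added to the command's parameter collection, which is exactly what happens if the code only adds `@phonenumber` when a phone number was supplied. The script below is an added example, not adfsmfa's own code: it reproduces the failure offline with a made-up table and column names (no database connection is opened) and shows the fix, which is to always add the parameter and send `DBNull.Value` when the field is empty. It also includes a small checker that compares the `@names` in the SQL text against the declared parameters, which is a useful pre-flight test for any parameterized command.

```powershell
# Added example (not adfsmfa's own code). Table/column names are illustrative.
# Runs offline in Windows PowerShell 5.1; no SqlConnection is ever opened.
Add-Type -AssemblyName System.Data

# Hypothetical statement in the style of a registration update; the real project's SQL differs.
$UpdateSql = 'UPDATE MfaUsers SET mail = @mail, phonenumber = @phonenumber, method = @method WHERE upn = @upn'

function Get-MissingSqlParameters {
    # Returns the @names referenced in CommandText that have no matching entry in Parameters.
    # SQL Server raises "Must declare the scalar variable" for every name in that list.
    param([Parameter(Mandatory)][System.Data.SqlClient.SqlCommand]$Command)
    $referenced = [regex]::Matches($Command.CommandText, '(?<![@\w])@(\w+)') |   # skips @@ROWCOUNT etc.
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() } | Sort-Object -Unique
    $declared = @($Command.Parameters | ForEach-Object { $_.ParameterName.TrimStart('@').ToLowerInvariant() })
    @($referenced | Where-Object { $declared -notcontains $_ })
}

function New-BuggyRegistrationCommand {
    # Bug pattern: the phone parameter is only added when a value is present.
    # With an empty phone the statement still mentions @phonenumber, so SQL Server rejects it.
    param([string]$Upn, [string]$Mail, [string]$Phone)
    $cmd = New-Object System.Data.SqlClient.SqlCommand($UpdateSql)
    $cmd.Parameters.AddWithValue('@upn', $Upn)   | Out-Null
    $cmd.Parameters.AddWithValue('@mail', $Mail) | Out-Null
    if ($Phone) { $cmd.Parameters.AddWithValue('@phonenumber', $Phone) | Out-Null }
    $cmd.Parameters.AddWithValue('@method', 1)   | Out-Null
    return $cmd
}

function New-FixedRegistrationCommand {
    # Fix: declare every parameter the statement uses, with an explicit type,
    # and send DBNull.Value for optional fields that are empty.
    param([string]$Upn, [string]$Mail, [string]$Phone)
    $cmd = New-Object System.Data.SqlClient.SqlCommand($UpdateSql)
    $cmd.Parameters.Add('@upn',  [System.Data.SqlDbType]::NVarChar, 256).Value = $Upn
    $cmd.Parameters.Add('@mail', [System.Data.SqlDbType]::NVarChar, 256).Value = $Mail
    $phoneParam = $cmd.Parameters.Add('@phonenumber', [System.Data.SqlDbType]::NVarChar, 50)
    $phoneParam.Value = [DBNull]::Value
    if ($Phone) { $phoneParam.Value = $Phone }
    $cmd.Parameters.Add('@method', [System.Data.SqlDbType]::Int).Value = 1
    return $cmd
}

# Usage: register a user without a phone number, the case reported in this thread
$buggy = New-BuggyRegistrationCommand -Upn 'user@corp.example' -Mail 'user@corp.example' -Phone ''
$fixed = New-FixedRegistrationCommand -Upn 'user@corp.example' -Mail 'user@corp.example' -Phone ''
"Buggy command, undeclared parameters: $((Get-MissingSqlParameters $buggy) -join ', ')"
"Fixed command, undeclared parameters: $((Get-MissingSqlParameters $fixed) -join ', ')"
```

Running the checker before `ExecuteNonQuery()` turns a runtime error from the provider (surfacing here as an ExternalAuthenticationException during login) into a clear, local diagnostic naming the missing parameter.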
OK, wait for a quick release, with more logs...
from adfsmfa.
OK, thanks!
from adfsmfa.
New version 2.0.1.112
More logging for ADDS access and SQL access.
Exceptions are posted in the Event Log / Application under number 5000
Regards
from adfsmfa.