Invalid identification, please restart your session. about adfsmfa HOT 6 CLOSED

Hello xeonkepper.

Yes, it seems your configuration is right.
there's an issue, related to this feature #29.
the problem occurs if the adfs externalLockout is not enabled.
As quick work around you can enable external lockout on your ADFS Farm.

Enabling External Lockout :
Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 3 -ExtranetObservationWindow (new-timespan -Minutes 30)

Disabling External Lockout :
Set-AdfsProperties -EnableExtranetLockout $False

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection

from adfsmfa.

Thanks! That helped me.
I've got one more question. Can i use SQL mode, and auto-create users with first logon with his "mail", "phone", "UPN" properties from AD?
When i use import from active directory and paste "DistinguishedName" "OU=users,DC=company,DC=com" MMC freezes and nothing happens (we have about 6000 users accounts).

from adfsmfa.

Yes, your users can register themselves, provided they have selected as a template in the MMC "Default Template".

For import from Active Directory, new things are planned in future releases. Can you confirm that with less than 6000 users the import works.
Using the database to store users (SQL Mode), some tests with 450,000 users were made without any worries.

Regards

from adfsmfa.

Now i'm tested AD import. After click ok button to import processor loaded in 95% and users creating in database, but not displayed in MMC. Another strange thing that in database only 1000 entries. Seems like a limitation LDAP query. And when after that i try to manualy create user i receive message "User "[email protected]" Exists !
Try to workaround this issue, but Add-MFAUsers cmdled not working(
Add-MFAUsers -Identity [email protected] -MailAddress [email protected] -PhoneNumber +712345678 -Method Email -Enabled -Verbose
Error adding user "[email protected]" \r The parameterized query '(@upn varchar(16),@mailaddress varchar(16),@phonenumber varchar(' expects the parameter '@ov
ERRIDE', which was not supplied.

from adfsmfa.

Yes, By default LDAP queries results are limited to 1000.
It's possible to bypass this behavior, but How Many ? we will put a new parameter for that in future beta.

Yes, bug with ommited parameter in cmdlet Add-MFAUsers.

If your user exists in the database, your must use Set-MFAUsers cmdlet, not Add-MFAUsers.
If You don't see any users after import in MMC, it's because the view is filtered, disabled users are invisible until you clear the filter. You can also use Get-MFAUsers with adequate parameters.
Until the account is enabled, the user cannot use MFA and perhaps access is denied depending of the policy settings.

Remember, that the actual version is a beta version, so, you must limit the use for testing and not for production.

Wait a little bit for new version

Regards

from adfsmfa.

New beta 2.2.0.34

from adfsmfa.