Comments (9)

redhook62 avatar redhook62 commented on July 28, 2024

Do you have more information? We can't reproduce this problem.

from adfsmfa.

unchannam-xx avatar unchannam-xx commented on July 28, 2024

I am not sure, but the console is not stable, especially when changing the "Security configuration".
RNG mode is no problem, but when I tried to use RSA mode and pressed the "new certificate" button, the console did not respond for a moment and then an exception message popped up. I also tried to input the cert thumbprint manually but could not save successfully.
This also happens when I execute the Register-MFASystem cmdlet; the screenshots and attachments below are for your reference.

Environment:
Windows 2016 with latest patches, ADFS
Locale & datetime format: Chinese (MACAU SAR)
Latest version of MFA; I had installed 2.0.1.112 before and already followed the instructions to uninstall it.

image
error1.txt
error2.txt


PS C:\Users\administrator.ADFSUAT> $cfg=Get-MFAConfig
PS C:\Users\administrator.ADFSUAT> $cfg |format-list
RefreshScan : 3000
DeliveryWindow : 300
TOTPShadows : 2
MailEnabled : True
SMSEnabled : True
AppsEnabled : True
Algorithm : SHA1
Issuer : MFA
UseActiveDirectory : False
CustomUpdatePassword : True
DefaultCountryCode : us
AdminContact : [email protected]
UserFeatures : AllowUnRegistered, AllowDisabled, AllowChangePassword, AllowManageOptions
AdvertisingDays : Neos.IdentityServer.MultiFactor.ConfigAdvertising


PS C:\Users\administrator.ADFSUAT> $cfg=Get-MFAConfigMails
Get-MFAConfigMails : Object reference not set to an instance of an object.
At line:1 char:6
+ $cfg=Get-MFAConfigMails
+      ~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (Neos.IdentitySe...tMFAConfigMails:GetMFAConfigMails) [Get-MFAConfigMails], NullReferenceException
    + FullyQualifiedErrorId : 3021,Neos.IdentityServer.MultiFactor.Administration.GetMFAConfigMails

from adfsmfa.

redhook62 avatar redhook62 commented on July 28, 2024

Strange !

  • Confirm that you are using SQL configuration (UseActiveDirectory = false)? So, have you created the database?
  • Does the account that you use for cmdlet commands or console operations have sufficient rights to write the configuration? It must be an admin or inside the delegated admin group in ADFS Properties.
  • Error 3021 occurs when the MFA configuration cannot be retrieved from the ADFS configuration.
  • Please register a new configuration or use PowerShell or the console with admin rights.

Let us know

from adfsmfa.

unchannam-xx avatar unchannam-xx commented on July 28, 2024

I have tried to remove the MFA and ADFS roles and reinstall them. The same error still happened; an error pops up when starting the MFA notification hub service, but the service is still running. I can use MFA in SSO login without problem.
I use another domain account to run the ADFS service and the account is not a local admin.
I use an enterprise admin account (which is also a local admin) to log in to the ADFS server, with admin rights, to do the installation and configuration tasks.
ADFS is running fine and can log in successfully without problem.


If I try to use a backup configuration file in the register-mfasystem command, it shows the error below and registration fails (without the configuration file, it is okay):

PS C:\Users\administrator.ADFSUAT> register-mfasystem -Activate -RestartFarm -AllowUpgrade -BackupFilePath C:\temp\myconfig.xml

Confirm
Are you sure you want to perform this action?
Performing the operation "Changing Keyformat invalidate all users keys ! When choosing CUSTOM KeyFormat, additional steps are required (Set-MFAConfigkeys and New-MFASecretKeysDatabase)" on target "Register-MFASystem".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"):
register-mfasystem : Object reference not set to an instance of an object.
At line:1 char:1
+ register-mfasystem -Activate -RestartFarm -AllowUpgrade -BackupFilePa ...
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (Neos.IdentitySe...gisterMFASystem:RegisterMFASystem) [Register-MFASystem], NullReferenceException
    + FullyQualifiedErrorId : 3012,Neos.IdentityServer.MultiFactor.Administration.RegisterMFASystem

  • Confirm that you are using SQL configuration (UseActiveDirectory = false)? So, have you created the database?
    I think it doesn't relate to the DB... As the register-mfasystem command does not have options to configure the use of ADDS or DB, this setting is configured after executing the register-mfasystem command. Even though I set it to use DB, the error still happened.

  • Does the account that you use for cmdlet commands or console operations have sufficient rights to write the configuration? It must be an admin or inside the delegated admin group in ADFS Properties.
    As said above.
    Even though I set the domain account as local admin and checked "Allow local system account for service administration" in ADFS Federation Service Properties, it doesn't solve the problem.

  • Error 3021 occurs when the MFA configuration cannot be retrieved from the ADFS configuration.

  • Please register a new configuration or use PowerShell or the console with admin rights.
    As said above.

image

from adfsmfa.

redhook62 avatar redhook62 commented on July 28, 2024

Hi,

Sorry, we were very busy today.
We're going to test tomorrow with the information you have posted.

Thanks

from adfsmfa.

redhook62 avatar redhook62 commented on July 28, 2024
  • Bug correction in version 2.0.2.964 for Register-MFASystem (see comments on releases)
  • The console, perhaps, is not very stable, but in our tests with your configuration as an example we didn't find the problems you experienced.
  • For example, to create a certificate (RSA), everything is OK with the console or the cmdlet Install-MFACertificate.

Let us know if it's better after installing the latest version.

from adfsmfa.

unchannam-xx avatar unchannam-xx commented on July 28, 2024

Happy new year, thanks for your great work.

The register command and the backup/restore of the configuration file are okay.
The RSA mode still has a problem: when I click the "New cert" button, a .NET exception pops up, although I see the cert is created in the cert store.

The exception still occurs when starting the MFA service.
I tried to reinstall Windows and everything but the exception still occurs; I don't know why.
Perhaps, if you don't mind, could you remote into my servers and take a look so that you can get more detail?

Thanks.

from adfsmfa.

redhook62 avatar redhook62 commented on July 28, 2024

Hi,

Yes, if you want I could remote into your server, but it's a very sensitive operation.
First, can you check that you have all the needed Eventlog entries (as below)? Let me know.

adfsmfaeventlogs

Afterwards, can you prepare an RDP file with credentials stored inside and verify that it's working?
You can create a temporary user on your ADDS (standard rights), and make this account a local admin.
With this access, I could remote into your server.

I have set your GitHub account as a collaborator, so with this, I think (not sure) we can communicate privately.

After the remote session, you can safely delete or disable the account used.

Let me know if you have a better idea.

Regards

from adfsmfa.

redhook62 avatar redhook62 commented on July 28, 2024

After debugging remotely, the problem was the JIT debugger of Visual Studio.
The error occurs in Microsoft.IdentityServer.ServiceHost.exe.
We can reproduce the problem on our platform.
If you experience this problem, in an emergency you can run this command: vsjitdebugger.exe /unregserver.

By default, never install development tools on servers, and also never on ADFS servers.
If you want to debug ADFS or your extension, you must use "VS Remote Debugger".

The source of the problem was a Debugger Break in our code:
Debugger.Launch(); Debugger.Break();

A new version has been released: 2.0.2.965

Thanks to @unchannam

from adfsmfa.
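
An added example, not part of the thread or of the adfsmfa project: a PowerShell audit for the condition described in the last comment, a Just-In-Time debugger registered on a server so that a stray Debugger.Launch() in a service starts it. The registry locations are the documented Windows and .NET Framework JIT debugger settings; the function name Get-JitDebuggerRegistration is hypothetical.

```powershell
# Added example: report whether a JIT debugger is registered on this machine.
# Run from an elevated PowerShell session on the ADFS server.
# Get-JitDebuggerRegistration is a hypothetical name, not an adfsmfa cmdlet.
function Get-JitDebuggerRegistration {
    # Native (AeDebug) and managed (.NETFramework) JIT debugger registrations,
    # in both the 64-bit and 32-bit (WOW6432Node) registry views.
    $targets = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug';             Name = 'Debugger' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework';                                 Name = 'DbgManagedDebugger' },
        @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'; Name = 'Debugger' },
        @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework';                     Name = 'DbgManagedDebugger' }
    )

    foreach ($t in $targets) {
        $data = $null
        if (Test-Path -LiteralPath $t.Path) {
            # A missing value is not an error here; it means nothing is registered.
            $item = Get-ItemProperty -LiteralPath $t.Path -Name $t.Name -ErrorAction SilentlyContinue
            if ($item) { $data = $item.($t.Name) }
        }
        [pscustomobject]@{
            Key        = $t.Path
            Value      = $t.Name
            Data       = $data
            Registered = -not [string]::IsNullOrWhiteSpace($data)
        }
    }
}

$report = @(Get-JitDebuggerRegistration)
$report | Format-List Key, Value, Data, Registered

$hits = @($report | Where-Object { $_.Registered })
if ($hits.Count -gt 0) {
    # Any hit means a Debugger.Launch() call in a service can try to start a debugger.
    Write-Warning ("{0} JIT debugger registration(s) found. Development tools should not be installed on this server." -f $hits.Count)
} else {
    Write-Output 'No JIT debugger registration found.'
}
```

A registered Visual Studio debugger appears as a vsjitdebugger.exe command line in the Data field; the thread's emergency command, vsjitdebugger.exe /unregserver, removes that registration.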
