
Comments (7)

redhook62 commented on July 28, 2024

Hi,

Normally, if you can register your users, you should in principle have the correct rights.
Is it for 2 domains in the same forest or for 2 distinct forests?
Which version do you use?

We will test.

Regards

from adfsmfa.

anorstrom commented on July 28, 2024

2.2.0.41

redhook62 commented on July 28, 2024

Hi,

Can you download version 2.2.0.1003 and test it in a lab (with the same domains)?

Regards

anorstrom commented on July 28, 2024

Upgraded to 2.2.0.1003, but the same problem remains.

  • If I look at security on the user object in AD, and check the Effective Access on the ADFS service account, it has R/W to many attributes, including the MFA attributes (it does not have Full Control).
  • If I log in as the ADFS service account on the primary ADFS server, I can read and write the MFA attributes via the PowerShell commands Get-ADUser/Set-ADUser. But when I run Set-MFAUser I get access denied.
  • If I give the ADFS service account Full Control to the user object it works.

Any idea of what permission that could be missing? (We would like to avoid giving Full Permission to the service account.)

redhook62 commented on July 28, 2024

Hi,

First, I want to make it clear that the default web interface runs with the ADFS service account, and that the LDAP queries are made with the ADDS configuration information: the ADFS account if nothing is specified, or the information provided in the MMC.
The console and PowerShell use the interactive account connected to the ADFS server, which must be an ADFS Admin (see ADFS properties), but LDAP queries are made with the information above.

So, for example, if you allow the password change, or the password reset after the first connection, or the external lockout, in principle the ADFS account is normally able to read and write the properties of all users for the domain.
You must be sure you have sufficient rights on your second ADDS domain: check that you have the same rights on your second domain or forest.

For information, you can check the source code, or have it checked: when we update the attributes on the backend repositories, we always use the same method. It's good development practice; it's an object class that does that.
In response, when we talk about read/write rights on the whole forest/domain, it is clear that it requires the prerogatives to modify or read properties FOR ALL users.

You did not tell me if it's a second forest or a sub-domain.
However, I will still perform tests.

Regards

redhook62 commented on July 28, 2024

Hi,

No problems for me:

  • 2 forests with a trust relationship, sub-domains.

My ADFS account has read/write on all users' properties and more, for dealing with Connect, change pwd, read DNS, etc.
So, I think you must look at the effective rights on your first forest/domain and ensure you give the same rights on the second forest/domain.

Regards

anorstrom commented on July 28, 2024

Thank you for verifying that.
In the end we found that it was a write permission to one of the MFA attributes that was missing for the ADFS service account on some user objects. Sorry to bother you about that, but now it works nicely.
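The root cause above was a missing WriteProperty right on one MFA attribute for the service account on some user objects. As an added example (not code from the adfsmfa project), the following script audits which attribute-level rights a given account holds directly on one user object, resolving the ACE GUIDs to attribute and property-set names so a missing write right is visible by name. It assumes the RSAT ActiveDirectory module; the account name and user DN are placeholders.

```powershell
# Added audit example, not part of adfsmfa. Lists the ACEs on one AD user object
# that name a given account, with attribute/property-set GUIDs resolved to names.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc-adfs'                          # placeholder: ADFS service account
$UserDn         = 'CN=Jane Doe,OU=Users,DC=contoso,DC=com'    # placeholder: user object to audit

# Map GUID -> name for schema attributes and for property sets / extended rights,
# so object-specific ACEs can be read by attribute name rather than raw GUID.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = "PropertySet/Right: $($_.displayName)" }

# Read the DACL of the user object through the AD: PSDrive and keep only ACEs
# whose trustee is the account under review.
$acl = Get-Acl -Path "AD:\$UserDn"
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    ForEach-Object {
        # An empty ObjectType means the ACE applies to all properties of the object.
        $target = if ($_.ObjectType -eq [guid]::Empty) { 'ALL properties' }
                  elseif ($guidMap.ContainsKey($_.ObjectType)) { $guidMap[$_.ObjectType] }
                  else { $_.ObjectType.ToString() }
        [pscustomobject]@{
            Type      = $_.AccessControlType      # Allow / Deny
            Rights    = $_.ActiveDirectoryRights  # e.g. ReadProperty, WriteProperty
            Target    = $target                   # attribute, property set, or ALL
            Inherited = $_.IsInherited            # false = set directly on this object
        }
    } | Sort-Object Type, Target | Format-Table -AutoSize
```

This shows only ACEs that name the account directly; rights granted through group membership do not appear unless the trustee filter is widened to those groups, which is why the Effective Access tab mentioned earlier in the thread is the authoritative check.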