ADFS 2016 login using Azure MFA encountered error

Poh Tze Siang 6 Reputation points
2020-09-03T11:21:03.783+00:00

I've set up Azure MFA with ADFS following https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa.

To test,

  1. I browsed to https://[myadfs].com/adfs/ls/idpinitiatedsignon
  2. Clicked "Azure Multi-Factor Authentication"
  3. Entered the username

Immediately after that I get the following error,

An error occurred
An error occurred. Contact your administrator for more information.

Checking the events,

Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
http://[myadfs]/adfs/services/trust

Exception details:
System.Exception: Exception calling SAS. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse]
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& outgoingClaims)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandlerBase.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& adapterClaims)
at Microsoft.IdentityServer.Web.Authentication.Azure.AzurePrimaryAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse]
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)

Help would be greatly appreciated.


1 answer

  1. Kurt Boswood 11 Reputation points
    2020-12-10T02:16:01.063+00:00

    Hi All,

    I had the exact same problem, and thought I'd share the fix.

    If you're receiving:
    System.Exception: Exception calling SAS. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it:

    Ensure you have a system proxy set by running: netsh winhttp set proxy my.proxy.server:8080

    If you're receiving:
    System.Exception: Exception calling SAS. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.

    You either have an invalid or missing Azure MFA certificate - check your "computer" certificate store and look for a "O365tenantName.onmicrosoft.com" certificate.

    If you're fortunate enough to have more than one ADFS server, export the certificate from the working server (with private key), and import on any servers missing the cert.

    If you don't have the certificate, you can re-generate as Tspoh mentioned (previous post), by running:
    New-AdfsAzureMfaTenantCertificate -TenantID <your tenant ID> | Out-File amfacert.cer
    P.S. if you re-generate and have more than one ADFS server, ensure you export/import the certificate to any additional servers.

    Hope this helps others! :)

    Regards,
    Kurt.

    2 people found this answer helpful.
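The two checks in the answer above (system proxy for the "connection refused" case, tenant certificate in the computer store for the 401 case) as an added PowerShell script to run on each AD FS server; this is example code, not from the post. It assumes the certificate subject contains the tenant name, as the answer describes, and "contoso.onmicrosoft.com" is a placeholder to replace with your own tenant.

```powershell
# Added example: verify the Azure MFA prerequisites named in the answer on this AD FS node.
# Run in an elevated PowerShell on every server in the farm and compare the thumbprints.
param(
    [string]$TenantName = "contoso.onmicrosoft.com"   # placeholder, replace with your tenant
)

# Check 1: WinHTTP system proxy. A missing proxy is the cause of the
# "No connection could be made because the target machine actively refused it" variant.
Write-Host "WinHTTP proxy configuration:"
netsh winhttp show proxy

function Get-AdfsAzureMfaCertStatus {
    # Returns one status object per matching certificate in the machine store,
    # or nothing if no certificate with the tenant name in its subject exists.
    param([Parameter(Mandatory)][string]$TenantName)

    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$TenantName*" } |
        ForEach-Object {
            $problems = @()
            if (-not $_.HasPrivateKey) { $problems += 'no private key (export from a working node WITH the key)' }
            if ($_.NotAfter -lt $now)  { $problems += "expired $($_.NotAfter)" }
            if ($_.NotBefore -gt $now) { $problems += 'not yet valid' }
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
                Status     = if ($problems) { $problems -join '; ' } else { 'OK' }
            }
        }
}

# Check 2: the tenant certificate. Absent or unusable matches the
# "(401) Unauthorized" variant from the question.
$status = @(Get-AdfsAzureMfaCertStatus -TenantName $TenantName)
if ($status.Count -eq 0) {
    Write-Warning "No certificate whose subject contains '$TenantName' in Cert:\LocalMachine\My."
    Write-Warning "Import it from a working node (with private key) or re-generate it with New-AdfsAzureMfaTenantCertificate."
} else {
    $status | Format-Table -AutoSize
}
```

Thumbprints that differ between farm nodes, or a node that reports no certificate, point at the server that needs the export/import step from the answer.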