tspoh asked djtheri commented

ADFS 2016 login using Azure MFA encountered error

I've set up Azure MFA with ADFS following https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa.

To test,

  1. I browsed to https://[myadfs].com/adfs/ls/idpinitiatedsignon

  2. Clicked "Azure Multi-Factor Authentication"

  3. Entered the username


Immediately after that I get the following error,

An error occurred
An error occurred. Contact your administrator for more information.

Checking the events,

Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
http://[myadfs]/adfs/services/trust

Exception details:
System.Exception: Exception calling SAS. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& outgoingClaims)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandlerBase.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& adapterClaims)
at Microsoft.IdentityServer.Web.Authentication.Azure.AzurePrimaryAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)

Help would be greatly appreciated.

Tags: adfs, azure-ad-multi-factor-authentication

Usually this issue is related to a problem with the certificate on the ADFS server. Have you double-checked the certificate configuration, as discussed in this post?


tspoh (replying to MarileeTurscak-MSFT):

The certificate is generated by New-AdfsAzureMfaTenantCertificate cmdlet and I have performed steps 1 to 3 of https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa multiple times resulting in multiple certs being generated.

I used the cmdlet below to get the currently applied cert, and it matches the latest one generated by New-AdfsAzureMfaTenantCertificate:

New-AdfsAzureMfaTenantCertificate -TenantID <your tenant ID> | Out-File amfacert.cer

I also did a test using the script MFA_NPS_TroubleshooterV4, and the result is as follows:
[attached screenshot: image.png]

Hi, are there any updates with this case? If not, please select the appropriate response as "Answered." Otherwise please let us know how we can assist you.


Wondering if you ever figured this out? Same issue here.


1 Answer

kboswood answered djtheri commented

Hi All,

I had the exact same problem and thought I'd share the fix.



If you're receiving:
System.Exception: Exception calling SAS. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it:

Ensure you have a system proxy set by running: netsh winhttp set proxy my.proxy.server:8080


If you're receiving:
System.Exception: Exception calling SAS. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.

You either have an invalid or missing Azure MFA certificate. Check your "computer" certificate store and look for a "O365tenantName*.onmicrosoft.com*" certificate.

If you're fortunate enough to have more than one ADFS server, export the certificate from the working server (with private key), and import on any servers missing the cert.


If you don't have the certificate, you can regenerate it as tspoh mentioned (previous post) by running:
New-AdfsAzureMfaTenantCertificate -TenantID <your tenant ID> | Out-File amfacert.cer
P.S. If you regenerate and have more than one ADFS server, ensure you export/import the certificate to any additional servers.


Hope this helps others! :)


Regards,
Kurt.

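The two checks in Kurt's answer (WinHTTP proxy for the "actively refused" variant, the tenant certificate in the computer store for the 401 variant) can be run as one triage script on each AD FS server. The script below is an added example and is not code from the original answer or from Microsoft's documentation. It assumes it is run elevated on an AD FS 2016 farm member; the tenant ID, the export path, and the subject patterns used to find the certificate (tenant ID, "Azure MFA", or the onmicrosoft.com name from this thread) are assumptions and placeholders.

```powershell
# Added example, not from the original thread. Assumes: elevated PowerShell on an
# AD FS server; $TenantId and $ExportPath are placeholders supplied by the operator.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [string] $ExportPath = "C:\temp\adfs-azure-mfa.pfx"   # placeholder path
)

# 1) "No connection could be made because the target machine actively refused it":
#    the AD FS service uses the WinHTTP proxy, not the browser's, so show that one.
Write-Host "WinHTTP proxy seen by the AD FS service:"
netsh winhttp show proxy

# 2) "(401) Unauthorized": the certificate that New-AdfsAzureMfaTenantCertificate put in
#    the computer's personal store is missing, expired, or has no private key.
#    The subject patterns are an assumption covering the naming forms mentioned in the thread.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match [regex]::Escape($TenantId) -or
                   $_.Subject -match 'Azure MFA' -or
                   $_.Subject -match 'onmicrosoft\.com' }

if (-not $candidates) {
    Write-Warning "No Azure MFA tenant certificate found in Cert:\LocalMachine\My."
    Write-Warning "Regenerate with: New-AdfsAzureMfaTenantCertificate -TenantID $TenantId, then repeat the registration steps of the linked doc."
    return
}

# Report every candidate so stale certificates left over from repeated regeneration are visible.
$now = Get-Date
$candidates | ForEach-Object {
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        Subject       = $_.Subject
        NotAfter      = $_.NotAfter
        Expired       = $_.NotAfter -lt $now
        HasPrivateKey = $_.HasPrivateKey
    }
} | Format-Table -AutoSize

# Pick the newest certificate that is unexpired and has its private key, and export it
# (with the key) so the other farm members can import the same one.
$good = $candidates |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt $now } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if ($good) {
    $pw = Read-Host "Password to protect the PFX" -AsSecureString
    Export-PfxCertificate -Cert $good -FilePath $ExportPath -Password $pw | Out-Null
    Write-Host "Exported $($good.Thumbprint) to $ExportPath."
    Write-Host "On each other AD FS server run:"
    Write-Host "  Import-PfxCertificate -FilePath $ExportPath -CertStoreLocation Cert:\LocalMachine\My -Password (Read-Host -AsSecureString)"
} else {
    Write-Warning "Every candidate is expired or lacks a private key; regenerate the certificate and re-register it."
}
```

Two cautions when using this: the exported PFX is the credential AD FS presents to the Azure MFA service, so copy it to the other servers over a trusted channel and delete it once imported; and after regenerating rather than copying, the new public key still has to be registered in the tenant (steps 2 and 3 of the linked doc) before the 401 goes away, because a certificate that exists locally but is unknown to the tenant is exactly the "invalid" case the answer describes.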

I am having this same issue & this is not the fix. The certificate works & I'm able to use MFA for logging into O365, but when I try to access my existing OWA, I get the same error as above.

I'm guessing it has to do with claim issuance, but I'm not entirely sure where to go.
