1 Vote
tspoh asked, MichaelParry-5753 commented

ADFS 2016 login using Azure MFA encountered error

I've set up Azure MFA with ADFS following https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa.

To test,

  1. I browsed to https://[myadfs].com/adfs/ls/idpinitiatedsignon

  2. Clicked "Azure Multi-Factor Authentication"

  3. Entered the username


Immediately after that I get the following error,

An error occurred
An error occurred. Contact your administrator for more information.

Checking the events,

Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
http://[myadfs]/adfs/services/trust

Exception details:
System.Exception: Exception calling SAS. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& outgoingClaims)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandlerBase.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& adapterClaims)
at Microsoft.IdentityServer.Web.Authentication.Azure.AzurePrimaryAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)

Help would be greatly appreciated.

Tags: adfs, azure-ad-multi-factor-authentication

Usually this issue is related to a problem with the certificate on the ADFS server. Have you double-checked the certificate configuration, as discussed in this post?


tspoh replied to MarileeTurscak-MSFT:

The certificate is generated by New-AdfsAzureMfaTenantCertificate cmdlet and I have performed steps 1 to 3 of https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa multiple times resulting in multiple certs being generated.

I used the cmdlet below to get the current applied cert and it matches the latest one generated by New-AdfsAzureMfaTenantCertificate

 New-AdfsAzureMfaTenantCertificate -TenantID <your tenant ID> | Out-File amfacert.cer

I also did a test using the script MFA_NPS_TroubleshooterV4, and the result is as follows:

[attached screenshot: image.png (71.0 KiB), output of MFA_NPS_TroubleshooterV4]

Hi, are there any updates with this case? If not, please select the appropriate response as "Answered." Otherwise please let us know how we can assist you.


Wondering if you ever figured this out? Same issue here.


1 Answer

2 Votes
kboswood answered, MichaelParry-5753 commented

Hi All,

I had the exact same problem, and thought I'd share the fix.



If you're receiving:
System.Exception: Exception calling SAS. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it:

Ensure you have a system proxy set by running: netsh winhttp set proxy my.proxy.server:8080


If you're receiving:
System.Exception: Exception calling SAS. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.

You either have an invalid or missing Azure MFA certificate - check your "computer" certificate store and look for a "O365tenantName*.onmicrosoft.com*" certificate.

If you're fortunate enough to have more than one ADFS server, export the certificate from the working server (with private key), and import on any servers missing the cert.


If you don't have the certificate, you can re-generate as Tspoh mentioned (previous post), by running:
New-AdfsAzureMfaTenantCertificate -TenantID <your tenant ID> | Out-File amfacert.cer
P.S. if you re-generate and have more than one ADFS server, ensure you export/import the certificate to any additional servers.


Hope this helps others! :)


regards,
Kurt.
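The two checks in this answer (the WinHTTP proxy for the "actively refused" case, and the Azure MFA tenant certificate with its private key for the 401 case) can be audited across a farm from one console. The script below is an added example, not code from the answer or from Microsoft; it assumes WinRM is reachable on every node, that you run it as an AD FS administrator, and that the subject of your Azure MFA certificate matches `$CertSubjectPattern` (the `*onmicrosoft.com*` pattern is the one the answer gives; `adfs01`/`adfs02` are placeholder names). It only reads; it changes nothing.

```powershell
# Added example (not from the original answer): audit every AD FS node for the
# Azure MFA tenant certificate and report the WinHTTP proxy the answer mentions.
# Assumptions: WinRM enabled to each node, run as an AD FS admin, and
# $CertSubjectPattern matches the subject of the Azure MFA cert in your tenant.
param(
    [string[]]$FarmServers = @('adfs01', 'adfs02'),      # placeholder node names
    [string]$CertSubjectPattern = '*onmicrosoft.com*'    # pattern quoted in the answer
)

$report = Invoke-Command -ComputerName $FarmServers -ArgumentList $CertSubjectPattern -ScriptBlock {
    param($pattern)

    # The adapter signs its requests to the Azure MFA service with this cert, so it
    # must be present in the computer's Personal store WITH its private key on every node.
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like $pattern }

    # Proxy used by WinHTTP callers such as the AD FS service (cf. "netsh winhttp set proxy").
    $proxy = (netsh winhttp show proxy) -join ' '

    foreach ($c in $certs) {
        [pscustomobject]@{
            Server        = $env:COMPUTERNAME
            Subject       = $c.Subject
            Thumbprint    = $c.Thumbprint
            HasPrivateKey = $c.HasPrivateKey
            NotAfter      = $c.NotAfter
            Expired       = ($c.NotAfter -lt (Get-Date))
            WinHttpProxy  = $proxy
        }
    }
    if (-not $certs) {
        # Emit one row so a node with no matching cert still shows up in the report.
        [pscustomobject]@{
            Server        = $env:COMPUTERNAME
            Subject       = '<none matching>'
            Thumbprint    = $null
            HasPrivateKey = $false
            NotAfter      = $null
            Expired       = $true
            WinHttpProxy  = $proxy
        }
    }
}

$report | Sort-Object Server, NotAfter -Descending | Format-Table -AutoSize

# A node with no unexpired cert that carries a private key is one that will fail
# the SAS call; list those nodes explicitly.
$bad = $report | Group-Object Server | Where-Object {
    -not ($_.Group | Where-Object { $_.HasPrivateKey -and -not $_.Expired })
}
if ($bad) {
    Write-Warning ("Nodes without a usable Azure MFA certificate: " + ($bad.Name -join ', '))
}
```

Because New-AdfsAzureMfaTenantCertificate produces a fresh certificate on each run (as the asker observed above), a node can hold several matching certificates; the report lists all of them per server so you can see which thumbprint is newest and whether it is the one that was exported to the other nodes.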


I am having this same issue & this is not the fix. The certificate works & I'm able to use MFA for logging into O365, but when I try to access my existing OWA, I get the same error as above.

I'm guessing it has to do with claim issuance, but not entirely sure where to go?


I know this is an old post, but only encountered this problem last week when my company's Office 365 MFA stopped working unexpectedly.

We're running AD FS 4.0 on Windows Server 2016 instances, and had no issues since the last certificate renewal in June 2022.

In PowerShell on servers, Connect-MsolService and Connect-AzureAD gave errors which pointed to TLS issues.

A PowerShell command to set TLS 1.2 in PS and forcibly refresh the PowerShell-Get module seemed to resolve it, but the issues persisted once the PS session ended.

Found reference-connect-tls-enforcement to enforce TLS 1.2 on the AD FS farm and completed TLS 1.2 enabling.

Also found ObjectId within AzureAD for the Azure Multi-Factor Authentication Client was not as listed in the MS docs for replacing the AzureMFATenant certificate. Attempts to apply the new certificate returned errors indicating the ObjectId was not recognised in AzureAD.

We ran Get-MsolServicePrincipal and Get-AzureADServicePrincipal and compared the outputs and found the correct values (which were different than previous, as we had fully documented the steps for our previous certificate replacement as part of training a new team member).

Finally, after successfully enabling TLS 1.2 on the AD FS server farm, ensuring the AzureMFATenant certificate was up to date and applied successfully, and the servers restarted following the Windows updates, the Office 365/Azure MFA began working as normal.


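The comment above resolved the problem partly by enforcing TLS 1.2 on the AD FS farm. The following read-only audit is an added example, not code from the comment or from Microsoft; it assumes the registry values it reads are the ones the linked TLS enforcement guidance sets (the .NET Framework strong-crypto switches and the SCHANNEL TLS 1.2 client keys), and `adfs01`/`adfs02` are placeholder node names. Run it before and after the change to confirm every node in the farm agrees.

```powershell
# Added example (not part of the comment above): read-only audit of the TLS 1.2
# settings on each AD FS node. Assumption: these registry values are the ones the
# TLS 1.2 enforcement guidance configures; nothing here modifies the registry.
param([string[]]$FarmServers = @('adfs01', 'adfs02'))  # placeholder node names

Invoke-Command -ComputerName $FarmServers -ScriptBlock {
    $net   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $net32 = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    $tls12 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

    $checks = @(
        # .NET must defer to the OS-default (strong) TLS versions; otherwise managed
        # callers such as the MFA adapter or Connect-MsolService may still offer TLS 1.0/1.1.
        @{ Path = $net;   Name = 'SchUseStrongCrypto';       Want = 1 },
        @{ Path = $net;   Name = 'SystemDefaultTlsVersions'; Want = 1 },
        @{ Path = $net32; Name = 'SchUseStrongCrypto';       Want = 1 },
        @{ Path = $net32; Name = 'SystemDefaultTlsVersions'; Want = 1 },
        # SCHANNEL client side: TLS 1.2 enabled and not disabled by default.
        @{ Path = $tls12; Name = 'Enabled';                  Want = 1 },
        @{ Path = $tls12; Name = 'DisabledByDefault';        Want = 0 }
    )

    foreach ($c in $checks) {
        # A missing value is reported as '<missing>' rather than silently treated as 0.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Server = $env:COMPUTERNAME
            Key    = "$($c.Path)\$($c.Name)"
            Actual = if ($null -eq $actual) { '<missing>' } else { $actual }
            Want   = $c.Want
            OK     = ($null -ne $actual -and $actual -eq $c.Want)
        }
    }
} | Sort-Object Server, Key | Format-Table -AutoSize
```

Any row with OK = False on one node but True on another explains the "works from one server, fails from the other" pattern behind intermittent MFA failures; the comment's own fix (enable TLS 1.2 farm-wide, refresh the tenant certificate, reboot after updates) then applies to the node that disagrees.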