If you use Active Directory Federation Services (AD FS) and want to secure cloud or on-premises resources, you can configure Azure Multi-Factor Authentication Server to work with AD FS. This configuration triggers two-step verification for high-value endpoints.
In this article, we discuss using Azure Multi-Factor Authentication Server with AD FS in Windows Server 2012 R2 or Windows Server 2016. For more information, read about how to secure cloud and on-premises resources by using Azure Multi-Factor Authentication Server with AD FS 2.0.
Secure Windows Server AD FS with Azure Multi-Factor Authentication Server
When you install Azure Multi-Factor Authentication Server, you have the following options:
- Install Azure Multi-Factor Authentication Server locally on the same server as AD FS
- Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer
Before you begin, be aware of the following information:
- You are not required to install Azure Multi-Factor Authentication Server on your AD FS server. However, you must install the Multi-Factor Authentication adapter for AD FS on a Windows Server 2012 R2 or Windows Server 2016 that is running AD FS. You can install the server on a different computer if it is a supported version and you install the AD FS adapter separately on your AD FS federation server. See the following procedures to learn how to install the adapter separately.
- If your organization is using text message or mobile app verification methods, the strings defined in Company Settings contain a placeholder, <$application_name$>. In MFA Server v7.1, you can provide an application name that replaces this placeholder. In v7.0 or older, this placeholder is not automatically replaced when you use the AD FS adapter. For those older versions, remove the placeholder from the appropriate strings when you secure AD FS.
- The account that you use to sign in must have user rights to create security groups in your Active Directory service.
- The Multi-Factor Authentication AD FS adapter installation wizard creates a security group called PhoneFactor Admins in your instance of Active Directory. It then adds the AD FS service account of your federation service to this group. Verify on your domain controller that the PhoneFactor Admins group is indeed created and that the AD FS service account is a member of this group. If necessary, manually add the AD FS service account to the PhoneFactor Admins group on your domain controller.
- For information about installing the Web Service SDK with the user portal, read about deploying the user portal for Azure Multi-Factor Authentication Server.
Install Azure Multi-Factor Authentication Server locally on the AD FS server
- Download and install Azure Multi-Factor Authentication Server on your AD FS server. For installation information, read about getting started with Azure Multi-Factor Authentication Server.
- In the Azure Multi-Factor Authentication Server management console, click the AD FS icon. Select the options Allow user enrollment and Allow users to select method.
- Select any additional options you'd like to specify for your organization.
Click Install AD FS Adapter.
If the Active Directory window is displayed, that means two things. Your computer is joined to a domain, and the Active Directory configuration for securing communication between the AD FS adapter and the Multi-Factor Authentication service is incomplete. Click Next to automatically complete this configuration, or select the Skip automatic Active Directory configuration and configure settings manually check box. Click Next.
- If the Local Group windows is displayed, that means two things. Your computer is not joined to a domain, and the local group configuration for securing communication between the AD FS adapter and the Multi-Factor Authentication service is incomplete. Click Next to automatically complete this configuration, or select the Skip automatic Local Group configuration and configure settings manually check box. Click Next.
- In the installation wizard, click Next. Azure Multi-Factor Authentication Server creates the PhoneFactor Admins group and adds the AD FS service account to the PhoneFactor Admins group.
- On the Launch Installer page, click Next.
- In the Multi-Factor Authentication AD FS adapter installer, click Next.
- Click Close when the installation is finished.
- When the adapter has been installed, you must register it with AD FS. Open Windows PowerShell and run the following command:
C:\Program Files\Multi-Factor Authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1
- To use your newly registered adapter, edit the global authentication policy in AD FS. In the AD FS management console, go to the Authentication Policies node. In the Multi-factor Authentication section, click the Edit link next to the Global Settings section. In the Edit Global Authentication Policy window, select Multi-Factor Authentication as an additional authentication method, and then click OK. The adapter is registered as WindowsAzureMultiFactorAuthentication. Restart the AD FS service for the registration to take effect.
At this point, Multi-Factor Authentication Server is set up to be an additional authentication provider to use with AD FS.
Install a standalone instance of the AD FS adapter by using the Web Service SDK
- Install the Web Service SDK on the server that is running Multi-Factor Authentication Server.
- Copy the following files from the \Program Files\Multi-Factor Authentication Server directory to the server on which you plan to install the AD FS adapter:
- Run the MultiFactorAuthenticationAdfsAdapterSetup64.msi installation file.
- In the Multi-Factor Authentication AD FS adapter installer, click Next to start the installation.
- Click Close when the installation is finished.
Edit the MultiFactorAuthenticationAdfsAdapter.config file
Follow these steps to edit the MultiFactorAuthenticationAdfsAdapter.config file:
- Set the UseWebServiceSdk node to true.
- Set the value for WebServiceSdkUrl to the URL of the Multi-Factor Authentication Web Service SDK. For example: https://contoso.com/<certificatename>/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx, Where certificatename is the name of your certificate.
- Edit the Register-MultiFactorAuthenticationAdfsAdapter.ps1 script by adding -ConfigurationFilePath <path> to the end of the
Register-AdfsAuthenticationProvidercommand, where <path> is the full path to the MultiFactorAuthenticationAdfsAdapter.config file.
Configure the Web Service SDK with a username and password
There are two options for configuring the Web Service SDK. The first is with a username and password, the second is with a client certificate. Follow these steps for the first option, or skip ahead for the second.
- Set the value for WebServiceSdkUsername to an account that is a member of the PhoneFactor Admins security group. Use the <domain>\<user name> format.
- Set the value for WebServiceSdkPassword to the appropriate account password.
Configure the Web Service SDK with a client certificate
If you don't want to use a username and password, follow these steps to configure the Web Service SDK with a client certificate.
- Obtain a client certificate from a certificate authority for the server that is running the Web Service SDK. Learn how to obtain client certificates.
- Import the client certificate to the local computer personal certificate store on the server that is running the Web Service SDK. Make sure that the certificate authority's public certificate is in Trusted Root Certificates certificate store.
- Export the public and private keys of the client certificate to a .pfx file.
- Export the public key in Base64 format to a .cer file.
- In Server Manager, verify that the Web Server (IIS)\Web Server\Security\IIS Client Certificate Mapping Authentication feature is installed. If it is not installed, select Add Roles and Features to add this feature.
- In IIS Manager, double-click Configuration Editor in the website that contains the Web Service SDK virtual directory. It is important to select the website, not the virtual directory.
- Go to the system.webServer/security/authentication/iisClientCertificateMappingAuthentication section.
- Set enabled to true.
- Set oneToOneCertificateMappingsEnabled to true.
- Click the ... button next to oneToOneMappings, and then click the Add link.
- Open the Base64 .cer file you exported earlier. Remove -----BEGIN CERTIFICATE-----, -----END CERTIFICATE-----, and any line breaks. Copy the resulting string.
- Set certificate to the string copied in the preceding step.
- Set enabled to true.
- Set userName to an account that is a member of the PhoneFactor Admins security group. Use the <domain>\<user name> format.
- Set the password to the appropriate account password, and then close Configuration Editor.
- Click the Apply link.
- In the Web Service SDK virtual directory, double-click Authentication.
- Verify that ASP.NET Impersonation and Basic Authentication are set to Enabled, and that all other items are set to Disabled.
- In the Web Service SDK virtual directory, double-click SSL Settings.
- Set Client Certificates to Accept, and then click Apply.
- Copy the .pfx file you exported earlier to the server that is running the AD FS adapter.
- Import the .pfx file to the local computer personal certificate store.
- Right-click and select Manage Private Keys, and then grant read access to the account you used to sign in to the AD FS service.
- Open the client certificate and copy the thumbprint from the Details tab.
- In the MultiFactorAuthenticationAdfsAdapter.config file, set WebServiceSdkCertificateThumbprint to the string copied in the previous step.
Finally, to register the adapter, run the \Program Files\Multi-Factor Authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1 script in PowerShell. The adapter is registered as WindowsAzureMultiFactorAuthentication. Restart the AD FS service for the registration to take effect.
Secure Azure AD resources using AD FS
To secure your cloud resource, set up a claims rule so that Active Directory Federation Services emits the multipleauthn claim when a user performs two-step verification successfully. This claim is passed on to Azure AD. Follow this procedure to walk through the steps:
- Open AD FS Management.
- On the left, select Relying Party Trusts.
Right-click on Microsoft Office 365 Identity Platform and select Edit Claim Rules…
On Issuance Transform Rules, click Add Rule.
On the Add Transform Claim Rule Wizard, select Pass Through or Filter an Incoming Claim from the drop-down and click Next.
Give your rule a name.
- Select Authentication Methods References as the Incoming claim type.
- Select Pass through all claim values.
- Click Finish. Close the AD FS Management console.
For troubleshooting help, see the Azure Multi-Factor Authentication FAQs