Thursday, August 11, 2016

ADFS : Installing the on-premises MFA adapter

I've been doing a PoC of this for a customer and finally got this to work.

It's only certified for 2012 R2 so no joy yet for Server 2016.

Firstly you need an Azure subscription so you can download the multi-factor authentication (MFA) module from the Azure AD section.

The subscription itself is free but you have to pay for MFA - either a block amount per user per month or per authentication.

This is a very good blog series on MFA.

Note that I used MFA server version and some of the screen shots in the article no longer apply.

And the blog series is continued with an explanation of methods.

One question I was asked was why would you install this given that Azure AD already has MFA?

One reason is that ADFS has SaaS applications federated directly with it so the MFA needs to be on the ADFS server.

Once you've installed it, you need to add the ADFS adaptor under the ADFS icon.

During the installation it asks you to confirm that KB 2919355 has been installed. This dates from April 2014 and I regularly do "Windows Update" so was pretty sure that it was installed but didn't know how to check.

Quick chat with Mr. Google and via PowerShell:

get-hotfix | where HotfixID -eq 'KB2919355' 

Source     Description   HotFixID      InstalledBy          InstalledOn
------        -----------      --------             -----------             -----------
ADFS     Update          KB2919355    ADFS\admin       2/13/2015 12:00:00 AM

Once it's all installed, I still couldn't see the check box in the ADFS MFA view.

Another quick chat with Mr. Google and via PowerShell:

PS C:\Program Files\Multi-Factor Authentication Server> .\Register-MultiFactorAuthenticationAdfsAdapter.ps1
WARNING: PS0114: The authentication provider was successfully registered with the policy store.  To enable this provider, you must restart the AD FS Windows Service on each server in the farm.

and all was well.

This was described here.

If you want to install the user portal, note that this requires IIS. The installation wizard is pretty good. If something is missing, it tells you and you can then re-run after it has been installed.

Remember to bind https on IIS if you want SSL access.

Before you start, I recommend you read the articles above to give you clear direction and things will be a lot easier.

Have to say that the MFA server is a lot more complex than I envisaged. It probably has more  configuration options than ADFS! One of the reasons for this is that it handles far more than ADFS (or any other adaptor that you want to add into the mix). It also handles IWA, RADIUS, LDAP, applications directly on IIS etc.

In terms of the generated claims rules, you can see them via:

"Get-AdfsRelyingPartyTrust -Name "RP Name" 

under "AdditionalAuthenticationRules" as described here.

I configured the RP for MFA for both Intranet and Extranet and the claims rules were:

c:[Type == "",
Value == "false"]
 => issue(Type =
Value = "");

c:[Type == "",
Value == "true"]
 => issue(Type =
Value = "");

These claims are described here (Part 1) and here (Part 2).


No comments: