Security – Error after upgrading Multi Factor Authentication Server to version 7

If you already use Microsoft Azure MFA with the on-premises solution (Multi Factor Authentication Server) and want to upgrade (or have already upgraded) to the latest version (7.0.2 at the time of writing this post), you may see the following error after upgrading your ADFS connector if MFA is integrated with ADFS, especially when you restart your ADFS services.

Log Name:      AD FS/Admin
Source:        AD FS
Date:          7/9/2016 10:55:08 AM
Event ID:      105
Task Category: None
Level:         Error
Keywords:      AD FS
User:         
Computer:     
Description:
An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Identifier: WindowsAzureMultiFactorAuthentication
Context: Proxy device TLS pipeline

Additional Data
Exception details:
The external authentication method pfadfs.AuthenticationAdapter, MultiFactorAuthAdfsAdapter, Version=6.3.0.17452, Culture=neutral, PublicKeyToken=31bf3856ad364e35 could not be loaded. Could not load file or assembly ‘MultiFactorAuthAdfsAdapter, Version=6.3.0.17452, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies. The system cannot find the file specified.

This is because the resource has been renamed.

To solve the issue, you need to unregister the previous version of the ADFS connector and then register the new one.

Disable MFA in ADFS

If you have already integrated MFA with your ADFS, this means you are using it (or should be).

Before unregistering the “old” version, you need to disable it in your ADFS console, under Authentication Policies.


Unregister the previous version

Open a PowerShell prompt and run the following command:

Unregister-AdfsAuthenticationProvider -Name WindowsAzureMultiFactorAuthentication

If you did not disable the connector in ADFS first, you will get this error:


Unregister-AdfsAuthenticationProvider : PS0099: The specified authentication provider cannot be removed from the
policy store.  The provider is currently specified in the additional authentication providers list. Remove the
provider from the additional authentication providers list.
At line:1 char:1
+ Unregister-AdfsAuthenticationProvider -Name WindowsAzureMultiFactorAuthenticatio …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Unregister-AdfsAuthenticationProvider], ArgumentException
    + FullyQualifiedErrorId : PS0099: The specified authentication provider cannot be removed from the policy store.
   The provider is currently specified in the additional authentication providers list. Remove the provider from the
  additional authentication providers list.,Microsoft.IdentityServer.Management.Commands.RemoveExternalAuthProviderC
  ommand

Once completed, restart the ADFS service.


Register the new version

Run the PowerShell script provided with MFA to register the new version. The script is located in the C:\Program Files\Multi-Factor Authentication Server folder and is called Register-MultiFactorAuthenticationAdfsAdapter.ps1.


Once completed, restart your ADFS services again.

Re-enable the connector

Reopen your ADFS console and browse to the Authentication Policies to re-enable the connector; you will notice the name has been changed to Azure Multi-Factor Authentication Server.
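The same procedure scripted end to end, as an added example (not part of the original post and not the vendor's script). It assumes an elevated prompt on the ADFS server, that the old adapter is enabled only in the global authentication policy, and that the newly registered provider can be identified by comparing the provider list before and after the register script runs; adfssrv is the ADFS Windows service name.

```powershell
# Added example: scripted version of the console steps above. Run elevated.
Import-Module ADFS
$ErrorActionPreference = 'Stop'

$OldName   = 'WindowsAzureMultiFactorAuthentication'   # identifier from event 105
$MfaFolder = 'C:\Program Files\Multi-Factor Authentication Server'

# 1. Disable: take the old adapter out of the additional authentication
#    providers list, otherwise Unregister fails with PS0099.
$policy = Get-AdfsGlobalAuthenticationPolicy
$keep   = @($policy.AdditionalAuthenticationProvider |
            Where-Object { $_ -and $_ -ne $OldName })
$arg    = if ($keep.Count) { $keep } else { $null }   # $null clears the list
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $arg

# 2. Unregister the previous adapter, then restart the service.
Unregister-AdfsAuthenticationProvider -Name $OldName -Confirm:$false
Restart-Service adfssrv

# 3. Register the new adapter with the script shipped with MFA Server.
#    Snapshot the provider names first so the new one can be detected.
$before = @(Get-AdfsAuthenticationProvider | ForEach-Object { $_.Name })
Push-Location $MfaFolder
try     { & .\Register-MultiFactorAuthenticationAdfsAdapter.ps1 }
finally { Pop-Location }
Restart-Service adfssrv

$new = @(Get-AdfsAuthenticationProvider | ForEach-Object { $_.Name } |
         Where-Object { $before -notcontains $_ })
if ($new.Count -ne 1) {
    throw "Expected exactly one newly registered provider, found $($new.Count)."
}

# 4. Re-enable: put the new adapter back in the global policy.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($keep + $new)

# 5. Verify that MFA is enabled again before finishing.
$final = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
if ($final -notcontains $new[0]) {
    throw "Provider '$($new[0])' is registered but not enabled in the global policy."
}
"Enabled additional authentication providers: $($final -join ', ')"
```

The final check matters because a run that stops after step 2 leaves no MFA adapter enabled in the global policy.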

