ADFS 2016 login using Azure MFA encountered error

Poh Tze Siang 6 Reputation points
2020-09-03T11:21:03.783+00:00

I've set up Azure MFA with ADFS following https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa.

To test,

  1. I browsed to https://[myadfs].com/adfs/ls/idpinitiatedsignon
  2. Clicked "Azure Multi-Factor Authentication"
  3. Entered the username

Immediately after that I get the following error,

An error occurred
An error occurred. Contact your administrator for more information.

Checking the events,

Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
http://[myadfs]/adfs/services/trust

Exception details:
System.Exception: Exception calling SAS. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse]
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& outgoingClaims)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandlerBase.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& adapterClaims)
at Microsoft.IdentityServer.Web.Authentication.Azure.AzurePrimaryAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse]
at Microsoft.IdentityServer.Adapter.AzureMfa.PrimaryAuthenticationAdapter.ProcessUsernameOathCodePin(IAuthenticationContext authContext, IProofData proofData, Claim[]& outgoingClaims)

Help would be greatly appreciated.


2 answers
  1. Kurt Boswood 11 Reputation points
    2020-12-10T02:16:01.063+00:00

    Hi All,

    I had the exact same problem, and thought I'd share the fix.

    If you're receiving:
    System.Exception: Exception calling SAS. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it:

    Ensure you have a system proxy set by running: netsh winhttp set proxy my.proxy.server:8080

    If you're receiving:
    System.Exception: Exception calling SAS. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.

    You either have an invalid or missing Azure MFA certificate - check your "computer" certificate store and look for a "<O365tenantName>.onmicrosoft.com" certificate.

    If you're fortunate enough to have more than one ADFS server, export the certificate from the working server (with private key), and import on any servers missing the cert.

    If you don't have the certificate, you can re-generate as Tspoh mentioned (previous post), by running:
    New-AdfsAzureMfaTenantCertificate -TenantID <your tenant ID> | Out-File amfacert.cer
    P.S. if you re-generate and have more than one ADFS server, ensure you export/import the certificate to any additional servers.

    hope this helps others! :)

    regards,
    Kurt.


  2. David Trevor 306 Reputation points
    2024-12-17T15:38:52.0766667+00:00

    This 401 Unauthorized error can be caused by multiple things. I had the same issue and was able to solve it by making sure of these three things.

    1. During setup, you have to run two cmdlets (New-AdfsAzureMfaTenantCertificate and Set-AdfsAzureMfaTenant). The -TenantId parameter used for both cmdlets must be identical, that is how ADFS identifies which certificate to use. So either use Tenant Name or Tenant ID, do not mix and match!
    2. Make sure all ADFS Servers use TLS 1.2 for .NET Framework. You can ensure this by running tools like IISCrypto or scripts like setupiisforsslperfectforwardsecrecy.ps1
    3. The following two Enterprise Apps must be enabled for user sign-in in your Azure tenant: "Azure Multi-Factor Auth Client" and "Azure Multi-Factor Auth Connector"
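Both answers above boil down to the same set of per-server checks: is the Azure MFA tenant certificate actually in this server's computer store with its private key, does its subject carry the same tenant identifier that was passed to both cmdlets, and can .NET on this box negotiate TLS 1.2. The following PowerShell is an added example written for this page, not code from the thread or from Microsoft's documentation. It only uses cmdlets that ship with Windows Server (Get-AdfsAzureMfaConfigured, Get-ChildItem on the Cert: drive, Get-ItemProperty, Export-/Import-PfxCertificate). The tenant identifier 'contoso.onmicrosoft.com' is a constructed placeholder; substitute the value you actually used, in the same form (name or GUID) everywhere.

```powershell
# Added example: read-only prerequisite check for AD FS + Azure MFA "401 Unauthorized"
# on the SAS call. Run it in an elevated PowerShell on EVERY server in the farm;
# a cert that exists on one member and not another is a common cause.
#Requires -RunAsAdministrator

function Test-AdfsAzureMfaPrereq {
    param(
        # The exact value passed as -TenantId to New-AdfsAzureMfaTenantCertificate
        # and Set-AdfsAzureMfaTenant. Constructed placeholder below; use yours.
        [Parameter(Mandatory)] [string] $TenantId
    )
    $result = [ordered]@{}

    # 1. Is Azure MFA registered with this farm at all?
    $result.AzureMfaConfigured = Get-AdfsAzureMfaConfigured

    # 2. The tenant certificate must be in the computer's Personal store on THIS
    #    server, with its private key, and still valid. Its subject carries the
    #    tenant identifier, so a name/GUID mix-up shows up here as "MISSING".
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match [regex]::Escape($TenantId) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($null -eq $cert) {
        $result.TenantCert = "MISSING: no LocalMachine\My cert with '$TenantId' in its subject"
    } else {
        $result.TenantCert      = $cert.Subject
        $result.Thumbprint      = $cert.Thumbprint
        $result.HasPrivateKey   = $cert.HasPrivateKey      # $false means a public-only import
        $result.DaysUntilExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }

    # 3. .NET Framework must be allowed to use TLS 1.2 for the outbound SAS request.
    #    A value of 1 for both keys lets .NET follow the OS defaults / strong crypto;
    #    $null means the value is unset (then .NET's own defaults decide).
    foreach ($hive in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $p = Get-ItemProperty -Path $hive -ErrorAction SilentlyContinue
        $result["$hive SchUseStrongCrypto"]       = $p.SchUseStrongCrypto
        $result["$hive SystemDefaultTlsVersions"] = $p.SystemDefaultTlsVersions
    }

    [pscustomobject]$result
}

Test-AdfsAzureMfaPrereq -TenantId 'contoso.onmicrosoft.com' | Format-List

# Remediation, chosen from what the check above reports:
#
# (a) Cert present on another farm member but MISSING here: copy it WITH the private key.
#     On the server that has it:
#       $pw = Read-Host -AsSecureString 'PFX password'
#       Export-PfxCertificate -Cert "Cert:\LocalMachine\My\<thumbprint>" -FilePath .\amfa.pfx -Password $pw
#     On the server missing it:
#       Import-PfxCertificate -FilePath .\amfa.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pw
#     Then delete amfa.pfx: it holds the key that authenticates your farm to Azure MFA.
#
# (b) Cert missing everywhere, or wrong tenant identifier in the subject: regenerate and
#     re-register, using the SAME -TenantId form for both cmdlets, then repeat (a) for
#     the other farm members.
#       New-AdfsAzureMfaTenantCertificate -TenantId 'contoso.onmicrosoft.com' | Out-File amfacert.cer
#       # upload amfacert.cer to the tenant as described in the Microsoft doc linked in the question
#       Set-AdfsAzureMfaTenant -TenantId 'contoso.onmicrosoft.com' -ClientId <client ID from that doc>
```

A caveat before regenerating: New-AdfsAzureMfaTenantCertificate creates a new key pair, so the old certificate registered in the tenant stops being valid for the farm; you have to upload the new one and copy it to every farm member, or the 401 simply moves to whichever server you did not touch. The TLS registry values are only one way to enforce TLS 1.2 for .NET (the tools named in the second answer set the same keys among others), and the third point in that answer, the two "Azure Multi-Factor Auth" enterprise apps being enabled for sign-in, is a tenant-side setting that no local check can see; look at it in the Entra portal if everything above comes back clean.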
