

Selected authentication method is not available for user

Question

Wednesday, October 25, 2017 9:31 AM

I have an ADFS 2016 farm configured to use Azure MFA. I followed the steps outlined here, https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa. I tested that it worked on a couple of our ADFS services, including Salesforce. All good.

Over the last couple of days it has stopped working. There have been no configuration changes. The users see an error "selected authentication method is not available for user".

I see this error in the ADFS logs:

Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
https://xxxx.xxxx.com/integration/splogin

Exception details:
Microsoft.IdentityServer.Web.Authentication.AuthenticationMethodUnavailableException: The selected authentication method is not available. Choose another authentication method or contact your system administrator for details.
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

As I said, this was working fine and nothing has changed. I have disabled and re-enabled MFA as an authentication method and rebooted every server in the farm for good measure.

I was going to go through the configuration again but I can't create a new certificate, nor can I see a way to get the GUID for the old certificate.

Any help would be appreciated.

Peter

All replies (4)

Wednesday, October 25, 2017 2:17 PM

Users are not registered for MFA, you need to be registered for MFA. You need to go through the proofup process before. Go to this link - https://account.activedirectory.windowsazure.com/Proofup.aspx
This allows the user to set up MFA themselves, especially useful for users who do not log in via the browser. where you can manage the Multi-factor Authentication settings for the Users.

Do click on "Mark as Answer" on the post that helps you and vote it as helpful, this can be beneficial to other community members.  


Wednesday, October 25, 2017 2:50 PM

The user (me for example) is 100% registered in MFA. We use the same MFA for Office 365 and that works fine. I already tried re-onboarding but it didn't make a difference.


Friday, October 27, 2017 7:52 PM

We have this same issue and a case open w/ MS on it but no solution yet.


Wednesday, November 1, 2017 4:36 PM

@Peter Eccles, this query requires a deep technical dive, we would also need sensitive account and subscription details from you. Since this is beyond the purview of the Forums Support, request you to kindly open a Technical Support Ticket on the same so that our teams can assist you better on this.

@Fast-Eddie, could you give us the support ticket that you had created?
We could have a look at the same.
