Hello,
I'm running Windows Server 2019 ADFS, migrated from an old version of ADFS. Everything is working fine, but we had to remove/disable the 3rd-party MFA vendor we had. So I disabled the vendor's tool in the Authentication Methods in the ADFS console and removed the program. We did this because we federated our ADFS with the company, so instead of authenticating using my own ADFS/AD local domain, I'm using the company's and everything is done by them, including the MFA. I have 2 Claims Provider Trusts because of this.
But we have 1 RP that does not work with that config, so it is still using the local AD, and now we noticed that after login it shows an error: "No valid strong authentication method found".
It seems to be general, because I tested other RPs using the local AD and had the same issue.
How can I get rid of this and just authenticate even without MFA, just using the username and password?
See attached my current config for Authentication Methods.
"No valid strong authentication method found. Contact your administrator to configure and enable appropriate strong authentication provider."
Event ID 364
"**Exception details:
Microsoft.IdentityServer.Web.NoValidStrongAuthenticationMethodException: No strong authentication method found for the request from https://MY-RP.COM.
at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)**"
Thanks!!
You might still have the rules to trigger MFA enabled on your Relying Party trust.
Can you show us the output of a Get-ADFSRelyingPartyTrust for this failing relying party trust?
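The check asked for above, widened to every place in an AD FS farm where a strong (MFA) authentication requirement can still come from once the MFA provider itself has been removed. This is an added example, not code from the thread; it assumes the ADFS PowerShell module on a farm node, run as an AD FS administrator, and the trust name `RP` is a placeholder for the failing relying party trust.

```powershell
# Added example, not from the thread. Audit an AD FS farm for everything that can
# still demand a strong (MFA) authentication method after the MFA provider has been
# removed. Run in an elevated PowerShell on a farm node as an AD FS administrator.
param(
    # Placeholder: name of the relying party trust that fails with event 364.
    [string]$RpName = "RP"
)

Import-Module ADFS -ErrorAction Stop

# 1. Global authentication policy: which additional (MFA) providers remain enabled.
#    No enabled provider here, combined with any rule that still asks for MFA, is
#    the combination that surfaces as NoValidStrongAuthenticationMethodException.
$policy = Get-AdfsGlobalAuthenticationPolicy
Write-Output ("Additional (MFA) providers enabled : {0}" -f ($policy.AdditionalAuthenticationProvider -join ", "))
Write-Output ("Primary intranet providers         : {0}" -f ($policy.PrimaryIntranetAuthenticationProvider -join ", "))
Write-Output ("Primary extranet providers         : {0}" -f ($policy.PrimaryExtranetAuthenticationProvider -join ", "))

# 2. Global additional authentication rules apply to every relying party, so they
#    explain an error that is "general" across RPs even when each trust's own
#    AdditionalAuthenticationRules property is empty.
$globalRules = Get-AdfsAdditionalAuthenticationRule
if ([string]::IsNullOrWhiteSpace($globalRules)) {
    Write-Output "Global additional authentication rules : <none>"
} else {
    Write-Output "Global additional authentication rules :"
    Write-Output $globalRules
}

# 3. Per-trust settings that can trigger MFA for this RP only.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $rp) { throw "Relying party trust '$RpName' not found." }
[pscustomobject]@{
    Name                          = $rp.Name
    AdditionalAuthenticationRules = $rp.AdditionalAuthenticationRules
    AccessControlPolicyName       = $rp.AccessControlPolicyName
    RequestMFAFromClaimsProviders = $rp.RequestMFAFromClaimsProviders
} | Format-List

# 4. OAuth/OIDC clients live in application groups; the Web API application inside
#    the group carries the equivalent properties, which Get-AdfsApplicationGroup
#    does not show.
Get-AdfsWebApiApplication |
    Select-Object Name, ApplicationGroupIdentifier, AccessControlPolicyName, AdditionalAuthenticationRules |
    Format-List

# Remediation, deliberately left commented out: replace a rule set that still
# demands MFA with an empty one. Confirm the empty-value form against the cmdlet
# help for your AD FS version before running.
#   Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $null
#   Set-AdfsRelyingPartyTrust -TargetName $RpName -AdditionalAuthenticationRules $null
```

Step 2 is the one the per-trust output cannot reveal: a global additional authentication rule is not a property of any relying party trust, yet it is evaluated for all of them, which matches an error that appears on every RP using the local AD.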
Sure @Pierre Audonnet - MSFT, this is the output from one of my RPs:
Get-ADFSRelyingPartyTrust -Name "RP"
AllowedAuthenticationClassReferences : {}
EncryptionCertificateRevocationCheck : CheckChainExcludeRoot
PublishedThroughProxy : False
SigningCertificateRevocationCheck : CheckChainExcludeRoot
WSFedEndpoint :
AdditionalWSFedEndpoint : {}
ClaimsProviderName : {Company Global}
ClaimsAccepted : {}
EncryptClaims : True
Enabled : True
EncryptionCertificate :
Identifier : {https://rp.domain.com}
NotBeforeSkew : 0
EnableJWT : False
AlwaysRequireAuthentication : False
Notes : Notes for the RP
OrganizationInfo :
ObjectIdentifier : IDENTIFIER
ProxyEndpointMappings : {}
ProxyTrustedEndpoints : {}
ProtocolProfile : WsFed-SAML
RequestSigningCertificate : {}
EncryptedNameIdRequired : False
SignedSamlRequestsRequired : False
SamlEndpoints : {Microsoft.IdentityServer.Management.Resources.SamlEndpoint}
SamlResponseSignature : AssertionOnly
SignatureAlgorithm : http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
TokenLifetime : 0
AllowedClientTypes : Public
IssueOAuthRefreshTokensTo : NoDevice
RefreshTokenProtectionEnabled : True
RequestMFAFromClaimsProviders : False
ScopeGroupId :
ScopeGroupIdentifier :
DeviceAuthenticationMethod :
Name : RP
AutoUpdateEnabled : False
MonitoringEnabled : False
MetadataUrl :
ConflictWithPublishedPolicy : False
IssuanceAuthorizationRules : @RuleName = "1-Get User Groups"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> add(store = "Active Directory", types = ("http://test.com/phase1"), query = "mail={0};memberOf;DOMAIN\user", param = c.Value);
@RuleName = "2-Remove OU"
c:[Type == "http://test.com/phase1"]
=> add(Type = "http://test.com/phase2", Value = RegExReplace(c.Value, ",[^\n]*", ""));
@RuleName = "3-Remove the CN="
c:[Type == "http://test.com/phase2"]
=> add(Type = "http://schemas.xmlsoap.org/claims/Group", Value = RegExReplace(c.Value, "^CN=", ""));
@RuleName = "4-Filter Group_RO and Grant Access"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value =~ "^(?i)Group_RO$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
@RuleTemplate = "Authorization"
@RuleName = "Permit_Group_RO"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-290840851-546066832-394647578-5115$"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
IssuanceTransformRules : @RuleName = "1-Get the Local DOMAIN username"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> add(store = "Active Directory", types = ("DOMAIN"), query = "mail={0};sAMAccountName;DOMAIN\user", param = c.Value);
@RuleName = "2-Send LOCAL domain username as NameID"
c:[Type == "DOMAIN"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:DOMAIN");
@RuleTemplate = "LdapClaims"
@RuleName = "Send NameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";sAMAccountName;{0}", param = c.Value);
DelegationAuthorizationRules :
LastPublishedPolicyCheckSuccessful :
LastUpdateTime : 12/31/1899 7:00:00 PM
LastMonitoredTime : 12/31/1899 7:00:00 PM
ImpersonationAuthorizationRules :
AdditionalAuthenticationRules :
AccessControlPolicyName :
AccessControlPolicyParameters :
ResultantPolicy :
We have another "Application Group" using OAuth, but I was not able to run the same command on that. This one is also facing the same issue.
Get-AdfsApplicationGroup -Name "OAuth Application"
ApplicationGroupIdentifier : Application-Test
Description : OAuth test application
Name : OAuth-Test
Enabled : True
Applications : {OAuth-Test - Server application, OAuth-Test - Web API}
I don't see any requirement in the rules. Then I guess it might be the actual application requesting a specific authentication method (in the redirect the app sends to the user).
It is possible for an application to request a specific authentication method or even MFA. Could you share what the redirect URL looks like when you hit the app and are redirected to ADFS?
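The question above is whether the application's own redirect asks AD FS for a particular authentication method. The script below, an added example that is not part of the thread, inspects such a redirect URL for the two profiles the trust advertises (WsFed-SAML): the WS-Federation `wauth` parameter and the SAML 2.0 `RequestedAuthnContext` carried in an HTTP-Redirect binding `SAMLRequest`. The function name, the hostname `adfs.example.test`, and the three sample URLs (including the hand-built AuthnRequest) are constructed for the example; the authentication method URIs are the standard password and `multipleauthn` (MFA) URIs AD FS understands.

```powershell
# Added example, not from the thread. Given the URL an application redirects the
# browser to, report whether the request itself asks AD FS for a specific
# authentication method (WS-Federation wauth, or SAML 2.0 RequestedAuthnContext).
Add-Type -AssemblyName System.Web

function Get-RequestedAuthnMethod {
    param([Parameter(Mandatory)][string]$RedirectUrl)

    # ParseQueryString percent-decodes each value, so pass the URL exactly as the
    # browser received it (from the address bar or the 302 Location header).
    $query  = [System.Web.HttpUtility]::ParseQueryString(([Uri]$RedirectUrl).Query)
    $result = [ordered]@{ Protocol = 'unknown'; Comparison = $null; RequestedMethods = @() }

    if ($query['wa'] -eq 'wsignin1.0') {
        $result.Protocol = 'WS-Federation'
        # wauth is optional; when present AD FS must satisfy it. The value
        # http://schemas.microsoft.com/claims/multipleauthn asks for MFA.
        if ($query['wauth']) { $result.RequestedMethods = @($query['wauth']) }
    }
    elseif ($query['SAMLRequest']) {
        $result.Protocol = 'SAML 2.0 HTTP-Redirect'
        # Redirect binding = base64( raw DEFLATE( AuthnRequest XML ) ).
        $raw = [Convert]::FromBase64String($query['SAMLRequest'])
        $in  = [IO.MemoryStream]::new($raw)
        $def = [IO.Compression.DeflateStream]::new($in, [IO.Compression.CompressionMode]::Decompress)
        $xml = [xml]([IO.StreamReader]::new($def, [Text.Encoding]::UTF8).ReadToEnd())

        $ns = [Xml.XmlNamespaceManager]::new($xml.NameTable)
        $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
        $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
        $rac = $xml.SelectSingleNode('/samlp:AuthnRequest/samlp:RequestedAuthnContext', $ns)
        if ($rac) {
            # Comparison (exact/minimum/maximum/better) governs how AD FS must match.
            $result.Comparison = $rac.GetAttribute('Comparison')
            $result.RequestedMethods = @($rac.SelectNodes('saml:AuthnContextClassRef', $ns) |
                                         ForEach-Object { $_.InnerText })
        }
    }
    [pscustomobject]$result
}

# --- Constructed sample input (not captured from any real system) -------------
function ConvertTo-SamlRedirectParam([string]$AuthnRequestXml) {
    # Encode an AuthnRequest the way the HTTP-Redirect binding does.
    $out = [IO.MemoryStream]::new()
    $def = [IO.Compression.DeflateStream]::new($out, [IO.Compression.CompressionMode]::Compress, $true)
    $bytes = [Text.Encoding]::UTF8.GetBytes($AuthnRequestXml)
    $def.Write($bytes, 0, $bytes.Length)
    $def.Dispose()
    [Uri]::EscapeDataString([Convert]::ToBase64String($out.ToArray()))
}

$authnRequest = @"
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://rp.domain.com</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>http://schemas.microsoft.com/claims/multipleauthn</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
"@

# Constructed redirects: a SAML request that asks for MFA, a WS-Fed request with an
# explicit password wauth, and a WS-Fed request that asks for nothing in particular.
$samlUrl  = "https://adfs.example.test/adfs/ls/?SAMLRequest=$(ConvertTo-SamlRedirectParam $authnRequest)"
$wsfedUrl = "https://adfs.example.test/adfs/ls/?wa=wsignin1.0&wtrealm=https%3A%2F%2Frp.domain.com&wauth=urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aam%3Apassword"
$plainUrl = "https://adfs.example.test/adfs/ls/?wa=wsignin1.0&wtrealm=https%3A%2F%2Frp.domain.com"

Get-RequestedAuthnMethod $samlUrl
Get-RequestedAuthnMethod $wsfedUrl
Get-RequestedAuthnMethod $plainUrl
```

An empty `RequestedMethods` for the real redirect means the application is not the source of the strong-authentication demand and the trigger has to be in AD FS policy (global or per-trust additional authentication rules, or an access control policy); a `multipleauthn` entry means the application itself insists on MFA and must be reconfigured, since AD FS can no longer satisfy it without an enabled additional provider.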