
Problems starting MMC #101

Closed
ImpulsoAngular opened this issue May 14, 2020 · 13 comments

Comments

@ImpulsoAngular

I installed version 3.0.2005.0 and after correctly registering the mfa agent the following problem occurs when starting the mmc :

[image]

Another drawback that I could see is that after uninstalling the MFA provider the ADFS service was left in a stopped state. From a service continuity point of view that can be a problem.

The environment where I did the tests is as follows:
AD Domain & Forest version: Windows server 2012 R2
OS: Windows Server 2019
ADFS service account: gMSA with domain admin privileges
Repository : Active Directory
.NET version : 4.8

@redhook62
Member

Hi @ImpulsoAngular

First, restart your ADFS server, your service is successfully uninstalled, the problem comes from Windows.
Then reinstall the msi, then:
In PowerShell,
Export-MFASystemConfiguration (good practice).
Go to the ADFS server directory C:\Program Files\MFA\Config and delete the config.db file.
At this stage restart the service (mfanotifhub).
Check the operation.
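A script for the cache reset described in the comment above, added here as an example; it is not part of the project or of this thread. It assumes the service name mfanotifhub and the config.db path from the comment, and the standard ADFS service name adfssrv, which the thread does not mention. Export-MFASystemConfiguration should be run beforehand as the comment advises; its parameters are not shown here, so the script does not call it.

```powershell
# Added example (not the project's own tooling): reset the MFA configuration cache
# following the steps in the comment above, with a backup and state checks added.
# Assumptions: service name 'mfanotifhub' and cache path are from the thread;
# 'adfssrv' is the standard ADFS service name (not named in the thread).
# Run Export-MFASystemConfiguration first, as the comment advises; its parameters
# are not shown in this thread, so it is not called here.
$ConfigDir = 'C:\Program Files\MFA\Config'
$CacheFile = Join-Path $ConfigDir 'config.db'
$BackupDir = Join-Path $env:TEMP ('mfa-config-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

function Get-ServiceState {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'NotInstalled' }
    return $svc.Status.ToString()
}

# 1. Record both service states before changing anything.
Write-Host ("Before: mfanotifhub={0} adfssrv={1}" -f (Get-ServiceState 'mfanotifhub'), (Get-ServiceState 'adfssrv'))

# 2. Stop the MFA service so the cache file is not in use, then back it up and delete it.
#    config.db is only an encrypted cached copy of the configuration held in ADFS,
#    so deleting it is safe, but a backup costs nothing.
if ((Get-ServiceState 'mfanotifhub') -eq 'Running') {
    Stop-Service -Name 'mfanotifhub' -ErrorAction Stop
}
if (Test-Path -LiteralPath $CacheFile) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    Copy-Item -LiteralPath $CacheFile -Destination $BackupDir -ErrorAction Stop
    Remove-Item -LiteralPath $CacheFile -Force
    Write-Host "config.db backed up to $BackupDir and removed"
} else {
    Write-Host "config.db was not present in $ConfigDir (the cache was never written)"
}

# 3. Start the MFA service; a healthy service rebuilds config.db from ADFS.
Start-Service -Name 'mfanotifhub' -ErrorAction Stop

# 4. Report the outcome. A stopped ADFS service is exactly the continuity problem
#    raised at the top of the thread, so it is surfaced explicitly.
Write-Host ("After:  mfanotifhub={0} adfssrv={1}" -f (Get-ServiceState 'mfanotifhub'), (Get-ServiceState 'adfssrv'))
if ((Get-ServiceState 'adfssrv') -ne 'Running') {
    Write-Warning "ADFS service (adfssrv) is not running; start it and check the AD FS event logs"
}
if (Test-Path -LiteralPath $CacheFile) {
    Write-Host "config.db recreated"
} else {
    Write-Warning "config.db not recreated yet; check the Application event log for mfanotifhub errors"
}
```

Run it in an elevated PowerShell session on the ADFS server. The final warning is the condition reported later in this thread (config.db never being created), so it tells you immediately whether the reset resolved anything or whether the event logs need to be checked.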

@ImpulsoAngular
Author

Hello!
I deregistered the provider, uninstalled the application and rebooted the server. Then I logged in, deleted the folder C:\Program Files\MFA, reinstalled the application and registered the provider, and the error is the same. The config.db file was never created in the C:\Program Files\MFA\Config folder.

[image]

@redhook62
Member

redhook62 commented May 15, 2020

Hi @ImpulsoAngular

Yes, there is a problem when the "SuperUser" account is not filled.
New version 3.0.2005.1

Regards

@ImpulsoAngular
Author

Hi @redhook62

The problem remains the same

@redhook62 redhook62 reopened this May 18, 2020
@redhook62
Member

Hi @ImpulsoAngular

It seems to be an encryption problem. Do you have more detailed error logs (EventLog)?

You can follow these steps:

  • Export your current config with PowerShell Export-MFASystemConfiguration

  • In the saved file:
    -- replace all encrypted values (Account Password, Email User Password) with unencrypted text
    -- replace the XORKey with a clear value (default is "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890")
    -- delete all config.db files (in MFA\Config); these files are an encrypted cached copy of the true ADFS configuration for MFA

  • Import your modified config file with PowerShell Import-MFASystemConfiguration

  • Test MMC, PS and access

Let us know

Regards

For Uninstall Problems -> version 3.0.2005.2

@ImpulsoAngular
Author

Hi @redhook62

The installation was successful, and now the MMC starts correctly. But now when I try to register using a TOTP code, it seems that the key is invalid:

[image]

Of course, if I scan the code, it is not possible to read it either with Google Authenticator or Authy. The service account of ADFS is a Domain Admin.

When I do the uninstall tests, I will tell you how it goes.

@redhook62
Member

Hi @ImpulsoAngular

First, this problem occurs when the access account (ADFS account or SuperUser account) doesn't have Write permissions on All Properties (e.g. for All Users), or the ADDS attribute mapping is not functional.
If your ADFS account is a Domain Admin, even if that is not highly recommended, it should work without worries.
Second: this problem can occur because of an incorrect pass phrase; the stored / existing keys can no longer be decrypted. But registering a new user should not be a problem. The pass phrase cannot be null or empty!

As mentioned above, you can check the ADFS and Application logs and give us that information.
We are unable to reproduce your problem.

Regards

@ImpulsoAngular
Author

ImpulsoAngular commented May 22, 2020

Hi @redhook62
Attached is the event it throws when trying to register.

[image]

@redhook62
Member

@ImpulsoAngular

OK, as we thought, there is a problem with key encryption.
This part of the code has not changed for several major versions (2.2, from memory).
We have not succeeded in reproducing your problem, so we have deployed a new version with more detailed logging in this part.

Make sure you have entered the PassPhrase correctly.
You can also try to set the ADFS account as a local administrator of the ADFS server; in principle this is not necessary.
As a last resort, repeat the configuration of the MFA, setting all the properties correctly.

Please also send us the new logs.

Regards

@ImpulsoAngular
Author

Hi @redhook62

I attach the capture of the event viewer.

[image]

Comment: I never set up the passphrase. Should I?

@redhook62
Member

Hi,

What is the length of the user UPN?

Regards

@ImpulsoAngular
Author

30 characters (including @)

@redhook62
Member

redhook62 commented May 28, 2020

Hi @ImpulsoAngular

First of all, we still haven't managed to reproduce your problem.
We tried in all directions with RNG; it seems that the configuration is good.
Be aware, though, that with RNG there is no encryption; it is the "lightest" option, but not the most secure. However, the key is hashed with the XORKey and a UPN checksum is included in order to avoid copying keys between users.

The trace you sent shows an exception in a standard component of the framework (MD5 hash), supported since version 1.1 of .NET (at the time of the internet bubble...). In this mode there is no use of specific keys or certificates.
So we are looking for a problem between the operating system and your ADFS account.
Have you updated the latest FW 4.8 patches via Windows Update ?
Have you tested with other users ?
Have you tested with RSA and one certificate per user ?

If you want to give us more information on your configuration, we can exchange by private email. In this case, send us your configuration file and the user information causing the problem.

Regards
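An illustration, added here and not taken from the project, of the property the comment above describes: key material stored for one UPN is bound to that UPN, so a copy of the blob under another user no longer verifies. The byte-wise XOR masking and the HMAC-based checksum are an assumed, simplified scheme chosen for the example, not the project's real RNG storage format; the XORKey default is the value quoted earlier in the thread, and the UPNs and the 20-byte seed are constructed.

```powershell
# Added example, not the project's code. Demonstrates the property described above:
# a key stored for one UPN does not verify when copied to another UPN.
# The masking and checksum below are an assumed, simplified scheme (hypothetical),
# not the project's real storage format.
$DefaultXorKey = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890'   # default quoted earlier in the thread

function Get-MaskedBytes {
    # Byte-wise XOR of $Data with the cycled XORKey; applying it twice restores the input.
    param([byte[]]$Data, [string]$XorKey)
    $xk = [System.Text.Encoding]::UTF8.GetBytes($XorKey)
    $out = New-Object byte[] $Data.Length
    for ($i = 0; $i -lt $Data.Length; $i++) {
        $out[$i] = $Data[$i] -bxor $xk[$i % $xk.Length]
    }
    return ,$out
}

function Get-UpnChecksum {
    # HMAC-SHA256 over the normalised UPN, keyed with the raw key: the "UPN checksum".
    param([byte[]]$Key, [string]$Upn)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    try { return ,$hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Upn.ToLowerInvariant())) }
    finally { $hmac.Dispose() }
}

function Protect-UserKey {
    param([byte[]]$Key, [string]$Upn, [string]$XorKey = $DefaultXorKey)
    return [PSCustomObject]@{
        Masked = [Convert]::ToBase64String((Get-MaskedBytes -Data $Key -XorKey $XorKey))
        Check  = [Convert]::ToBase64String((Get-UpnChecksum -Key $Key -Upn $Upn))
    }
}

function Unprotect-UserKey {
    # Returns the key bytes, or $null when the blob does not belong to $Upn.
    param($Blob, [string]$Upn, [string]$XorKey = $DefaultXorKey)
    $key = Get-MaskedBytes -Data ([Convert]::FromBase64String($Blob.Masked)) -XorKey $XorKey
    $expected = Get-UpnChecksum -Key $key -Upn $Upn
    $stored = [Convert]::FromBase64String($Blob.Check)
    if ($stored.Length -ne $expected.Length) { return $null }
    $diff = 0   # constant-time comparison: no early exit on the first mismatching byte
    for ($i = 0; $i -lt $expected.Length; $i++) { $diff = $diff -bor ($stored[$i] -bxor $expected[$i]) }
    if ($diff -ne 0) { return $null }
    return ,$key
}

# Demo with a constructed 20-byte secret (a typical TOTP seed length) and two constructed UPNs.
$seed = New-Object byte[] 20
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($seed)
$blob = Protect-UserKey -Key $seed -Upn 'alice@contoso.example'

$own   = Unprotect-UserKey -Blob $blob -Upn 'alice@contoso.example'
$other = Unprotect-UserKey -Blob $blob -Upn 'bob@contoso.example'
"Owner recovers key: {0}" -f ([Convert]::ToBase64String($own) -eq [Convert]::ToBase64String($seed))
"Copied to another user verifies: {0}" -f ($null -ne $other)
```

The last line prints False: the masked bytes are identical for both users, and it is only the UPN-keyed checksum that rejects the copied blob. The example also shows why the XORKey alone gives no confidentiality, as the comment says; anyone holding the XORKey can unmask the bytes, and the checksum only prevents reuse under a different identity.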
