ADFS and 3rd party MFA integration tip

Securing access to authentication provided through ADFS is important, and whilst Microsoft’s Azure MFA services will integrate perfectly with it, many organisations choose to utilise their existing MFA solution, of which there are a number supported by Microsoft – https://technet.microsoft.com/en-us/library/dn758113.aspx – plus others that aren’t certified.

I’ve performed a few installations now using 3rd party MFA solutions and just wanted to briefly write about an issue I’ve had with using two different solutions.

During the installation of the agent on the first (primary) ADFS server I carefully followed the instructions from the supplier, and the agent would install and present the MFA login screen correctly, but when it came to installing the agent on additional servers in the same farm I encountered errors with the MFA option not loading.

Neither instruction set from the suppliers made mention of what should be done on additional servers in a farm, so I was left with a little trial and error to discover a workaround.

The procedure I’ve found that worked for me (and there may be alternatives or exceptions to this) was to:

1) Install the MFA agent on the Primary ADFS server
2) Disable the agent (usually through the agent software or through the AD FS Management console)
3) Move the Primary ADFS role onto the second server (plus update all the others to secondary)
4) Install the MFA agent
5) Repeat steps 2-4 for any additional servers in the farm
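As an added example (not from the original post or from any MFA vendor), steps 2 and 3 above scripted with the AD FS PowerShell module. It assumes a WID-based farm (the Primary/Secondary role only exists with WID; SQL-backed farms have no primary), WinRM access to the other farm members, and that the provider name and hostnames below are placeholders to be replaced with the values `Get-AdfsAuthenticationProvider` reports after the vendor agent is installed.

```powershell
# Added example, not the post's or vendor's own script. Run in an elevated
# PowerShell on the server that currently holds the Primary role.
param(
    [string]  $ProviderName = 'VENDOR_MFA_PROVIDER_NAME',      # placeholder: take the real Name from Get-AdfsAuthenticationProvider
    [string]  $NewPrimary   = 'adfs02.corp.example',           # constructed hostname
    [string[]]$OtherMembers = @('adfs03.corp.example')         # constructed hostnames; remaining secondaries
)
Import-Module ADFS -ErrorAction Stop

# Step 2: take the vendor provider out of the global authentication policy so a
# farm member that does not yet have the agent binaries is never asked to load it.
function Disable-FarmMfaProvider([string]$Name) {
    $policy = Get-AdfsGlobalAuthenticationPolicy
    if ($policy.AdditionalAuthenticationProvider -notcontains $Name) {
        Write-Host "Provider '$Name' is not in the global policy; nothing to disable."
        return
    }
    $remaining = @($policy.AdditionalAuthenticationProvider | Where-Object { $_ -ne $Name })
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $remaining
    Write-Host "Disabled '$Name'. Remaining additional providers: $($remaining -join ', ')"
}

# Step 3: promote the next server to Primary, then repoint this server and every
# other member at it as secondaries (the configuration database is replicated
# from the Primary, so every secondary must know the new Primary's name).
function Move-AdfsPrimaryRole([string]$Target, [string[]]$Secondaries) {
    $sync = Get-AdfsSyncProperties
    if ($sync.Role -ne 'PrimaryComputer') {
        throw "This server is '$($sync.Role)', not the Primary; run the move from the current Primary."
    }
    Invoke-Command -ComputerName $Target -ScriptBlock { Set-AdfsSyncProperties -Role PrimaryComputer }
    Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $Target
    foreach ($member in $Secondaries) {
        Invoke-Command -ComputerName $member -ArgumentList $Target -ScriptBlock {
            param($p) Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $p
        }
    }
    Write-Host "Primary role moved to $Target; this server and $($Secondaries -join ', ') now sync from it."
}

# Check to run after step 4 on the new Primary: confirm the agent registered itself.
function Test-MfaProviderRegistered([string]$Name) {
    return [bool](Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq $Name })
}

Disable-FarmMfaProvider -Name $ProviderName
Move-AdfsPrimaryRole -Target $NewPrimary -Secondaries $OtherMembers
```

Once the agent is installed on the new Primary, `Test-MfaProviderRegistered` should return `$true` there before the provider is re-enabled in the global policy.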

After doing this the MFA process worked for traffic going to all the servers in the farm. I’m not sure why the documentation didn’t account for multiple ADFS servers in the farm, as after all I’d like to think that running two ADFS servers in a farm should be the most common scenario to provide HA capabilities.

Hope it helps.
