Securing access to authentication provided through ADFS is important, and whilst Microsoft’s Azure MFA service integrates directly with it, many organisations choose to utilise their existing MFA solution. A number of these are supported by Microsoft – https://technet.microsoft.com/en-us/library/dn758113.aspx – plus others that aren’t certified.
I’ve performed a few installations now using 3rd party MFA solutions and just wanted to briefly write about an issue I’ve had with using two different solutions.
During the installation of the agent on the first (primary) ADFS server I carefully followed the instructions from the supplier, and the agent would install and present the MFA login screen correctly. When it came to installing the agent on additional servers in the same farm, however, I encountered errors with the MFA option not loading.
Neither instruction set from the suppliers made mention of what should be done on additional servers in a farm so I was left with a little trial and error to discover a workaround.
The procedure I’ve found that worked for me (and there may be alternatives or exceptions to this) was to:
1) Install the MFA agent on the primary ADFS server
2) Disable the agent, usually through the agent software or through the AD FS Management console
3) Move the primary ADFS role onto the second server (and update all the others to secondary)
4) Install the MFA agent on the server that is now primary
5) Repeat steps 2-4 for any additional servers in the farm
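The steps above are normally clicked through by hand on each node. As an added example (not from the original post or from any MFA vendor), the PowerShell below automates steps 2-5 across a Windows Internal Database (WID) farm: it locates the current primary, removes the third-party provider from the global authentication policy, promotes the next node to primary, demotes the rest, and pauses for the vendor installer to be run on the new primary before moving on. It assumes PowerShell remoting to every node, an account with AD FS administrator rights, the built-in AD FS cmdlets (Get/Set-AdfsSyncProperties, Get/Set-AdfsGlobalAuthenticationPolicy), and that $ProviderName is the name the vendor registered with AD FS; the server names and the provider name are placeholders.

```powershell
# Added example: rotate the primary AD FS role around a WID farm so a third-party
# MFA agent can be installed on each node while that node holds the primary role.
# Assumptions: PS remoting works to every node, the account is an AD FS admin,
# and $ProviderName matches the entry shown by Get-AdfsAuthenticationProvider.

$FarmNodes    = @('adfs01.corp.example', 'adfs02.corp.example', 'adfs03.corp.example')  # constructed placeholders
$ProviderName = 'VENDOR_MFA_PROVIDER_NAME'   # placeholder: use the name your vendor registered

function Get-AdfsPrimaryNode {
    param([string[]]$Nodes)
    # Each node reports its own role; exactly one WID node should be PrimaryComputer.
    foreach ($n in $Nodes) {
        $role = Invoke-Command -ComputerName $n -ScriptBlock { (Get-AdfsSyncProperties).Role }
        if ($role -eq 'PrimaryComputer') { return $n }
    }
    throw 'No primary AD FS node found in the supplied list'
}

function Disable-MfaProvider {
    param([string]$Primary, [string]$Provider)
    # Step 2: take the provider out of the global policy. Policy changes are only
    # accepted on the primary, which is why this runs there.
    Invoke-Command -ComputerName $Primary -ArgumentList $Provider -ScriptBlock {
        param($p)
        $current   = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
        $remaining = @($current | Where-Object { $_ -ne $p })
        Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $remaining
    }
}

function Move-AdfsPrimaryRole {
    param([string]$NewPrimary, [string[]]$Nodes)
    # Step 3: -Role PrimaryComputer must be run ON the node becoming primary;
    # every other node is then pointed at it as a secondary.
    Invoke-Command -ComputerName $NewPrimary -ScriptBlock { Set-AdfsSyncProperties -Role PrimaryComputer }
    foreach ($n in ($Nodes | Where-Object { $_ -ne $NewPrimary })) {
        Invoke-Command -ComputerName $n -ArgumentList $NewPrimary -ScriptBlock {
            param($p) Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $p
        }
    }
}

function Enable-MfaProvider {
    param([string]$Primary, [string]$Provider)
    # Re-enable once every node has the agent installed.
    Invoke-Command -ComputerName $Primary -ArgumentList $Provider -ScriptBlock {
        param($p)
        $current = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
        if ($current -notcontains $p) { $current += $p }
        Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $current
    }
}

# Step 1 (install on the current primary) is done by hand beforehand.
$primary = Get-AdfsPrimaryNode -Nodes $FarmNodes
foreach ($next in ($FarmNodes | Where-Object { $_ -ne $primary })) {
    Disable-MfaProvider  -Primary $primary -Provider $ProviderName     # step 2
    Move-AdfsPrimaryRole -NewPrimary $next -Nodes $FarmNodes           # step 3
    Read-Host "Run the vendor MFA installer on $next now, then press Enter"  # step 4
    $primary = $next                                                    # step 5: loop
}
Enable-MfaProvider -Primary $primary -Provider $ProviderName
```

Two caveats: the primary/secondary role only exists in WID-backed farms (a SQL-backed farm has no primary to move, so this script does not apply there), and after the final Set-AdfsSyncProperties the secondaries pick up the new primary on their next sync interval, so check Get-AdfsSyncProperties on each node before running the vendor installer.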
After doing this the MFA process worked for traffic going to all the servers in the farm. I’m not sure why the documentation didn’t account for multiple ADFS servers in a farm; after all, I’d like to think that running two ADFS servers in a farm to provide HA should be the most common scenario.
Hope it helps.