ADFS with Managed Service account "ADFS Administration rights not granted"

[mastertIT]

we currently use a managed service account for the adfs service. 'AD\service-ADFS$'
we enabled allow local admins and allow local services to manage adfs, we then created a security group and added our adfs admins to there, allow delegation to it in adfs.

• when an admin logs into the adfs server and opens the adfs snapin they are able to make changes.

• when the same admin tries to Register-MFASystem

Register-MFASystem : This request operation sent to net.tcp://localhost:5987/WebAdminService did not receive a reply
within the configured timeout (00:01:00). The time allotted to this operation may have been a portion of a longer
timeout. This may be because the service is still processing the operation or because the service was unable to send
a reply message. Please consider increasing the operation timeout (by casting the channel/proxy to IContextChannel
and setting the OperationTimeout property) and ensure that the service is able to connect

trying again results in:

MFA System Not registered !

• trying to open the MFA snapin or run Set-MFAFirewallRules -ComputersAllowed 'ADFS01, ADFS02'

Set-MFAFirewallRules : PS0033: This Cmdlet must be executed with ADFS Administration rights granted for the current
user !
At line:1 char:1we` receive the error "user is not allowed etc..

• we tried changing the mfa notification service to use the same account as adfs but that did not help, we tried adding the dbowner,dbsecurity permissions to our sql server for the adfs server computer accounts (for the AdfsArtifacts, AdfsConfiguration) (for the local service to have write access to the DB.

the adfs admin is part of the adfs security group, which is part of the local administrator group.

we use msql for the adfs farm not WID.

the mfa service was restarted when changing the adfs settings above.

DC's are on Server 2022, ADFS is on Server 2022

[redhook62]

I also use a managed account, I have no worries. Anyway, the component requires nothing special, it's just a plugin.
Having not really understood your concern, please check with the Wiki that you are OK.

[mastertIT]

these are the issues...

[redhook62]

Hi @mastertIT

Testing again, I thought I had the same issue as you. However, I confirm that it works correctly.
Do not run Register-MFASystem if you are upgrading from a previous version. or completely unregister the extension with UnRegister-MFASystem before uninstalling the old version.

Or using standard ADFS commands like this

Export-AdfsAuthenticationProviderConfigurationData -Name "MultifactorAuthenticationProvider" -FilePath c:\temp\mfa\3.1.xml

(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $null

UnRegister-AdfsAuthenticationProvider -Name "MultifactorAuthenticationProvider" -Confirm:$false

Then you will be able to re-register the extension.
If all the prerequisites are respected, you should not have any errors.

Tested with ADFS 2022 and ADDS 2016

regards

[mastertIT]

new install of windows server 2022
installed ADFS
installed .net 4.8.1
installed MFA

FOLOWED THE GUIDE, READ AT LEAST 10 TIMES.

Still receive the

My user is setup as a local admin, my user is setup as a delegated adfs admin, still unable to register the system correctly or open the mmc plugin or run any of the powershell commands successfully...

keep getting the error while running your powershell commands that i'm not an adfs admin.
i'm able to open the ADFS management and do ADMIN tasks everywhere except in the MFA plugin.

i have not EVER gotten this working yet, not an existing setup, brand new.

[redhook62]

Hi, @mastertIT

Make sure the component is completely uninstalled from adfs (with instructions provided) NOT Registered.
Uninstall the binaries with the control panel.
Delete the MFA directory in \ProgramFiles
Reboot.

Reinstall the component
Register the Adapter
In case of problem, please, delete the system.db file in the \ProgramFile\MFA\Config directory.
If all this does not work, the problem is on your side.

regards

[mastertIT]

no system.db file is ever created.

reinstalled both adfs servers, added local admin, service admin to federation services options, added adfs administartors group.
added admin to this group.

installed mfa.msi.
tried to register mfa system. same errors.

is there another service that needs to start to open the 5987 port?
the MFA Hub service is running.

[redhook62]

Hi,The only service that listens on port 5987 is the MFA service (mfanotifhub).
When registering a farm, this service registers the component in ADFS and then creates the default configuration, copies this configuration into a config.db file, synchronizes this configuration on all ADFS servers in the farm (via port 5987 between servers).
Then, the ACLs for the rights are positioned on the MFA directories and a system.db file is created to store rights, and of course distributed to other ADFS servers.
So problem on localhost:5987, restart the MFA service
Restart-Service mfanotifhub.
If port 5987 is not open... you must suspend the firewalls during the configuration.

[redhook62]

Hi, All

We also have an ADFS 2022 version that works perfectly with a gMSA account.

1. you must send us all the logs (eventlogs) concerning MFA)
2. you must verify that the MFA service is started.
3. you must verify that the config.db and system.db files are created when the service is hard restarted.

Then your problem as for masterIT comes from your ADDS 2022 infrastructure.

• If you look in the eventlog and find an event ID 2000 entry:
  The communication object, System.ServiceModel.Channels.ServiceChannel, cannot be used for communication because it is in the Faulted state.
  You need to reset your SChannel service, look here: Error decrypting - Crytographic error for user #294 (comment)

I remind you that the "Local System" account acts as a machine (which is registered in your domain) and as such, this account can request information from ADDS (such as the SID of an account)

For masterIT, it doesn't seem to have solved his problem for the system account, running the MFA service account with the same account as the ADFS (gMSA) service solved this problem.
However, this solution is not sustainable because the gMSA account cannot act as an operating system, and this will cause other problems (RSA encryption, AES, Certificates, etc.)

So, check your logs carefully, and especially if there is a problem starting the MFA Service, creating incorrect configuration files, find out where the problem comes from.

regards