Login Password issue

[antonsockov]

Hi there!

I have a new just created ADFS and trying to install adfsmfa

I have this event sequence in a "Applications" eventlog 5100 5100 5100 5000 801 after each login attempt

Here is 801 error:
Ошибка загрузки Регистрация пользователей!
System.Exception: Неверное имя пользователя или пароль.
в Neos.IdentityServer.MultiFactor.Data.ADDSDataRepositoryService.GetMFAUser(String upn)
в Neos.IdentityServer.MultiFactor.RuntimeRepository.GetMFAUser(MFAConfig cfg, String upn)
в Neos.IdentityServer.MultiFactor.AuthenticationProvider.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)

Ofcourse entered credentials are correct

I suppose tahat problem is in non equal domains part of email and UPN. Here is user fields:

mail : adfstest@test.com
msDS-cloudExtensionAttribute11 : adfstest@test.com
sAMAccountName : adfstest
userPrincipalName : adfstest@local.com

My ADFS able to autorize user on email, so in my case it doen't matter what domain was specified by user @local.com or @test.com

I tryed to use as login adfstest@local.com adfstest@test.com and adfstest with no result

I suppose the problem somewhere around that place

Please help me

[redhook62]

Hi @antonsockov

Sorry,

Can you give me more information about your configuration?
Are you in ADDS or SQL?
Have you provided configuration information for the ADDS Or SQL “Super User”.
Is this a problem with emails?
Or simply a problem during login? in which case, maybe it’s just a matter of refreshing your DNS?

Regards

[antonsockov]

Hi @redhook62

My configuration is in ADDS mode
Yes, I've provided Super User info and adfsmfa sucsesfuly stores information in AD

It's problem on login, on 2fa step of test user, no matter what i use as login: mail or sAMAccountName or userPrincipalName

(Sorry, I use google objective to translate the screenshot)

Authentication on first step is always successful with provided credentials. After that this happens.

[redhook62]

Hi @antonsockov

indeed, it is impossible to access ADDS.
Check that the account used is valid and also that the TCP ports are open for ldap (389 and 636) on your domain controllers, because access to ADDS is linked to ldap

regards

[antonsockov]

Hi @redhook62

Each ADDS server is availible on 389 (ssl is not in use)
Account also valid

[redhook62]

I have no idea for you, it's very weird.
I can only recommend that you carefully check the prerequisites as well as the adequacy of your infrastructure,
I put all this in the ideas perhaps someone will have an answer for you.

regards

[redhook62]

Hi @antonsockov

The last thing I can recommend is to "clean up" the ADDS attributes used by MFA for your affected users.
Changing the encryption elements invalidates all stored user keys

Последнее, что я могу порекомендовать, — это «очистить» атрибуты ADDS, используемые MFA для затронутых пользователей.
Изменение элементов шифрования делает недействительными все сохраненные ключи пользователя.

regards

[antonsockov]

Hi @redhook62

This failure makes me mad and I reinstalled adfsmfa from the begining, but this time I use SQL configuration
I also delete test user and create it again to avoid any possible problems with data stored in ADDS attributes
SQL base was successfully created from mmc console via "Create data base" button on SQL server configuration tab
At this time all tables in base are empty (checked via MS SQL Server management Studio)

When test user tries to login new type of error occurs

In a "Applications" eventlog: error 801
Ошибка загрузки Регистрация пользователей!
System.ArgumentException: Длина значения для ключа "password" превышает его ограничение, установленное для "128".
в System.Data.SqlClient.SqlConnectionString..ctor(String connectionString)
в System.Data.SqlClient.SqlConnectionFactory.CreateConnectionOptions(String connectionString, DbConnectionOptions previous)
в System.Data.ProviderBase.DbConnectionFactory.GetConnectionPoolGroup(DbConnectionPoolKey key, DbConnectionPoolGroupOptions poolOptions, DbConnectionOptions& userConnectionOptions)
в System.Data.SqlClient.SqlConnection.ConnectionString_Set(DbConnectionPoolKey key)
в System.Data.SqlClient.SqlConnection.set_ConnectionString(String value)
в System.Data.SqlClient.SqlConnection..ctor(String connectionString, SqlCredential credential)
в Neos.IdentityServer.MultiFactor.Data.SQLDataRepositoryService.GetMFAUser(String upn)
в Neos.IdentityServer.MultiFactor.RuntimeRepository.GetMFAUser(MFAConfig cfg, String upn)
в Neos.IdentityServer.MultiFactor.AuthenticationProvider.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)

@redhook62 Any ideas?

[redhook62]

Hi, @antonsockov

I told you before, I didn't even understand if it's when doing MFA or when you connect.

If it is a question of authenticating with MFA and for example totp, be aware that the key is encrypted by multiple algorithms, and includes your upn.
So, it may be possible that there is a problem on this side.

But as your information is very brief, I cannot say more.

At least, send your configuration (with the latest version of MFA and with the -ForDebug switch), and also the upns of the different users who are causing problems.

Use the email address indicated in the sources in the header.

regards

[antonsockov]

Hi @redhook62

Here is exported configs
mfa.txt

Upn looks like

In fact error from previous message occurs at any successful login attempt of any user on first step

[redhook62]

Hi, @antonsockov

It still seems that you are on the ADFS Login/Password, and in this case MFA is not even used (your screen is in Russian...).
So the only thing I can tell you is that your configuration is normal. but in any case the MFA is not yet requested...

So, check your ActiveDirectory accounts, passwords, locking, password expiration and the fact that ADFS is well "wired" with a read and write domain controller if you want to store MFA information in ADDS .
ADFS can authenticate against RODC, if the user password is cached on RODC.
The ADFS server will need access to the writable DCs when there is a configuration change in ADFS like the Token signing certificate rollover or many other things like password change.