Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2016-05-12) Upgrading The MFA Server Components From v6.3.0 To v7.0.0

Posted by Jorge on 2016-05-12


Microsoft released a newer version (v7.0.0.0) of the on-premises Azure AD MFA server a while back. If you are currently using v6.3.0, then this blog post will help you upgrade from v6.3.0 to v7.0.0.

First, download the latest version of the Azure MFA Server installation program “MultiFactorAuthenticationServerSetup.exe”:

  1. Navigate to https://manage.windows.azure.com/ and log in with your administrator credentials
  2. On the navigation bar on left click on “All Items”
  3. On the main screen click on the directory item
  4. At the top of the screen click on the item called “Configure”
  5. Scroll to the section called “Multi-Factor Authentication”
  6. Within that section click on “Manage Service Settings” (a new tab opens)
  7. At the bottom of the screen click on “Go To The Portal” (a new tab opens)
  8. Somewhere in the middle of the screen click on “Downloads”
  9. Somewhere in the middle of the screen click on “Download” to download the latest version of the Azure MFA Server installation program

REMARK: If this were a first-time installation, you would also need the activation credentials, obtained by clicking on “Generate Activation Credentials”. During the upgrade the activation credentials are not needed.

Move the downloaded file to the servers already running the Azure AD MFA Server bits.

Execute the following actions on every Azure AD MFA server you have. Start with the primary/master server, and when fully finished, move to the next secondary Azure AD MFA server. By the way, this does assume all Azure AD MFA server components (MFA server, Web Service SDK, User Portal and Mobile App Service) are installed on the same server, whether you have just one server or multiple servers.

Start the MFA admin console. Then click on the Status icon at the top left to see which servers exist. Write down the list of MFA servers.

Figure 1: The MFA Admin Console Showing The Status Of Every MFA Server

Execute the following actions on every MFA server, but do it one at a time in the order explained below!

Hotfix Pre-Requisite

Make sure the hotfix KB2919355 has been installed already. If not, install it first!

To check if the hotfix is already installed or not, execute:

Get-HotFix -Id KB2919355

Figure 2: Checking If The Hotfix KB2919355 Is Installed

Installing The MFA Server Bits

Double-click on “MultiFactorAuthenticationServerSetup.exe”

You will see the warning regarding the hotfix KB2919355.

Click [OK] to continue

Figure 3: Warning Regarding The Hotfix KB2919355 Requirement

If “Visual C++ Redistributable for Visual Studio 2015 Update 1” is not installed you will see the following screen.

If your MFA servers are only allowed to connect to Azure AD for the Azure AD MFA service and you cannot connect to other URLs, download the “Visual C++ Redistributable for Visual Studio 2015 Update 1” (both x86 and x64!) yourself from https://www.microsoft.com/en-us/download/details.aspx?id=49984.

Click [Install].

Figure 4: Warning About The Pre-Requisite Installation Of “Visual C++ Redistributable For Visual Studio 2015 Update 1”

Check “I Agree To The License Terms And Conditions”

Click [Install].

Figure 5: Warning About The Pre-Requisite Installation Of “Visual C++ Redistributable For Visual Studio 2015 Update 1” (x64)

Click [Close].

Figure 6: Finishing The Installation Of “Visual C++ Redistributable For Visual Studio 2015 Update 1” (x64)

Check “I Agree To The License Terms And Conditions”

Click [Install].

Figure 7: Warning About The Pre-Requisite Installation Of “Visual C++ Redistributable For Visual Studio 2015 Update 1” (x86)

Click [Close].

Figure 8: Finishing The Installation Of “Visual C++ Redistributable For Visual Studio 2015 Update 1” (x86)

Click [Next >].

Figure 9: Starting The Install Of The Azure AD MFA Server Bits

Click [Finish].

Figure 10: Finishing The Install Of The Azure AD MFA Server Bits

The MFA Admin Console will start and show the following message if the User Portal is installed.

Click [No].

Figure 11: Notification About A Newer Version Of The User Portal

…and the following message if the Web Service SDK is installed.

Click [No].

Figure 12: Notification About A Newer Version Of The Web Service SDK

Close the MFA admin console.

Updating The Web Service SDK

Navigate to the folder “C:\Program Files\Multi-Factor Authentication Server” (the default location) and double-click on “MultiFactorAuthenticationWebServiceSdkSetup64.msi”.

Make sure to select the correct web site, the correct virtual directory and the correct application pool. If you are uncertain, open IIS Manager, select the correct virtual directory/application and check the current settings through Advanced Settings FIRST!!!

Click [Next>]

Figure 13: Configuring The Web Service SDK Installation

Click [Close]

Figure 14: Finishing The Installation Of The Web Service SDK

Update the User Portal

Navigate to the folder “C:\Program Files\Multi-Factor Authentication Server” (the default location) and double-click on “MultiFactorAuthenticationUserPortalSetup64.msi”.

Make sure to select the correct web site, the correct virtual directory and the correct application pool. If you are uncertain, open IIS Manager, select the correct virtual directory/application and check the current settings through Advanced Settings FIRST!!!

Click [Next>]

Figure 15: Configuring The User Portal Installation

Click [Close]

Figure 16: Finishing The Installation Of The User Portal

Update the Mobile App Web Service

Navigate to the folder “C:\Program Files\Multi-Factor Authentication Server” (the default location) and double-click on “MultiFactorAuthenticationMobileAppWebServiceSetup64.msi”.

Make sure to select the correct web site, the correct virtual directory and the correct application pool. If you are uncertain, open IIS Manager, select the correct virtual directory/application and check the current settings through Advanced Settings FIRST!!!

Click [Next>]

Figure 17: Configuring The Mobile Web App Web Service

Click [Close]

Figure 18: Finishing The Installation Of The Mobile Web App Web Service

Configuring Applications Pools

After the installation, when you open IIS Manager and check the application pools, you will see the following new application pools (or similar), running under the same account as the previous application pools:

  • ASP.NET v4.0 MultiFactorAuthWebServiceSdk
  • ASP.NET v4.0 MultiFactorAuthUserPortal
  • ASP.NET v4.0 MultiFactorAuthPhoneAppWebService

Select the virtual directory/application “MultiFactorAuthWebServiceSdk”, click Advanced Settings on the right. Click on “Application Pool” at the top and select the application pool “ASP.NET v4.0 MultiFactorAuthWebServiceSdk”

Select the virtual directory/application “MultiFactorAuthUserPortal”, click Advanced Settings on the right. Click on “Application Pool” at the top and select the application pool “ASP.NET v4.0 MultiFactorAuthUserPortal”

Select the virtual directory/application “MultiFactorAuthPhoneAppWebService”, click Advanced Settings on the right. Click on “Application Pool” at the top and select the application pool “ASP.NET v4.0 MultiFactorAuthPhoneAppWebService”

Restart the “Default Web Site”.

Now update all other MFA servers, one at a time and in the same order as explained above!

Updating The ADFS Adapter

On one of the Azure AD MFA servers, navigate to the folder “C:\Program Files\Multi-Factor Authentication Server” (the default location) and copy the files “MultiFactorAuthenticationAdfsAdapterSetup64.msi” and “MultiFactorAuthenticationAdfsAdapter.config” to all ADFS servers!

The following actions will have a negative impact on the Azure AD MFA provider within ADFS. They will not impact ADFS itself, but any application configured to enforce MFA for which users must use Azure AD MFA cannot be used until everything has finished!!! THEREFORE PLAN THIS ACCORDINGLY!!!

REMARK: you may have seen the suggestion on other blog posts to remove the ADFS server from the farm to lower the impact. Do not do that! That will impact ADFS itself, and if you only have one ADFS server your farm will die!

First you need to understand if you are using WID or SQL. And if you are using WID, you need to find the primary ADFS server.

To understand if you are using WID or SQL see: (2014-03-17) Gathering Architectural Details From Your ADFS Infrastructure – ADFS Config DB On WID Or SQL

When using WID, to find your primary server see: (2014-03-19) Gathering Architectural Details From Your ADFS Infrastructure – WID Primary Computer Or Not

We need to unselect and unregister the previous ADFS adapter.

Using WID?: Execute on the primary ADFS server and wait at least 5 minutes to allow WID replication to take place and finish.

Using SQL?: Execute on any ADFS server.

# Unselecting The Use Of Azure AD MFA Adapter To Be Listed
# Read the current list of additional (MFA) providers from the global authentication policy
$listOfCurrentMFAProviders = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
# Build a new list without the old adapter; filtering instead of calling .Remove() also works when the list is a fixed-size array
$listOfNewMFAProviders = @($listOfCurrentMFAProviders | Where-Object { $_ -ne "WindowsAzureMultiFactorAuthentication" })
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $listOfNewMFAProviders

# Unregistering The Azure AD MFA Adapter Within ADFS (the name is the one the v6.3.0 adapter was registered with)
Unregister-AdfsAuthenticationProvider -Name WindowsAzureMultiFactorAuthentication

DO NOT restart the ADFS service as requested!

Again, execute the following on every ADFS server, starting with the primary if you are using WID, and if you are using SQL just pick a first ADFS server. After that, repeat on every other ADFS server.

If “Visual C++ Redistributable for Visual Studio 2015 Update 1” is not installed you will need to install it first before continuing. Unlike the Azure AD MFA server bits, the ADFS adapter v7.0.0 does not perform a pre-requisite check and does not offer to install the pre-requisites. Without it, the installation will still complete successfully. However, as soon as you restart the ADFS service, the ADFS Admin log will show errors while loading the new MFA provider, due to files not being found.

Navigate to https://www.microsoft.com/en-us/download/details.aspx?id=49984 and download the “Visual C++ Redistributable for Visual Studio 2015 Update 1” (both x86 and x64!). Move both files to every ADFS server you have.

Navigate to the folder you moved the “Visual C++ Redistributable for Visual Studio 2015 Update 1” (both x86 and x64!) to, and double-click on “VC_redist.x64.exe”. You will see the same screens as figure 5 and 6.

Navigate to the folder you moved the “Visual C++ Redistributable for Visual Studio 2015 Update 1” (both x86 and x64!) to, and double-click on “VC_redist.x86.exe”. You will see the same screens as figure 7 and 8.
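Because the ADFS adapter setup will not warn you about a missing pre-requisite, it is worth checking the hotfix and both redistributables on every MFA and ADFS server before running any of the installers. The script below is an added example and not code from this post; it assumes the hotfix is KB2919355 and that the redistributables are listed under the standard Uninstall registry keys with a DisplayName starting “Microsoft Visual C++ 2015 Redistributable” (with “(x64)” or “(x86)” in the name).

```powershell
# Added example (not from the original post): verify the upgrade pre-requisites on this server.
# Assumptions: hotfix KB2919355; VC++ 2015 redistributables appear under the standard
# Uninstall keys with DisplayName "Microsoft Visual C++ 2015 Redistributable (x64|x86) - ..."

function Test-MfaUpgradePrerequisites {
    $result = [ordered]@{
        HotfixKB2919355 = $false
        VcRedist2015x64 = $false
        VcRedist2015x86 = $false
    }

    # Same check as in the post, but without an error on the console when the hotfix is absent
    $hotfix = Get-HotFix -Id KB2919355 -ErrorAction SilentlyContinue
    $result.HotfixKB2919355 = [bool]$hotfix

    # Installed programs are listed under these two Uninstall keys (64-bit and 32-bit views)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $vcRedists = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Visual C++ 2015 Redistributable*' }

    foreach ($entry in $vcRedists) {
        if ($entry.DisplayName -like '*(x64)*') { $result.VcRedist2015x64 = $true }
        if ($entry.DisplayName -like '*(x86)*') { $result.VcRedist2015x86 = $true }
    }

    [pscustomobject]$result
}

$check = Test-MfaUpgradePrerequisites
$check | Format-List

# Stop here if anything is missing: the ADFS adapter setup will not tell you itself
$missing = $check.PSObject.Properties | Where-Object { -not $_.Value } | ForEach-Object Name
if ($missing) {
    Write-Warning ("Missing pre-requisite(s) on {0}: {1}" -f $env:COMPUTERNAME, ($missing -join ', '))
} else {
    Write-Host "All pre-requisites present on $env:COMPUTERNAME"
}
```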

Navigate to the folder you moved the “MultiFactorAuthenticationAdfsAdapterSetup64.msi” to, and double-click on “MultiFactorAuthenticationAdfsAdapterSetup64.msi”. This will replace the previous adapter files and that’s OK. If you receive a notification that the files are in use by the “Active Directory Federation Service”, then click continue.

Click [Next >]

Figure 19: Starting The Installation Of The ADFS Adapter For Azure AD MFA

Click [Close]

Figure 20: Finishing The Installation Of The ADFS Adapter For Azure AD MFA

Now update all other ADFS servers, one at a time and in the same order as explained above!

Using WID?: EDIT The file “MultiFactorAuthenticationAdfsAdapter.config” on the primary ADFS server

Using SQL?: EDIT The file “MultiFactorAuthenticationAdfsAdapter.config” on any ADFS server

On the first yellow marked line, configure the value as true.

On the second yellow marked line, configure the URL to the Azure AD MFA Web Service SDK.

On the third yellow marked line, configure the account (DOMAIN\SAMACCOUNTNAME) the User Portal is also using in its web.config.

On the fourth yellow marked line, configure the password of the account above, which the User Portal is also using in its web.config.

Save the file.

Figure 21: Editing The file “MultiFactorAuthenticationAdfsAdapter.config”
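The four edits above can also be made with PowerShell’s XML parser, which keeps the element names and file encoding intact and refuses to continue if an expected element is missing. This is an added example, not code from this post; it assumes the four elements are named UseWebServiceSdk, WebServiceSdkUrl, WebServiceSdkUsername and WebServiceSdkPassword (as documented for the adapter config), that the Web Service SDK answers at /MultiFactorAuthWebServiceSdk/PfWsSdk.asmx, and that the folder, FQDN and account shown are placeholders you replace.

```powershell
# Added example (not from the original post): fill in MultiFactorAuthenticationAdfsAdapter.config.
# Assumptions: element names as documented for the adapter; placeholders below must be replaced.

$configFilePath   = 'C:\<folder you copied the file to>\MultiFactorAuthenticationAdfsAdapter.config'
$webServiceSdkUrl = 'https://<mfa-server-fqdn>/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx'
$sdkAccount       = 'DOMAIN\SAMACCOUNTNAME'   # the same account the User Portal web.config uses

# Prompt for the password so it does not end up in the PowerShell history
$securePassword = Read-Host -Prompt "Password for $sdkAccount" -AsSecureString
$sdkPassword    = (New-Object System.Net.NetworkCredential('', $securePassword)).Password

[xml]$config = Get-Content -Path $configFilePath -Raw

function Set-ConfigValue {
    param([xml]$Xml, [string]$Name, [string]$Value)
    # GetElementsByTagName matches the element name regardless of a default namespace
    $node = $Xml.DocumentElement.GetElementsByTagName($Name) | Select-Object -First 1
    if ($null -eq $node) { throw "Element <$Name> not found in $configFilePath" }
    $node.InnerText = $Value
}

Set-ConfigValue -Xml $config -Name 'UseWebServiceSdk'      -Value 'true'
Set-ConfigValue -Xml $config -Name 'WebServiceSdkUrl'      -Value $webServiceSdkUrl
Set-ConfigValue -Xml $config -Name 'WebServiceSdkUsername' -Value $sdkAccount
Set-ConfigValue -Xml $config -Name 'WebServiceSdkPassword' -Value $sdkPassword

# Keep a copy of the original before overwriting it, then write the edited file.
# Note: the saved file holds the SDK account password in clear text, so limit who can read the folder.
Copy-Item -Path $configFilePath -Destination "$configFilePath.bak" -Force
$config.Save($configFilePath)

# Show the result without the password
$config.DocumentElement.GetElementsByTagName('WebServiceSdkUrl') | Select-Object -First 1 | ForEach-Object { "SDK URL: $($_.InnerText)" }
"SDK account: $sdkAccount"
```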

Now we need to register the new ADFS adapter.

# Registering The Azure AD MFA Adapter Within ADFS
# Full path to the config file you copied to this ADFS server and edited above (replace the folder)
$configFilePath = "C:\<folder you copied the file to>\MultiFactorAuthenticationAdfsAdapter.config"
# Fully qualified .NET type name of the v7.0.0 adapter (note the Version=7.0.0.9 in the assembly name)
$typeName = "pfadfs.AuthenticationAdapter, MultiFactorAuthAdfsAdapter, Version=7.0.0.9, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
Register-AdfsAuthenticationProvider -TypeName $typeName -Name AzureMfaServerAuthentication -ConfigurationFilePath $configFilePath

DO NOT restart the ADFS service as requested!

If you previously configured a custom display name and a description for the Azure AD MFA adapter, then do that again now. Replace the yellow marked text below with what you need/want.

# Setting the display name and description users see on the ADFS sign-in page for the new adapter
Set-AdfsAuthenticationProviderWebContent -Name "AzureMfaServerAuthentication" -DisplayName "Azure AD MFA AuthN" -Description "Phone Call, SMS, Software Based OTP Or Push Message Verified Authentication By Azure AD"

Now we need to select the new ADFS adapter.

# Selecting The Use Of Azure AD MFA Adapter To Be Listed
# Read the current list of additional (MFA) providers and append the new adapter by its registered name
$listOfCurrentMFAProviders = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
$listOfNewMFAProviders = @($listOfCurrentMFAProviders) + "AzureMfaServerAuthentication"
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $listOfNewMFAProviders

If you are using WID, first wait at least 5 minutes and then execute the command below (this allows WID replication to have taken place).

If you are using SQL, execute the following on any ADFS server (no need to wait as with WID)

Restart The ADFS Service

Restart-Service ADFSSRV -Force

Check the ADFS Admin event log for any errors (when using WID you can expect to see an error regarding the unavailability of Artifact Resolution).

When everything is OK, you should be able to use the Azure AD MFA adapter in ADFS.
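The final check can be scripted so that every ADFS server reports the same three facts: the service is running, the new adapter is registered, and it is selected in the global policy, together with any errors the Admin log recorded since the restart. This is an added example, not code from this post; it assumes the provider name AzureMfaServerAuthentication used above and that the ADFS Admin log is named “AD FS/Admin”.

```powershell
# Added example (not from the original post): post-restart health check for the new adapter.
# Assumptions: provider name from the post; Admin log name "AD FS/Admin"; service name adfssrv.

function Test-AzureMfaAdapterHealth {
    param(
        [string]$ProviderName = 'AzureMfaServerAuthentication',
        # Only look at events logged after this time (default: the last 15 minutes)
        [datetime]$Since = (Get-Date).AddMinutes(-15)
    )

    $service    = Get-Service -Name adfssrv
    $registered = Get-AdfsAuthenticationProvider -Name $ProviderName -ErrorAction SilentlyContinue
    $selected   = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider -contains $ProviderName

    # Level 2 = Error. Get-WinEvent reports "no events found" as an error, hence SilentlyContinue.
    $errors = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = 2; StartTime = $Since } `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server            = $env:COMPUTERNAME
        ServiceStatus     = $service.Status
        AdapterRegistered = [bool]$registered
        AdapterSelected   = $selected
        ErrorCount        = @($errors).Count
        # First line of each message is enough to spot "file not found" loading errors
        Errors            = @($errors | Select-Object TimeCreated, Id,
                                @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } })
    }
}

$health = Test-AzureMfaAdapterHealth
$health | Select-Object Server, ServiceStatus, AdapterRegistered, AdapterSelected, ErrorCount | Format-List
# On WID, the post says one error about Artifact Resolution being unavailable is expected; anything else needs a look
$health.Errors | Format-Table -AutoSize -Wrap
```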

Cheers,
Jorge