Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2016-09-13) Failing To Activate Mobile App Against The On-Premises Azure AD MFA Server

Posted by Jorge on 2016-09-13


You have set up the Azure AD MFA server, the Azure AD MFA User Portal, the Azure AD MFA Mobile App Web Service and the Azure AD MFA Web Service.

You log on to the Azure AD MFA User Portal and then click on “Activate Mobile App” on the left side of the screen. In addition you click on [Generate New Activation Code] and you will see a screen similar to the one below.


Figure 1: Activating The Azure AD MFA Mobile App Through A Secure Web URL And A One-Time Activation Code

On your mobile phone, you can now either choose to specify the information yourself or just scan the QR code. Whichever method you choose, you will see a message on your mobile phone similar to the one shown below. You can try as many times as you want, but unfortunately that will not help.


Figure 2: Activation Error On Your Mobile Phone

Activation failed. Please verify you have network connectivity and check the URL to ensure it is correct.

Error details: The operation couldn’t be completed. (Fault error –1.)

This error basically tells you something is wrong with the URL displayed previously on screen. The rest of the error is rather useless.

As the authenticator app will hit the mobile app web service URL, it is a good idea to put that URL in a browser to see what happens.

As soon as you do you might see the following error.


Figure 3: IIS Server Error For The MultiFactorAuthMobileAppWebService Application

Now this is something you can work with! Something appears to be wrong in the “web.config” of the MultiFactorAuthMobileAppWebService application, so that is where you should look.


Figure 4: The “web.config” Of The MultiFactorAuthMobileAppWebService Application WITHOUT The Required Key

So just before “</appSettings>”, add the following line:

<add key="WEB_SERVICE_SDK_AUTHENTICATION_CLIENT_CERTIFICATE_THUMBPRINT" value=""/>

…so that it looks like the following:


Figure 5: The “web.config” Of The MultiFactorAuthMobileAppWebService Application WITH The Required Key

When done, save the “web.config” of the MultiFactorAuthMobileAppWebService application.
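
The web.config edit described above can also be scripted. The following PowerShell is an added example, not code from the original post or from Microsoft; the `-WebConfigPath` parameter is an assumption and must point at the web.config of your MultiFactorAuthMobileAppWebService application.

```powershell
# Added example: ensure the appSettings key from this post exists in web.config.
# $WebConfigPath is an assumption; point it at the web.config of your
# MultiFactorAuthMobileAppWebService IIS application.
param(
    [Parameter(Mandatory = $true)]
    [string]$WebConfigPath
)

$keyName = 'WEB_SERVICE_SDK_AUTHENTICATION_CLIENT_CERTIFICATE_THUMBPRINT'

if (-not (Test-Path -LiteralPath $WebConfigPath -PathType Leaf)) {
    throw "web.config not found: $WebConfigPath"
}
$fullPath = (Resolve-Path -LiteralPath $WebConfigPath).ProviderPath

# Load as XML so the edit cannot leave the file malformed.
$xml = New-Object System.Xml.XmlDocument
$xml.Load($fullPath)

$appSettings = $xml.SelectSingleNode('/configuration/appSettings')
if ($null -eq $appSettings) {
    throw "No <appSettings> section found in $fullPath"
}

# Idempotent: do nothing if the key is already there, whatever its value.
$existing = $appSettings.SelectSingleNode("add[@key='$keyName']")
if ($null -ne $existing) {
    Write-Output "Key already present (value='$($existing.GetAttribute('value'))'); nothing to do."
    return
}

# Keep a timestamped backup before touching the file.
$backup = "$fullPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -LiteralPath $fullPath -Destination $backup

# Append <add key="..." value=""/> as the last child, i.e. just before </appSettings>.
$node = $xml.CreateElement('add')
$node.SetAttribute('key', $keyName)
$node.SetAttribute('value', '')
[void]$appSettings.AppendChild($node)
$xml.Save($fullPath)

Write-Output "Added $keyName with an empty value; backup saved to $backup"
```

Saving web.config restarts the ASP.NET application, so run this in a maintenance window if users are activating devices.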

Now you retry the URL in the browser and you should see something like…


Figure 6: The MultiFactorAuthMobileAppWebService Application Now Working Correctly

On your mobile phone, you can now retry the activation by either choosing to specify the information yourself or by just scanning the QR code. Whichever method you choose, you should now succeed in activating the mobile app.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

One Response to “(2016-09-13) Failing To Activate Mobile App Against The On-Premises Azure AD MFA Server”

  1. Brilliant Jorge, we just had the same issue.
    Upgrade on-prem MFA to version 7.1.2: Microsoft adds a key with an empty default value, but without the (EMPTY) value IIS doesn’t work. Nice design ;-((
    We figured out the solution; after that we googled “WEB_SERVICE_SDK_AUTHENTICATION_CLIENT_CERTIFICATE_THUMBPRINT key not present MFA 7” and found only your site. So Microsoft hasn’t figured it out yet…
    We can never imagine that we’re the only ones with a certain problem, so thanks for your post.

    Keep up the good work

    Eric
    (if it ain’t broke there is nothing to fix; and if you don’t test a new product/version you always start without errors/problems)
