Multifactor authentication with Azure MFA server failing

I have configured multifactor authentication, but PMP is returning errors. Here's an overview:

SSO with Active Directory is configured in PMP, but turning it off makes no difference to the errors

I use Multi-Factor Authentication Server (the Phonefactor replacement - confirmed as supported)

I installed the web SDK on my MFA server and signed it with my PKI

When first setting up the Phonefactor Agent Authentication Credentials in PMP's 2FA section, it failed to configure; after adding my root CA to be trusted by PMP it gave me a "successful" message (that's for the configuration of course, not that the thing actually works...)

Within Multi-factor Authentication server, I can perform a test call to the account I'm trying to authenticate with
However, when I actually configure 2FA for a user and try to log in, it fails. The browser doesn't even get a message, it just freezes (unless I turn off SSO, in which case after entering the password I get a ~30 sec wait before it fails).

The log files don't tell me exactly what's going on (obviously I've sanitized my prod data out here):

The phonefactor username correctly matches the username I'm trying to authenticate to in MFA

In the PMP log, there is a 22 second delay between the "error message" line and the actual sending of the message to the MFA server:

[09:16:40:398]|[05-30-2016]|[com.adventnet.passtrix.twofactor.PhoneTwoFactorPassword]|[FINER]|[87]: UserName of the Phonefactor agent resource::ACME\WebMFA-Service|
[09:16:40:399]|[05-30-2016]|[com.adventnet.passtrix.twofactor.PhoneTwoFactorPassword]|[FINER]|[87]: PhoneFactor UserName of the user to be authenticated:: test.user@acme.com|
[09:16:48:474]|[05-30-2016]|[com.adventnet.passtrix.service.PassTrixService]|[FINER]|[72]: Starting high availability status check thread......|
[09:16:48:474]|[05-30-2016]|[com.adventnet.passtrix.utils.HAUtils]|[FINEST]|[72]: Checking high availability status......|
[09:16:48:474]|[05-30-2016]|[com.adventnet.passtrix.utils.HAUtils]|[FINEST]|[72]: PMP Master Server : true|
[09:16:48:476]|[05-30-2016]|[com.adventnet.passtrix.client.util.ClientUtil]|[INFO]|[72]:  getSlaveHost - conf file does not exists ..\pgsql\bin\Primary.conf|
[09:16:48:477]|[05-30-2016]|[com.adventnet.passtrix.utils.HAUtils]|[FINEST]|[72]: Current IO status : -1|
[09:16:48:477]|[05-30-2016]|[com.adventnet.passtrix.utils.HAUtils]|[FINEST]|[72]: Current SQL status : 1|
[09:16:48:477]|[05-30-2016]|[com.adventnet.passtrix.utils.HAUtils]|[FINEST]|[72]: Previous IO status : -1|
[09:16:48:478]|[05-30-2016]|[com.adventnet.passtrix.utils.HAUtils]|[FINEST]|[72]: Previous SQL status : 1|
[09:16:48:478]|[05-30-2016]|[com.adventnet.passtrix.utils.HAUtils]|[FINEST]|[72]: IO flag : -1|
[09:16:48:478]|[05-30-2016]|[com.adventnet.passtrix.utils.HAUtils]|[FINEST]|[72]: SQL flag : -1|
[09:16:48:478]|[05-30-2016]|[com.adventnet.passtrix.utils.HAUtils]|[FINEST]|[72]: Error Message : |
[09:17:10:600]|[05-30-2016]|[com.adventnet.passtrix.twofactor.PhoneTwoFactorPassword]|[INFO]|[87]: Message Sent to PHONEFACTOR.  Waiting for Response...|
[09:17:10:602]|[05-30-2016]|[com.adventnet.passtrix.twofactor.PhoneTwoFactorPassword]|[INFO]|[87]: Response received|
The IIS logs on the MFA server are at the same time as the "Message Sent to PHONEFACTOR":
2016-05-30 21:17:10 W3SVC1 ACMEMFASERVER 192.168.61.26 POST /MultiFactorAuthWebServiceSdk/PfWsSdk.asmx - 5001 ACME\WebMFA-Service 192.168.61.26 HTTP/1.1 Java/1.7.0_71 - - ACMEMFASERVER:5001 200 0 0 906 823 30142

The MFA log usually (but not always) shows the following:
2016-05-24T04:23:11.157904Z|e|6268|9628|credStore|Couldn't read credential identified by 'PfSmtp'. Element not found. (0x00000490 = 1168)

I see errors like this too in the MFA log, but not every attempt (rpc callback could even be normal?)
2016-05-24T04:23:43.478553Z|0|6268|9628|rpcIfCallback,rpcServer|ifc=2d4baaca-d42b-4461-99db-da9db1b9fa80, context=0x00000000023B6080
2016-05-24T04:23:43.482542Z|e|6268|9628|iisabo|WMI error: -2147217394

For the actual attempt above with the delay, I only had the following returned (the one about the group resolution is new):
2016-05-29T21:17:10.148154Z|0|1584|5212|rpcIfCallback,rpcServer|ifc=abf64e16-06dc-46b4-8581-334c29d09e7a, context=0x00000000011E9540
2016-05-29T21:17:10.202166Z|0|1584|1500|rpcIfCallback,rpcServer|ifc=80ee1ff2-b056-45f6-8c0f-c141a7e62c95, context=0x00000000011E9540
2016-05-29T21:17:10.214193Z|i|1584|1500|pfsvc|Resolved group 'PhoneFactor Admins@acme.com' for group-based auth.

I'm totally clueless on where to go next. None of the logs give me any kind of indication of what the actual problem is.
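As an added troubleshooting aid (example code written for this page, not part of the original post and not from ManageEngine or Microsoft): the script below parses the PMP log lines and the IIS W3C line quoted above, computes the time gap between consecutive entries per PMP thread id so that the interleaved high-availability status-check lines from thread 72 do not obscure the wait on the 2FA thread 87, and pulls the `time-taken` value out of the IIS entry for comparison. The 5-second gap threshold is an arbitrary choice, and the IIS field positions are assumed from the default W3C layout because the post does not include the `#Fields` header.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the PMP log lines quoted in the post (threads 87 and 72).
PMP_LOG = r"""
[09:16:40:398]|[05-30-2016]|[com.adventnet.passtrix.twofactor.PhoneTwoFactorPassword]|[FINER]|[87]: UserName of the Phonefactor agent resource::ACME\WebMFA-Service|
[09:16:40:399]|[05-30-2016]|[com.adventnet.passtrix.twofactor.PhoneTwoFactorPassword]|[FINER]|[87]: PhoneFactor UserName of the user to be authenticated:: test.user@acme.com|
[09:16:48:474]|[05-30-2016]|[com.adventnet.passtrix.service.PassTrixService]|[FINER]|[72]: Starting high availability status check thread......|
[09:16:48:476]|[05-30-2016]|[com.adventnet.passtrix.client.util.ClientUtil]|[INFO]|[72]:  getSlaveHost - conf file does not exists ..\pgsql\bin\Primary.conf|
[09:16:48:478]|[05-30-2016]|[com.adventnet.passtrix.utils.HAUtils]|[FINEST]|[72]: Error Message : |
[09:17:10:600]|[05-30-2016]|[com.adventnet.passtrix.twofactor.PhoneTwoFactorPassword]|[INFO]|[87]: Message Sent to PHONEFACTOR.  Waiting for Response...|
[09:17:10:602]|[05-30-2016]|[com.adventnet.passtrix.twofactor.PhoneTwoFactorPassword]|[INFO]|[87]: Response received|
"""

# Constructed sample input: the IIS W3C line quoted in the post (no #Fields header given).
IIS_LINE = (
    r"2016-05-30 21:17:10 W3SVC1 ACMEMFASERVER 192.168.61.26 POST "
    r"/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx - 5001 ACME\WebMFA-Service "
    r"192.168.61.26 HTTP/1.1 Java/1.7.0_71 - - ACMEMFASERVER:5001 200 0 0 906 823 30142"
)

# PMP format: [HH:MM:SS:mmm]|[MM-DD-YYYY]|[logger]|[LEVEL]|[thread]: message|
PMP_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2}):(?P<ms>\d{3})\]\|"
    r"\[(?P<date>\d{2}-\d{2}-\d{4})\]\|"
    r"\[(?P<logger>[^\]]+)\]\|"
    r"\[(?P<level>[A-Z]+)\]\|"
    r"\[(?P<thread>\d+)\]:\s*(?P<msg>.*?)\s*\|?\s*$"
)


def parse_pmp_line(line):
    """Return a dict for one PMP log line, or None if the line does not match."""
    m = PMP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}.{m['ms']}", "%m-%d-%Y %H:%M:%S.%f")
    return {"ts": ts, "thread": m["thread"], "level": m["level"],
            "logger": m["logger"], "msg": m["msg"]}


def find_gaps(log_text, threshold=timedelta(seconds=5)):
    """Report gaps >= threshold between consecutive lines of the *same* thread.

    Grouping by thread id matters: the HA check on thread 72 is logged in the
    middle of the 2FA sequence on thread 87, so a naive line-to-line diff would
    attribute the wait to the wrong component.
    """
    last_by_thread = {}
    gaps = []
    for raw in log_text.splitlines():
        rec = parse_pmp_line(raw)
        if rec is None:
            continue
        prev = last_by_thread.get(rec["thread"])
        if prev is not None:
            delta = rec["ts"] - prev["ts"]
            if delta >= threshold:
                gaps.append({"thread": rec["thread"], "gap_s": delta.total_seconds(),
                             "before": prev["msg"], "after": rec["msg"]})
        last_by_thread[rec["thread"]] = rec
    return gaps


def parse_iis_line(line):
    """Parse one IIS W3C line using the assumed default field layout, which ends with
    sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken (ms)."""
    f = line.split()
    return {
        "ts": datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S"),
        "method": f[5], "uri": f[6], "user": f[9],
        "status": int(f[-6]), "time_taken_ms": int(f[-1]),
    }


def report(pmp_text=PMP_LOG, iis_line=IIS_LINE):
    """Build a short human-readable summary of the PMP gaps and the IIS request."""
    lines = []
    for g in find_gaps(pmp_text):
        lines.append(f"PMP thread {g['thread']}: {g['gap_s']:.3f}s between "
                     f"'{g['before']}' and '{g['after']}'")
    iis = parse_iis_line(iis_line)
    lines.append(f"IIS {iis['method']} {iis['uri']} by {iis['user']}: "
                 f"status {iis['status']}, time-taken {iis['time_taken_ms']} ms")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run as-is it lists the single long gap on thread 87 (between the "PhoneFactor UserName" line and "Message Sent to PHONEFACTOR") next to the IIS request's `time-taken`; pointing `find_gaps` at a full PMP log file and lowering the threshold is the quickest way to see which thread is waiting on what.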
