Microsoft ADFS
Introduction
The purpose of this integration document is to provide guidelines on how to integrate Mideye two-factor authentication with Microsoft Active Directory Federation Services (ADFS).
- Implemented a new .NET RADIUS client.
- Fixed a bug where registry values were incorrect.
Prerequisites & general issues
Requirements
A Mideye Server (any release). If there is a firewall between the ADFS server and the Mideye Server, it must be open for two-way RADIUS traffic (UDP, standard port 1812). ADFS acts as a RADIUS client towards the Mideye Server; hence, the ADFS server must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Configuration Guide for information on how to define a new RADIUS client.
Supported ADFS versions are Windows Server 2012 R2, 2016 and 2019.
Prerequisites
This guide does not explain how to set up ADFS. Refer to Microsoft's documentation on how to configure ADFS before proceeding with this integration document.
Remove any existing versions of the Mideye ADFS module
Before installing a new version of the module, any existing version must be uninstalled. Complete the following steps to remove older versions of the ADFS module.
Open the ADFS management console and navigate to Access Control Policies. Remove all relying parties from any MFA policies.
Navigate to Authentication Methods and click Edit next to Multi-factor authentication methods.
Uncheck the Mideye ADFS module and click OK.
Open Control Panel and navigate to Add/Remove Programs. Uninstall the Mideye ADFS module.
To make sure that all registry keys from older versions are removed, open PowerShell as an administrator and run: Unregister-AdfsAuthenticationProvider -Name Mideye.ADFS -Confirm:$false
Installing the ADFS module
Run the ADFS package as an administrator.
Enter the IP address(es) of the Mideye Server and specify the UDP port (default udp/1812). Type the shared secret to be used between the RADIUS client (ADFS) and the Mideye Server. Allow a timeout of at least 35 seconds so that any fallback method has enough time to complete before the request times out. Multiple RADIUS servers can be configured.
Choose the language for informational/error messages and finish the installation.
Enable the module
Open the ADFS management console, navigate to Authentication Methods and click Edit next to Multi-factor authentication methods. Enable the Mideye MFA method and click OK.
Navigate to Access Control Policies and change any relying party that should require MFA to a policy that enforces it.
Create RADIUS client
Refer to the Configuration Guide (Mideye Server 4) or the Reference Guide (Mideye Server 5) for how to create a new RADIUS client on the Mideye Server.
Mideye Server 4
On the created RADIUS client, navigate to Client configuration and uncheck “Check static password”. This check is not necessary, since ADFS has already verified the username and password before the request reaches the Mideye Server. With the password check disabled, the RADIUS shared secret and the firewall rule are what restrict which hosts can request a second-factor authentication through this client definition.
Remove check static password
Mideye Server 5
Open the Mideye web GUI and navigate to “Configuration” followed by RADIUS clients. Select Edit on the new RADIUS client and open the “Client Configuration” tab. Check the “Ignore password” checkbox.
Make sure that “Ignore Password” is selected
Customise error messages, language and server list
To change the language or customise informational/error messages, open the Mideye ADFS configuration editor. To customise a field, check the Custom edit button, make the changes and click Save.
To add, remove or edit entries in the RADIUS server list, open the Client settings tab and check the Custom edit button. Make the changes and click Save.
Troubleshooting
Permissions
If the Event Viewer shows errors with the text System.AggregateException: One or more errors occurred. ---> System.Exception: Could not connect to regedit, the permission setup for the service account used by ADFS was not completed correctly during installation. To resolve this, navigate to Program files \ Mideye and run the editor as an administrator. Click the Permission tab followed by “Add Permissions”. This must be done on every ADFS server in the farm.
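The enable steps and the permission error above can be checked from PowerShell in one pass. The following script is an added example, not part of the Mideye documentation or module; it assumes the provider is registered under the name Mideye.ADFS (as used in the uninstall step), that the ADFS admin log is named "AD FS/Admin", and that the AccessControlPolicyName property exists on relying party trusts (Windows Server 2016 and later; on 2012 R2 that column is simply empty).

```powershell
# Added verification script (assumption: run in an elevated PowerShell on an ADFS farm node).
Import-Module ADFS

$providerName = 'Mideye.ADFS'   # name used by the Unregister step in this guide

# 1. Is the Mideye provider registered at all? If not, the module is not installed.
$registered = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq $providerName }
if ($registered) { "Provider '$providerName' is registered." }
else             { "Provider '$providerName' is NOT registered; install the module." }

# 2. Is it enabled as a multi-factor method in the global authentication policy?
#    (This is what "Enable the MFA-method and click OK" changes in the console.)
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.AdditionalAuthenticationProvider -contains $providerName) {
    "Provider '$providerName' is enabled as an MFA method."
} else {
    "Provider '$providerName' is NOT enabled; enable it under Authentication Methods."
}

# 3. Which access control policy is each relying party bound to? A relying party that
#    is not on an MFA policy will authenticate with password only.
Get-AdfsRelyingPartyTrust |
    Select-Object Name, AccessControlPolicyName |
    Format-Table -AutoSize

# 4. Look for the registry-permission error from the Troubleshooting section in the
#    last 24 hours of the AD FS admin log.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; StartTime = $since } `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'Could not connect to regedit' }
if ($events) {
    "$($events.Count) 'Could not connect to regedit' event(s) found since $since;" +
    " run the Mideye editor as administrator and use Permission -> Add Permissions on every farm node."
} else {
    "No registry-permission errors in the AD FS/Admin log since $since."
}
```

Run it on each server in the farm, since the permission fix and the provider registration are per node.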
Failover
When more than one Mideye Server is specified in the RADIUS server list, the module always tries the one at the top of the list first. If the first Mideye Server does not respond, the next one in the list is automatically moved to the top, and the failed Mideye Server is placed at the bottom.
Check RADIUS logs
Check whether anything is written to the Mideye RADIUS logs.
If nothing is logged, verify that udp/1812 is allowed between the ADFS server and the Mideye Server. Also check the Event Viewer on the ADFS server for related log entries.