Multi-Forest MFA: Unable to connect Master MFA Server
We are configuring multi-factor authentication for all our customers, and if they are using Office 365 then Azure MFA is the new gold standard. We found that a few customers share the same Office 365 tenant in a multi-forest hybrid setup.
All these customers were required to configure Multi-Factor Authentication for external access from the Internet. Hence, we were installing Azure MFA Server on-premises.
So this time we are configuring Azure MFA in a multi-forest hybrid setup.
We were able to install Azure MFA successfully in Forest A.
When we tried to install Azure MFA in Forest B, we learned that Azure MFA Server works in a master-slave setup, where the master holds the writable copy and the slave holds a read-only copy.
We have a two-way forest trust between Forest A and Forest B.
When we tried to open the Azure MFA console, we got the following error, where the slave server can't communicate with the master.
We got the following in the svc logs:
2017-01-25T05:26:40.912353Z|0|2360|2632|rpcDefibrillator|pre_throwRpcStatusCxxException() current seqN=26
2017-01-25T05:26:40.912353Z|0|2360|2632|rpcDefibrillator|Marking RPC connection seqN 26 suspect.
2017-01-25T05:26:40.912353Z|e|2360|2632|rpc|Access is denied. (0x00000005 = 5)
We got this popup when opening the Multi-Factor Authentication Server application:
Cannot communicate with the master Multi-Factor Authentication Server on "Server FQDN". The Multi-Factor Authentication Server user interface will now close.
There was no event in the Event Viewer.
We checked our network ports, which were already open.
We checked the name resolution.
We checked ping and telnet.
Everything was open.
We added both Azure MFA servers to the "PhoneFactor Admins" group in both forests, but still no luck.
Even restarting these servers didn't help.
Microsoft recommended keeping both servers in one forest's "PhoneFactor Admins" group and deleting the other forest's "PhoneFactor Admins" group.
The point to note here is that this means adding a cross-forest computer object to a global group, which is impossible: a global group can only contain principals from its own domain.
So we had to change the scope of Forest A's "PhoneFactor Admins" group from Global to Domain Local.
We then added the computer object in the properties of the "PhoneFactor Admins" group and deleted Forest B's "PhoneFactor Admins" group.
Then we restarted both servers one by one.
We still had the issue; it was not resolved at this point. We got the following error in the log file:
“PhoneFactor Admins” Exists: False
When we checked the properties of the computer object, we could not find the "PhoneFactor Admins" group listed under Member Of. So we created a new global group named "cross forest" and added the computer object to this global group. Then we added this group to Forest B's "PhoneFactor Admins" group.
We still had the issue.
We added the Forest B login user ID to the cross-forest group, which in turn made it a member of the "PhoneFactor Admins" group.
Now we were able to open the Multi-Factor Authentication Server console in Forest B, and we started configuring the portals.
After configuring the Mobile Portal, we had to test TestPfWsSdkConnection and TestSecurity at the URL https://ExternalDomain/MultiFactorAuthMobileAppWebService.
TestSecurity was successful, but TestPfWsSdkConnection gave me the error "Error communicating with the local Multi-Factor Authentication service. Please contact your administrator."
We could also see that the "PhoneFactor Admins" group had been recreated in Forest B.
We also got the error "Main_Load catch: Cannot access a disposed object. Object name: 'Main'".
We figured out that this was a permissions issue: the Forest B user needed to be granted the permission.
We added the following to the "cross forest" group membership in Forest B. Remember, the cross forest group was added to the "PhoneFactor Admins" group in Forest A:
Azure MFA Slave Server
Forest B’s PhoneFactor Admins
We logged off and back on to Forest B's Azure MFA server, and everything started working.
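To check the resulting membership chain without clicking through both forests, here is a read-only PowerShell script. It is an added example, not part of the original post or of Azure MFA Server; it assumes the RSAT ActiveDirectory module, read access to both forests, one domain per forest, and the hypothetical DC, group and server names passed as parameters.

```powershell
# Added example, not from the original post: read-only check of the cross-forest
# "PhoneFactor Admins" membership chain described above. Assumes the RSAT
# ActiveDirectory module, read access to both forests, a single domain per
# forest, and hypothetical DC/group/server names supplied as parameters.
param(
    [string]$ForestADC   = 'dc01.foresta.example',  # forest keeping the surviving "PhoneFactor Admins"
    [string]$ForestBDC   = 'dc01.forestb.example',  # forest of the slave MFA server
    [string]$MfaServer   = 'MFA02',                 # slave server computer account (hypothetical)
    [string]$BridgeGroup = 'cross forest',          # global group in Forest B nested into Forest A's group
    [string]$AdminsGroup = 'PhoneFactor Admins'
)
Import-Module ActiveDirectory

# 1. A global group can only hold principals from its own domain, so Forest A's
#    group must be Domain Local before any Forest B object can become a member.
$admins = Get-ADGroup -Identity $AdminsGroup -Server $ForestADC -Properties member, GroupScope
if ($admins.GroupScope -ne 'DomainLocal') {
    Write-Warning "'$AdminsGroup' in Forest A has scope $($admins.GroupScope); cross-forest members require DomainLocal."
}

# 2. Members from the other forest are stored as Foreign Security Principals whose CN is the SID.
$foreignSids = @($admins.member | ForEach-Object {
    if ($_ -match '^CN=(S-1-5-[\d-]+),CN=ForeignSecurityPrincipals,') { $Matches[1] }
})

# 3. Forest B side of the chain: the server's SID and the SIDs of its direct groups.
#    memberOf is a same-directory backlink, so Forest A's group never shows up here,
#    which is why the "Member Of" tab in the post did not list it.
$computer   = Get-ADComputer -Identity $MfaServer -Server $ForestBDC -Properties memberOf
$bGroupSids = @(foreach ($dn in $computer.memberOf) { (Get-ADGroup -Identity $dn -Server $ForestBDC).SID.Value })
$bridge     = Get-ADGroup -Identity $BridgeGroup -Server $ForestBDC
$bridgeInA  = $foreignSids -contains $bridge.SID.Value
$serverInBridge = $bGroupSids -contains $bridge.SID.Value

# 4. Report: the server is effective in Forest A's group if it is a direct FSP member,
#    or if it sits in the bridge group and the bridge group is itself an FSP member.
[pscustomobject]@{
    Principal                = "$MfaServer (computer, Forest B)"
    DirectFspMemberOfAdminsA = $foreignSids -contains $computer.SID.Value
    MemberOfBridgeGroupB     = $serverInBridge
    BridgeGroupIsFspInA      = $bridgeInA
    EffectiveMemberOfAdminsA = ($foreignSids -contains $computer.SID.Value) -or ($serverInBridge -and $bridgeInA)
}
```

Run it from a workstation that can reach a DC in each forest; a False in the last column points at the link in the chain that is missing.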
CTO @ Golden Five