MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

Azure MFA: Twice MFA for MAC Users

We have deployed the Microsoft Azure MFA in the customer infrastructure. Everything was working fine. MAC users reported Twice MFA. Let us see how did we fix it.

Azure MFA is working as expected. Users will accept and will agree to follow all the steps if it is a security requirement.

At the same time, twice MFA within few seconds can be annoying and frustrating for the users.

Issue:

Azure MFA is working as expected for the users on windows computers and tablets. MAC users were getting 2 MFA phone, txt or app verification prompts.

Resolution:

-Issue looked little strange so reported this to Microsoft.

-Microsoft recommended checking if there are 2 authentications coming to the Azure MFA.

-Logged in to the Azure MFA server and went to the following path

“C:\Program Files\Multi-Factor Authentication Server\Logs”

-Open the MultiFactorAuthRadiusSvc.log file

-2 login request came as shown below.

2017-02-14T02:57:19.234778Z|0|1412|6452|pfrad|Calling pfAuthUser(‘Domain\pnigam’, ”, 1)
2017-02-14T02:57:24.600871Z|0|1412|6452|pfrad|authResult = 1
2017-02-14T02:57:24.600871Z|0|1412|6452|pfrad|rawCallStatus = 21

-This clarifies that there is no bug or issue, in fact, there are 2 authentication requests are coming.

-Yes, on MAC, there was no direct RDP happening and there is no way to do it. When I continue to stare my MacBook 12″. I was able to see 2 logins were happening.

-For customer and me the issue stands the same, users won’t like to do MFA twice within few second.

-The workaround to avoid the multiple logins in quick time is to add cache entry in the Azure Portal by following the below-mentioned steps from here.

https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next#caching-in-azure-multi-factor-authentication


-After configuring the cache, user was prompted only once.

-Checked the MultiFactorAuthRadiusSvc.log file

2 login were coming but they had different rawCallStatus. First one had rawCallStatus = 21 and Second one had rawCallStatus = 6

2017-02-14T02:57:56.986251Z|0|1412|10088|pfrad|Calling pfAuthUser(‘Domain\pnigam’, ”, 1)
2017-02-14T02:57:57.550306Z|0|1412|10088|pfrad|authResult = 1
2017-02-14T02:57:57.550306Z|0|1412|10088|pfrad|rawCallStatus = 6

-Let me decode the code. The below table tells the code description. 21 is Mobile App Authenticated and 6 is Used Cache. Which was just perfect. This table can be very useful in troubleshooting for the security team.

Code Description
1 PIN Entered
2 No PIN Entered
3 # Not Pressed After Entry
4 No Phone Input – Timed Out
5 PIN Expired and Not Changed
6 Used Cache
7 Bypassed Auth
8 Used Cache
9 Used Cache
10 Call Disconnected
11 Call Timed Out
12 Invalid Phone Input
13 Got Voicemail
14 User is Blocked
15 Status Pending
16 Voiceprint Succeeded
17 Voiceprint Enrolled
18 Voiceprint Expired and Not Changed
19 Text Message Authenticated
20 Text Message Sent
21 Mobile App Authenticated
22 OATH Code Pending
23 OATH Code Verified
24 Fallback OATH Code Verified
25 Fallback Security Questions Answered
100 Invalid Phone Number
101 Auth Already In Progress
102 Phone Unreachable
103 International Calls Not Allowed
104 PIN Mode Not Allowed
105 Account Locked
106 Invalid Message
107 Invalid Phone Number Format
108 User Hung Up the Phone
109 Insufficient Balance
110 Phone Extensions Not Allowed
111 Invalid Extension
112 Fraud Code Entered
113 Rollover Not Allowed
114 Return PIN Mode Not Allowed
115 Event Confirmation Not Allowed
116 Invalid Event Parameter
117 Unable to Place Call
118 Voiceprint Failed
119 Voiceprint Mode Not Allowed
120 Text Message Could Not Be Sent
121 No Text Message Reply Received
122 Text Message OTP Incorrect
123 Text Message OTP + PIN Incorrect
124 Text Message Mode Not Allowed
125 Localization Not Allowed
126 User Licenses Exceeded
127 Text Message User Licenses Exceeded
128 Voiceprint User Licenses Exceeded
129 Mobile App Denied
130 Mobile App Invalid PIN
131 Mobile App PIN Not Changed
132 Fraud Reported
133 Mobile App No Response
134 Mobile App Mode Not Allowed
135 Mobile App All Devices Blocked
136 Mobile App Notification Failed
137 Mobile App Invalid Result
138 OATH Code Incorrect
139 Duplicate OATH Code
140 OATH Code Out Of Date
141 OATH Token Mode Not Allowed
-100 Skipped Call
-101 User Not Found
-102 User Disabled
-103 User Incomplete
-104 Trusted IP

So, we implemented this workaround but we ensured to add the Authentication Type, Application Name, and IP so that the cache only applies to the same IP.

 

Prabhat Nigam

CTO @ Golden Five

Team@MSExchangeGuru

Leave a Reply

migrate exchange to office 365

Categories

Archives