ahelland / ADFSMFAAdapters

Custom MFA Adapters for ADFS
38 stars 11 forks

ADFS 2019 install issue #7

Closed deknevel closed 1 year ago

deknevel commented 4 years ago

Good day, first of all thanks for providing an ADFS adapter for YubiKeys. I have problems installing the adapter. The error message is as follows:

```
PS C:\install> Register-AdfsAuthenticationProvider -TypeName $typeName -Name "YubiKey MFA Adapter" -ConfigurationFilePath 'C:\install\YubiKeyMFAAdapter\YubiKeyMFAAdapter.json'
Register-AdfsAuthenticationProvider : The authentication method YubiKey MFA Adapter could not be loaded. Could not load type 'ADFSMFAAdapters.YubiKeyMFAAdapter' from assembly 'Microsoft.IdentityServer.Web, Version=10.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL'.
At line:1 char:1
+ Register-AdfsAuthenticationProvider -TypeName $typeName -Name "YubiKe ...
+
    + CategoryInfo          : NotSpecified: (:) [Register-AdfsAuthenticationProvider], AuthenticationMethodLoadException
    + FullyQualifiedErrorId : The authentication method YubiKey MFA Adapter could not be loaded. Could not load type 'ADFSMFAAdapters.YubiKeyMFAAdapter' from assembly 'Microsoft.IdentityServer.Web, Version=10.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL'.,Microsoft.IdentityServer.Management.Commands.AddExternalAuthProviderCommand
```

This is the output from $publish and $fn:

```
PS C:\install> echo $publish
System.EnterpriseServices.Internal.Publish
PS C:\install> echo $fn
Microsoft.IdentityServer.Web, Version=10.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35
PS C:\install> echo $typeName
ADFSMFAAdapters.YubiKeyMFAAdapter, Microsoft.IdentityServer.Web, Version=10.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL
```

I copied the Microsoft.IdentityServer.Web.dll from my ADFS installation into C:\Install\YubiKeyMFAAdapter and renamed the file to YubiKeyMFAAdapter.dll. Do you have an idea what I am doing wrong? Thanks for your reply.

ahelland commented 4 years ago

Sounds like a glitch in my instructions or something :)

The Microsoft.IdentityServer.Web.dll file should indeed be copied to an install directory, but you should not rename it. It should keep the existing name. The YubiKeyMFAAdapter.dll file should be acquired by compiling the code in this repo which should produce said file as an output (and this with the rest of the files built should be copied to the ADFS server).

Or am I misunderstanding which steps you took?

deknevel commented 4 years ago

Hi, thanks for your help. I think the glitch is rather in my head :) So the PowerShell script in the Readme.md is only for installing the adapter? But how do I compile the Microsoft.IdentityServer.Web.dll? Did I miss something there? Thanks

ahelland commented 4 years ago

Yup, the PowerShell is only for getting the adapter registered correctly on the ADFS server. The Microsoft.IdentityServer.Web.dll is pre-compiled (and as you already saw found on the server).

The YubiKeyMFAAdapter.dll requires Visual Studio 2019 (Community Edition is free and will work) to compile. If you're not all that into coding, it should be sufficient to open the solution, flip the output to "Release" (it is set to Debug by default), right-click "YubiKeyMFAAdapter" on the right-hand side and click "Build".
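The registration procedure discussed above, as an added example that is not the repository's README script and not code from the maintainer. It reads the identity of the file about to be registered before touching the GAC, so the mistake from the first post (a renamed copy of Microsoft.IdentityServer.Web.dll, whose assembly identity stays `Microsoft.IdentityServer.Web` and therefore cannot contain `ADFSMFAAdapters.YubiKeyMFAAdapter`) fails with a clear message instead of the `AuthenticationMethodLoadException`. The install directory, the configuration file name and the provider display name are assumptions taken from the thread; adjust them to your own layout.

```powershell
# Added example, not part of the ADFSMFAAdapters repository.
# Run from an elevated PowerShell on the primary AD FS server.

$installDir  = 'C:\install\YubiKeyMFAAdapter'                  # assumed install directory
$adapterDll  = Join-Path $installDir 'YubiKeyMFAAdapter.dll'   # Release build output of the solution, NOT a renamed DLL
$configFile  = Join-Path $installDir 'YubiKeyMFAAdapter.json'  # assumed config file name
$adapterType = 'ADFSMFAAdapters.YubiKeyMFAAdapter'

# 1. Read the assembly identity from the file header; this executes none of its code.
$identity = [System.Reflection.AssemblyName]::GetAssemblyName($adapterDll)
if ($identity.Name -eq 'Microsoft.IdentityServer.Web') {
    throw "$adapterDll is a renamed copy of Microsoft.IdentityServer.Web.dll and cannot contain $adapterType. Build YubiKeyMFAAdapter.dll from the solution instead."
}
if (-not $identity.GetPublicKeyToken()) {
    throw "$adapterDll is not strong-named; GacInstall only accepts signed assemblies."
}

# 2. Load it and confirm the adapter type is really there.
#    Microsoft.IdentityServer.Web.dll resolves from the GAC on an AD FS server,
#    so the type's base types can be loaded for this check.
$asm = [System.Reflection.Assembly]::LoadFrom($adapterDll)
if ($null -eq $asm.GetType($adapterType)) {
    throw "Type $adapterType was not found in assembly '$($asm.FullName)'."
}

# 3. Install the adapter into the GAC; AD FS loads external providers from there.
Add-Type -AssemblyName System.EnterpriseServices
$publish = New-Object System.EnterpriseServices.Internal.Publish
$publish.GacInstall($adapterDll)

# 4. Build the assembly-qualified type name from the REAL identity of the
#    adapter assembly (this is where the first post's $fn went wrong).
$fn       = $asm.FullName
$typeName = "$adapterType, $fn"
Write-Host "Registering $typeName"
Register-AdfsAuthenticationProvider -TypeName $typeName -Name 'YubiKey MFA Adapter' -ConfigurationFilePath $configFile

# 5. Verify the registration and restart the service so the provider is loaded.
Get-AdfsAuthenticationProvider -Name 'YubiKey MFA Adapter' | Select-Object Name, AdminName
Restart-Service adfssrv
```

The provider registration lives in the AD FS configuration database and is done once on the primary node, but the GAC install (steps 1 to 3) has to be repeated on every node of the farm, since each server loads the DLL locally. Registering the provider does not yet enable it; it still has to be added to an authentication policy before users see it.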

deknevel commented 4 years ago

Hi, I got it. I could register the adapter successfully on our ADFS server. Thanks for the explanation! But I got a few errors during the login process....

```
Encountered error during federation passive request.
Additional Data
Protocol Name: Saml
Relying Party: https://aaa.bbb/saml/sp/metadata/LAB_SSO
Exception details:
System.Security.SecurityException: The source was not found, but some or all event logs could not be searched. To create the source, you need permission to read all event logs to make sure that the new source name is unique. Inaccessible logs: Security, State.
   at System.Diagnostics.EventLog.FindSourceRegistration(String source, String machineName, Boolean readOnly, Boolean wantToCreate)
   at System.Diagnostics.EventLog.SourceExists(String source, String machineName, Boolean wantToCreate)
   at System.Diagnostics.EventLogInternal.VerifyAndCreateSource(String sourceName, String currentMachineName)
   at System.Diagnostics.EventLogInternal.WriteEntry(String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
   at System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID, Int16 category, Byte[] rawData)
   at System.Diagnostics.EventLog.WriteEntry(String source, String message, EventLogEntryType type, Int32 eventID)
   at ADFSMFAAdapters.YubiKeyMFAAdapter.ValidateProofData(IProofData proofData, IAuthenticationContext authContext)
   at ADFSMFAAdapters.YubiKeyMFAAdapter.TryEndAuthentication(IAuthenticationContext context, IProofData proofData, HttpListenerRequest request, Claim[]& claims)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandlerBase.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& adapterClaims)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
The Zone of the assembly that failed was:
MyComputer
```

And sometimes I get this warning message, too.

```
An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.
Additional Data
Caller:
OnBehalfOf user:
ActAs user:
Target Relying Party: http://adfs.xxx.yyy/adfs/services/trust
Device identity:
User action:
Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.
```

Have you seen this error before? We are also successfully using the Azure MFA Adapter on the ADFS for MFA.
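The stack trace in the comment above fails inside `EventLog.WriteEntry` at `VerifyAndCreateSource`: the adapter writes to an event source that does not exist yet, and creating a source requires reading every event log (the message names Security and State as inaccessible), which the AD FS service account is not allowed to do. The usual practitioner fix is to create the source once, from an elevated shell, so the service never reaches that code path at login time. The script below is an added example and not part of the repository; the event source name is a placeholder, because the name the adapter actually writes to is not shown on this page and must be taken from the adapter's source code or the failing call.

```powershell
# Added example, not part of the ADFSMFAAdapters repository.
# Run once from an elevated PowerShell on EVERY AD FS node (event sources are per machine).

$source  = 'YubiKeyMFAAdapter'   # ASSUMED placeholder: use the source name the adapter passes to EventLog.WriteEntry
$logName = 'Application'          # ASSUMED: the log the adapter expects to write to

# A source belongs to exactly one log. If it already exists but in a different
# log than the adapter expects, WriteEntry fails again with a different error,
# so report where it is registered instead of silently continuing.
if ([System.Diagnostics.EventLog]::SourceExists($source)) {
    $owner = [System.Diagnostics.EventLog]::LogNameFromSourceName($source, '.')
    if ($owner -ne $logName) {
        throw "Source '$source' is already registered in the '$owner' log, not '$logName'. Remove it with Remove-EventLog -Source '$source' and re-run."
    }
    Write-Host "Source '$source' already registered in the '$logName' log."
} else {
    # Writes the registration under HKLM\SYSTEM\CurrentControlSet\Services\EventLog,
    # which is why this needs local administrator rights rather than the service account.
    New-EventLog -LogName $logName -Source $source
    Write-Host "Created source '$source' in the '$logName' log."
}

# Prove the source works: a write now succeeds without any attempt to create it,
# which is the path the service account will take at login time.
Write-EventLog -LogName $logName -Source $source -EventId 1000 -EntryType Information -Message 'Event source check for the YubiKey MFA adapter'
Get-EventLog -LogName $logName -Source $source -Newest 1 | Format-List TimeGenerated, Source, EventID, Message
```

Registering the source ahead of time is the least-privilege option: the alternative of granting the AD FS service account read access to the Security log just to let `SourceExists` succeed hands a high-value account far more than it needs.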

rpruden commented 1 year ago

Would you be able to share a compiled version of the DLL?

ahelland commented 1 year ago

@rpruden Well, kinda figured people would be more comfortable compiling it themselves rather than download it from a random GitHub repo :) But I added the dll in the /Releases folder for those who are interested.