Closed skofild007 closed 3 years ago
Hi @skofild007
Yes, PowerShell Cmdlets and MMC are verifying that the current user has the Administration Rights assigned. Nothing notable has changed since several releases for the MMC (January).
Please check the Installation part and, if your previous version is old, Upgrade from previous versions.
If all is OK, you can restart the MFA service: Restart-Service mfanotifhub
regards
Thanks
I have this same issue after upgrading my version. @skofild007 what did you do to resolve your issue?
Hi, @crpeters2000
You can try the same as what was recommended to @skofild007.
Check the rights given to your administrators (see 01 Installation).
Then delete the System.db files (in programFiles \ MFA \ Config) or restart the mfanotifhub service.
The System.db file contains the ACLs for the rights. It will be recreated if necessary, and if everything is correct it will contain the correct ACLs.
regards
Hi, I am also having the same issue. The account is enterprise and domain admin. I have deleted the config and restarted the service but the issue still appears.
Cheers
Hi, @mpn-peter-smith
Just being a Domain Administrator is not enough. Your users should either be in the local Administrators group or in the AD FS Administrators group you created.
regards
Hi @redhook62
I have added my account to the local administrators group but I don't understand what you mean by ADFS Administrators group.
Thanks
Hi @mpn-peter-smith
With ADFS 2016 or 2019, you can define an administration group "ADFS" aka "Delegated Administration Group".
This is done in the ADFS administration console, in the ADFS Properties. You can indicate any Domain Group. Please re-read the installation part.
regards
Hi @redhook62
It's working now! Thanks, I didn't realise in the newer ADFS versions that you could specify a Delegated Admin Group.
Cheers
Good, very good
However, if you change the properties of ADFS regarding rights (such as a new group value for Delegated Admin Group), you need to delete the system.db file. Be aware that this is done each time the MFA service (mfanotifhub) is restarted.
regards
I have this same issue after upgrading my version. @skofild007 what did you do to resolve your issue?
Hi, I just ran the installer as a local admin of the host and it worked well for me. When I ran the installation as a domain administrator, it didn't work.
Hi, @skofild007
Just being a Domain Administrator is not enough. Your users should either be in the local Administrators group or in the AD FS Delegated Admin Group you created.
regards
I was a member of the local admins group on the host (via domain user) + ADFS admin but that didn't work for me. When I started from the account of the native local administrator on the host - everything worked for me :)
Hi, @skofild007
Yes, your users or your selected Domain Group must be explicitly members of the Local Administrators group (Installation and Configuration Options) or be members of the Delegated Administration Group (Configuration Options / Some Cmdlets or operations in MMC are not allowed). See: PowerShell Commands
regards
Don't forget that if you are modifying the rights (e.g. adding a user to a group) you must close and reopen the user session.
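The two membership conditions named in this thread (local Administrators or the ADFS Delegated Administration Group) can be checked against the current logon token, which is also what changes only after closing and reopening the session. This is an added example, not code from the MFA project; the function name `Test-MfaAdminToken`, its parameters and the sample group name are assumptions, and how the MFA tools themselves evaluate rights is not shown on this page.

```powershell
# Added diagnostic sketch, not part of the MFA project.
# -DelegatedGroup: the domain group you set as Delegated Administration Group (assumption).
# -ConfigDir: the MFA Config folder on your server (optional, you supply the path).
function Test-MfaAdminToken {
    param(
        [Parameter(Mandatory)] [string] $DelegatedGroup,
        [string] $ConfigDir
    )

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # True only when BUILTIN\Administrators is enabled in this process token.
    # A non-elevated (UAC-filtered) session of a local admin returns False.
    $localAdmin = $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)

    # Resolve the group name to a SID and test it against the same token.
    # A membership added after logon is not in the token until the next logon.
    $inGroup = $false
    try {
        $account = New-Object System.Security.Principal.NTAccount($DelegatedGroup)
        $sid = [System.Security.Principal.SecurityIdentifier]$account.Translate(
            [System.Security.Principal.SecurityIdentifier])
        $inGroup = $principal.IsInRole($sid)
    } catch {
        Write-Warning "Could not resolve group '$DelegatedGroup': $($_.Exception.Message)"
    }

    # Optional: report whether System.db currently exists in the given folder.
    $dbPresent = $null
    if ($ConfigDir) {
        $dbPresent = Test-Path -LiteralPath (Join-Path $ConfigDir 'System.db')
    }

    [pscustomobject]@{
        User                  = $identity.Name
        LocalAdminInToken     = $localAdmin
        DelegatedGroupInToken = $inGroup
        SystemDbPresent       = $dbPresent
    }
}

# Constructed sample call; replace the group name with your own:
# Test-MfaAdminToken -DelegatedGroup 'CONTOSO\ADFS-Admins'
```

If both token columns are False for an account that was just added to a group, sign out and back in (and use an elevated prompt) before re-running it.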
I have the problem that there is no system.db file. I always get the same message as above. The user is the Domain Admin who is a member of the local Admin group. The server is a Win 2019 Server. I also put the Domain Admin in the ADFS delegate group, but no success.
I am upgrading from 3.0.0.2. I uninstalled the MSI and installed the new one. Is this wrong? I am not sure if the steps for upgrading from 2.x are also needed from 3.0.0.2?
@jojobgl
It is clear that your version is very old. First of all, have you looked at the Wiki in detail?
Then, if you want help, please send your configuration details.
Number of servers (Proxies included), your Operating System, configuration of ADFS and MFA services (accounts used), etc...
In addition, check by restarting the MFA service that this system.db file appears (this file is re-created each time the service is started), if not, check the ACLs of the directory.
The cache is primarily useful for performance issues, but also in the context of ADFS/WID configuration for "secondary" servers.
Regardless, always check the eventlog to provide as much information about the problem as possible.
In detail, the 3.0.0.2 configuration file is automatically migrated to the latest version, once you make a backup (MMC or PS)
let us know !
regards
@redhook62 There are 2 Proxy Servers and two ADFS Servers. I updated the primary server and shut down the second one. So that the Loadbalancer only routes to the primary server.
It is Server 2019 and the ADFS service is running with a service account.
In Eventlog I got Event Id 900:
Fehler beim Laden der Konfigurationsdatei: System.InvalidOperationException: Fehler im XML-Dokument (27,145). ---> System.InvalidOperationException: Instanzvalidierungsfehler: 'NoMicrosoftAuthenticator' ist kein gültiger Wert für global::Neos.IdentityServer.MultiFactor.OTPWizardOptions.
   bei System.Xml.Serialization.XmlCustomFormatter.ToEnum(String val, Hashtable vals, String typeName, Boolean validate)
   bei Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderMFAConfig.Read24_OTPWizardOptions(String s)
   bei Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderMFAConfig.Read25_OTPProvider(Boolean isNullable, Boolean checkType)
   bei Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderMFAConfig.Read34_MFAConfig(Boolean isNullable, Boolean checkType)
   bei Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderMFAConfig.Read35_MFAConfig()
   --- Ende der internen Ausnahmestapelüberwachung ---
   bei System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
   bei System.Xml.Serialization.XmlSerializer.Deserialize(Stream stream)
   bei Neos.IdentityServer.MultiFactor.AuthenticationProvider.OnAuthenticationPipelineLoad(IAuthenticationMethodConfigData configData)
And also things like: Xml Serialization error : Unknow Node : UseActiveDirectory Position (2, 311)
Everything is like in the update guide; Local System is granted to administer the ADFS.
I don't know what's wrong.
Hi @jojobgl
OK, loading the configuration "crashes", there is an enumeration cast which is causing the problem. However this has nothing to do with the fact that the system.db (ACL management/Accounts SIDS) is not created.
So, we will move forward step by step.
You will send me your configuration by email (address indicated in the source codes). To do this, you need to go to your main ADFS server and open a PowerShell command prompt in administrator mode.
Export-AdfsAuthenticationProviderConfigurationData -Name "MultifactorAuthenticationProvider" -FilePath "C:\temp\config.xml"
If you have plaintext passwords inside the generated file, replace the value with a placeholder.
Zip this xml file and send it to me by email, or in issue 167 as an attachment (it will be deleted quickly)
regards
Hello Redhook,
I sent you an email. I hope you received it?
Hello, I have a problem with the newest version: after installing and running it, I get a window with the error: Must be executed with ADFS Administration rights granted for the current user! What am I doing wrong? P.S. I have administrative rights on this host and run MFA as administrator :)