neos-sdi / adfsmfa

MFA for ADFS 2022/2019/2016/2012r2
MIT License

MFA Error - Must be executed with ADFS Administration rights granted part 2 #217

Closed Maurice-AxiansNL closed 2 years ago

Maurice-AxiansNL commented 2 years ago

Hi guys, I tried all suggestions about this issue but can't solve it.

I followed these steps:

All steps are on a fresh ADFS 2019 server:

  1. Before the setup I added an Active Directory security group (ADFS Delegation) to the local administrator group on the ADFS server and added the group in the "ADFS Federation Service properties" in the "Enable delegation for service for administration" part

image

  2. After adding the groups I rebooted the server
  3. After the reboot I started adfsmfa.3.1.2202.1 and followed the steps
  4. After the installation I checked if the system.db already exists (not true)
  5. Open PowerShell as administrator -> Register-MFASystem

After registering I've got a strange warning / error:

image

  1. Check if the system.db exists -> True
  2. Tried some other PowerShell cmdlets but all return with the same strange Unhandled exception warning / error.
  3. Reboot server
  4. Start MFA MMC -> Returns with error "Must be executed with ADFS administration rights granted"

I'm lost, can someone point me in the right direction? As you can see I followed the instructions from the installation part and the suggestions from another thread but still no solution.

redhook62 commented 2 years ago

Hi

The points indicated from 1 to 5 are correct, but why reboot the server? You have a big problem when trust relationships are requested "AccessViolationException - Memory may be corrupted!"

At any rate, you can delete the System.db, config.db, and blob.db files on each server. Then run restart-service mfanotifhub. You should see these files on all the servers, if all the prerequisites are respected (such as the opening of the firewall rules):

  - Config.db - MFA configuration cache
  - System.db - ACL cache for service access (MMC, PS)
  - Blob.db - MDS file from FIDO Alliance (downloaded)

The account used must have the privileges to browse the different ADDS trust relationships. You can specify this account in the Security tab.

Your users using MMC or PowerShell must be local/domain administrators to manage all features.

See

https://github.com/neos-sdi/adfsmfa/wiki/01-Installation#prerequisites
https://github.com/neos-sdi/adfsmfa/wiki/01-Installation#configure-windows-firewall-rules

regards
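The cache reset described in the reply above, as an added PowerShell example that is not part of the adfsmfa project or of either comment. The three file names and the service name come from the reply; the cache directory path is a placeholder you must replace, and the elevation check reflects the reply's requirement that the tools be run as a local administrator.

```powershell
# Added example, not adfsmfa project code. $CacheDir is a PLACEHOLDER: set it to the
# directory where your ADFS MFA installation keeps the three cache files below.
$CacheDir    = 'C:\PLACEHOLDER\adfsmfa-cache'
$CacheFiles  = 'System.db', 'Config.db', 'Blob.db'   # names from the reply above
$ServiceName = 'mfanotifhub'                         # service named in the reply
$TimeoutSec  = 120                                   # how long to wait for regeneration

# MMC / PowerShell management requires a local administrator, so fail early if not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session (local administrator).'
}

# Record the files present before the reset so the result can be compared afterwards.
$before = $CacheFiles | Where-Object { Test-Path (Join-Path $CacheDir $_) }
Write-Host "Cache files present before reset: $($before -join ', ')"

# Step 1 from the reply: delete the cache files on this server.
foreach ($name in $CacheFiles) {
    $path = Join-Path $CacheDir $name
    if (Test-Path $path) {
        Remove-Item -Path $path -Force -ErrorAction Stop
        Write-Host "Removed $path"
    }
}

# Step 2 from the reply: restart the hub service so it rebuilds the caches.
Restart-Service -Name $ServiceName -ErrorAction Stop

# Poll until all three files reappear or the timeout expires.
$deadline = (Get-Date).AddSeconds($TimeoutSec)
do {
    Start-Sleep -Seconds 5
    $missing = $CacheFiles | Where-Object { -not (Test-Path (Join-Path $CacheDir $_)) }
} while ($missing -and (Get-Date) -lt $deadline)

if ($missing) {
    # Per the reply, the usual cause is a prerequisite such as the firewall rules between servers.
    Write-Warning ("Not regenerated after {0}s: {1}. Check the firewall rules and the service state on every ADFS server." -f $TimeoutSec, ($missing -join ', '))
} else {
    Write-Host 'All cache files regenerated; repeat on each server in the farm.'
}
```

Run it on every ADFS server in the farm, as the reply says the files must appear on all of them.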