neos-sdi / adfsmfa

MFA for ADFS 2022/2019/2016/2012r2
MIT License

Validation error for global::Neos.IdentityServer.MultiFactor.OTPWizardOptions #242

Closed patschi closed 2 years ago

patschi commented 2 years ago

Issue

Today I've been updating from adfsmfa.3.1.2111.0 to adfsmfa.3.1.2207.0 and it broke my MFA completely. During the start of the service MFA Notification Hub, I could see the following error in Event Viewer:

Error loading Configuration File : 
System.InvalidOperationException: There is an error in XML document (29, 180). ---> System.InvalidOperationException: Instance validation error: 'NoAuthyAuthenticator' is not a valid value for global::Neos.IdentityServer.MultiFactor.OTPWizardOptions.
   at System.Xml.Serialization.XmlCustomFormatter.ToEnum(String val, Hashtable vals, String typeName, Boolean validate)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderMFAConfig.Read24_OTPWizardOptions(String s)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderMFAConfig.Read25_OTPProvider(Boolean isNullable, Boolean checkType)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderMFAConfig.Read34_MFAConfig(Boolean isNullable, Boolean checkType)
   at Microsoft.Xml.Serialization.GeneratedAssembly.XmlSerializationReaderMFAConfig.Read35_MFAConfig()
   --- End of inner exception stack trace ---
   at System.Xml.Serialization.XmlSerializer.Deserialize(XmlReader xmlReader, String encodingStyle, XmlDeserializationEvents events)
   at System.Xml.Serialization.XmlSerializer.Deserialize(Stream stream)
   at Neos.IdentityServer.MultiFactor.AuthenticationProvider.OnAuthenticationPipelineLoad(IAuthenticationMethodConfigData configData)

Workaround

After trying to find the referenced XML document (which, it turns out, is saved somewhere in ADFS) and quite some research, I found a workaround:

  1. Export current MFA configuration

    Export-AdfsAuthenticationProviderConfigurationData -Name "MultifactorAuthenticationProvider" -FilePath c:\temp\3.1.xml
  2. Change the WizardOptions setting in c:\temp\3.1.xml, in:

    <OTPProvider Enabled="true" PinRequired="false" IsRequired="true" EnrollWizard="true" ForceWizard="Disabled" TOTPShadows="2" Algorithm="SHA256" TOTPDigits="6" TOTPDuration="30" WizardOptions="NoAuthyAuthenticator NoGooglSearch" FullQualifiedImplementation="">

    From:

    WizardOptions="NoAuthyAuthenticator NoGooglSearch"

    to:

    WizardOptions=""

    (BOTH need to be removed; otherwise the same error repeats for NoGooglSearch)

  3. Import the changed configuration

    Import-AdfsAuthenticationProviderConfigurationData -Name "MultifactorAuthenticationProvider" -FilePath c:\temp\3.1.xml
  4. After the change and a restart of the NotificationHub, MFA was working again.

Note: Other PowerShell cmdlets were not working, as permissions could not be validated properly due to issues with the service itself.

Notes

Most likely related to: (attached image)

My assumption is that the flag NoAuthyAuthenticator was changed to AuthyAuthenticator:

Env: Using ADFS 2019 and adfsmfa 3.1.2207.0.
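As an added example (not code from the adfsmfa project or from the issue author), the export, edit and import steps above as one PowerShell script. It assumes the cmdlet names, file path and the two rejected flag values shown in the post; the service display name used for the restart and the backup path are assumptions.

```powershell
# Added example: strip the WizardOptions values that adfsmfa 3.1.2207.0 no
# longer accepts from the exported ADFS provider configuration, then re-import.
# Assumptions: cmdlets and path as in the issue; the obsolete tokens are the
# two named in the error messages; the hub's display name is 'MFA Notification Hub'.
param(
    [string]$ProviderName = 'MultifactorAuthenticationProvider',
    [string]$Path = 'c:\temp\3.1.xml',
    [string[]]$ObsoleteTokens = @('NoAuthyAuthenticator', 'NoGooglSearch')
)

# 1. Export the live configuration and keep an untouched copy for rollback.
Export-AdfsAuthenticationProviderConfigurationData -Name $ProviderName -FilePath $Path
Copy-Item -Path $Path -Destination "$Path.bak" -Force

# 2. Edit as XML (not with a regex) so everything else in the file is preserved.
[xml]$config = Get-Content -Path $Path -Raw
$otp = $config.SelectSingleNode('//OTPProvider')
if ($null -eq $otp) { throw "No <OTPProvider> element found in $Path" }

$current = $otp.GetAttribute('WizardOptions')
# WizardOptions is a space-separated flags enum; drop only the obsolete members
# and keep any other flags the administrator had set.
$kept = @($current -split '\s+' | Where-Object { $_ -and ($ObsoleteTokens -notcontains $_) })
$otp.SetAttribute('WizardOptions', ($kept -join ' '))
Write-Host "WizardOptions: '$current' -> '$($kept -join ' ')'"

$config.Save($Path)

# 3. Import the cleaned configuration and restart the hub so it reloads it.
Import-AdfsAuthenticationProviderConfigurationData -Name $ProviderName -FilePath $Path
Restart-Service -DisplayName 'MFA Notification Hub'
```

Run it in an elevated PowerShell session on the ADFS server; if the import fails, the untouched export in the .bak file can be imported back with the same cmdlet.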

redhook62 commented 2 years ago

Hi,

Yes, of course, it was an evolution, so we changed this to support the Custom Authenticator.

regards

patschi commented 2 years ago

I just wanted to point out that an update according to the docs renders adfsmfa unusable. Not sure why it was instantly closed, but I think either some fallback or a note in the update instructions would be worthwhile to prevent some frustration.