The purpose of this integration document is to provide guidelines on how to integrate Mideye two-factor authentication with Microsoft Active Directory Federation Service.
- Added a button to the RADIUS configuration editor that can be used to automatically set the correct permission for the ADFS-module.
- Updated “Test Connection” tab GUI in ADFS Configuration Tool.
- Updated language files.
- Updated design of the login page.
- Fixed a bug in ADFS Configuration Tool where changing language removed translations.
- Added functionality to show/hide OTP on login page.
- Fixed a bug with supported OTP length.
- Added support for Yubikey.
- Added functionality in ADFS Configuration Tool for verifying Radius server connectivity.
- Extended logging capabilities with ‘Off’ and ‘Warnings and Errors’ modes.
- Fixed a bug with users using the Android app.
- Added functionality to set necessary registry and event viewer permissions when starting ADFS Configuration Tool.
- Extended logging capabilities with ‘Info’ and ‘Debug’ modes.
- Fixed a bug with user permissions.
- Implemented a new .NET Radius Client.
- Fixed a bug where registry values were incorrect.
Prerequisites & general issues
A Mideye Server (any release). If there is a firewall between the ADFS-server and the Mideye Server, it must be open for two-way RADIUS traffic (UDP, standard port 1812). ADFS acts as a RADIUS client towards the Mideye Server. Hence, the ADFS-server must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Configuration guide for information on how to define a new RADIUS client.
Supported ADFS-versions are Windows Server 2012R2, 2016 and 2019.
This guide does not explain how to set up ADFS. Refer to the Microsoft documentation on how to configure ADFS before proceeding with this integration document.
Remove any existing versions of Mideye ADFS module
Before installing a new version of the module, any existing module must be uninstalled. Complete the following steps to remove older versions of the ADFS-module.
Installing the ADFS module
Run the ADFS-package as an administrator.
Enable the module
Open the ADFS management console and navigate to Authentication Method and click edit next to multi factor authentication methods. Enable the MFA-method and click OK.
Navigate to Access control policies and move any relying party to a policy that requires MFA.
Mideye Server 4
On the created RADIUS-client, navigate to Client configuration and disable “Check static password”. This check is not necessary, since ADFS performs the username and password check before the Mideye authentication is requested.
Mideye Server 5
Open Mideye Web-GUI and navigate to “Configuration” followed by RADIUS-clients. Select Edit on the new RADIUS client and click the “Client Configuration” tab. Check the checkbox for “Ignore password”.
Customise error messages, language and server list
To change language and customise informational / error messages, open Mideye ADFS configuration editor. To customise any field, check the Custom edit button and make any changes followed by Save.
To add/remove/edit the RADIUS-server list open the tab Client settings and check the Custom edit button. Make any changes followed by Save.
If Event viewer shows log entries with error codes and the text System.AggregateException: One or more errors occurred. —> System.Exception: Could not connect to regedit, the permissions for the service account used by ADFS were not set correctly during installation. To resolve this, navigate to Program files \ Mideye and run the editor as an administrator. Click the Permission tab followed by “Add Permissions”. This must be done on every ADFS-server in the farm.
When more than one Mideye Server is specified in the RADIUS-server list, the module always tries the one at the top of the list first. If the first Mideye Server does not respond, the next server in the list is automatically moved to the top and the failed Mideye Server is placed at the bottom.
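The failover order described above, written out as an added illustration (not code from the Mideye module): the client always sends to the top of the list, and only a server that gives no reply at all is rotated to the bottom. An Access-Reject is a reply and does not change the order. The transport is a constructed stand-in for the real UDP/1812 exchange, and the host names are made-up placeholders.

```python
from collections import deque
from typing import Callable, Deque, List, Optional, Set

# send(host) -> True for Access-Accept, False for Access-Reject,
# None when the server does not respond (timeout).
Transport = Callable[[str], Optional[bool]]


class RadiusFailover:
    """Server list with the module's rotate-on-timeout behaviour.

    The order is kept between requests, so a server that timed out stays
    at the bottom until another timeout rotates the list again.
    """

    def __init__(self, servers: List[str]) -> None:
        if not servers:
            raise ValueError("RADIUS server list must not be empty")
        self._servers: Deque[str] = deque(servers)

    @property
    def order(self) -> List[str]:
        return list(self._servers)

    def authenticate(self, send: Transport) -> Optional[bool]:
        """Try servers from the top; give each one a chance per request."""
        for _ in range(len(self._servers)):
            host = self._servers[0]
            result = send(host)
            if result is not None:
                return result  # accept or reject: the server answered
            # No reply: move the failed server to the bottom, which brings
            # the next server to the top for this and later requests.
            self._servers.rotate(-1)
        return None  # every server in the list timed out


def make_transport(down: Set[str]) -> Transport:
    """Constructed transport: hosts in `down` never answer, others accept."""
    def send(host: str) -> Optional[bool]:
        return None if host in down else True
    return send


def demo() -> List[str]:
    """First server is unreachable; returns the list order after one request."""
    fo = RadiusFailover(["mideye1.example.internal",
                         "mideye2.example.internal",
                         "mideye3.example.internal"])
    fo.authenticate(make_transport({"mideye1.example.internal"}))
    return fo.order  # ['mideye2...', 'mideye3...', 'mideye1...']
```

Because the order persists, a server that was down once keeps the bottom slot even after it recovers, which is worth remembering when reading which Mideye Server's RADIUS log you expect an authentication to appear in.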
Check if anything is written to the Mideye RADIUS logs
If nothing is logged, verify that udp/1812 is allowed between your ADFS server and Mideye Server. Also, check Event viewer for logs on the ADFS-server.
Contact Mideye support
For further support please contact Mideye support, firstname.lastname@example.org, +46854514750.