Microsoft ADFS

Introduction

The purpose of this integration document is to provide guidelines on how to integrate Mideye two-factor authentication with Microsoft Active Directory Federation Services (ADFS).

Release notes

v2.3.4

  •    Added a button to the RADIUS configuration editor that can be used to automatically set the correct permissions for the ADFS-module.

v2.3.3

  •    Updated “Test Connection” tab GUI in ADFS Configuration Tool.
  •    Updated language files.
  •    Updated design of the login page.
  •    Fixed a bug in ADFS Configuration Tool where changing language removed translations.

v2.3.2

  •    Added functionality to show/hide OTP on login page.
  •    Fixed a bug with supported OTP length.

v2.3.1

  •    Added support for Yubikey.

v2.3.0

  •    Added functionality in ADFS Configuration Tool for verifying RADIUS server connectivity.
  •    Extended logging capabilities with ‘Off’ and ‘Warnings and Errors’ modes.

v2.2.1

  •    Fixed a bug with users using the Android app.

v2.2.0

  •    Added functionality to set necessary registry and event viewer permissions when starting ADFS Configuration Tool.

v2.1.0

  •    Extended logging capabilities with ‘Info’ and ‘Debug’ modes.
  •    Fixed a bug with user permissions.

v2.0.0

  •    Implemented a new .NET RADIUS client.
  •    Fixed a bug where registry values were incorrect.

Prerequisites & general issues

Requirements

A Mideye Server (any release). If there is a firewall between the ADFS-server and the Mideye Server, it must be open for two-way RADIUS traffic (UDP, standard port 1812). ADFS acts as a RADIUS client towards the Mideye Server. Hence, the ADFS-server must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Configuration guide for information on how to define a new RADIUS client.

Supported ADFS-versions are Windows Server 2012R2, 2016 and 2019.

Prerequisites

This guide does not explain how to set up ADFS. Refer to Microsoft's documentation on how to configure ADFS before proceeding with this integration document.

Remove any existing versions of Mideye ADFS module

Before installing a new version of the module, any existing module must be uninstalled. Complete the following steps to remove older versions of the ADFS-module.

Open the ADFS management console and navigate to Access Control Policies. Remove all relying parties from any MFA policies.

Navigate to Authentication Methods and click Edit next to Multi-factor authentication methods.

Uncheck the Mideye ADFS-module and click OK.

Open Control Panel and navigate to Add/Remove Programs. Uninstall the Mideye ADFS module.

To make sure that all registry keys from older versions are removed, open PowerShell as an administrator and run Unregister-AdfsAuthenticationProvider -Name Mideye.ADFS -Confirm:$false

Installing the ADFS module

Run the ADFS-package as an administrator.

Enter the IP-address(es) of the Mideye Server and specify the UDP port (default udp/1812). Type the shared secret that should be used between the RADIUS client (ADFS) and the Mideye Server. Allow a timeout of at least 35 seconds so that any fallback method has enough time to complete before the request times out. Multiple RADIUS servers can be configured.

Choose the language for informational / error messages and finish the installation.

Enable the module

Open the ADFS management console, navigate to Authentication Methods and click Edit next to Multi-factor authentication methods. Enable the Mideye MFA method and click OK.

Navigate to Access Control Policies and move any relying parties that should use MFA to an MFA policy.

Create RADIUS-client

Refer to the Configuration Guide (Mideye Server 4) or the Reference Guide (Mideye Server 5) for how to create a new RADIUS client on the Mideye Server.

Mideye Server 4

On the created RADIUS client, navigate to Client configuration and uncheck “Check static password”. This check is not necessary since ADFS performs the username and password check before the Mideye authentication is invoked.

Remove check static password

Mideye Server 5

Open the Mideye Web GUI and navigate to “Configuration” followed by RADIUS clients. Select Edit on the new RADIUS client and click the “Client Configuration” tab. Check the “Ignore password” checkbox.

Make sure that “Ignore Password” is selected

Customise error messages, language and server list

To change the language or customise informational / error messages, open the Mideye ADFS configuration editor. To customise a field, check the Custom edit button, make the changes and click Save.

To add, remove or edit entries in the RADIUS server list, open the Client settings tab, check the Custom edit button, make the changes and click Save.

Troubleshooting

Permissions

If Event Viewer shows errors with the text System.AggregateException: One or more errors occurred. ---> System.Exception: Could not connect to regedit., the permissions for the service account used by ADFS were not set correctly during installation.

To resolve this, navigate to Program Files \ Mideye and run the editor as an administrator. Click the Permission tab followed by “Add Permissions”. This must be done on every ADFS server in the farm.

Failover

When more than one Mideye Server is specified in the RADIUS server list, the module always tries the one at the top of the list first. If the first Mideye Server does not respond, the next server in the list is automatically moved to the top, and the failed Mideye Server is placed at the bottom.

Check RADIUS-logs

Check whether anything is written to the Mideye RADIUS log:

Mideye Server\log\radius-messages.log

If nothing is logged, verify that udp/1812 is allowed between the ADFS server and the Mideye Server. Also check Event Viewer on the ADFS server for errors from the module.
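The port check above can be made more precise from the ADFS server itself. The following PowerShell script is added here as an example; it is not part of the Mideye module or its documentation. It sends a single RADIUS Access-Request to the Mideye Server and validates the Response Authenticator of the reply (RFC 2865), which proves both that udp/1812 is open and that the shared secret matches on both sides. The server address, shared secret and account name are placeholders, and the ADFS server is assumed to be already defined as a RADIUS client on the Mideye Server.

```powershell
# Added example, not from the Mideye documentation: one RADIUS Access-Request
# (RFC 2865) to the Mideye Server, checking that a reply arrives on udp/1812
# and that its Response Authenticator validates against the shared secret.
param(
    [string]$Server    = '192.0.2.10',                 # placeholder Mideye Server address
    [int]   $Port      = 1812,
    [string]$Secret    = 'replace-with-shared-secret',  # placeholder
    [string]$UserName  = 'adfs-probe',                  # placeholder account name
    [int]   $TimeoutMs = 35000                          # timeout the guide recommends
)
$md5 = [System.Security.Cryptography.MD5]::Create()
$enc = [System.Text.Encoding]::ASCII
$id  = 7                                                # arbitrary request identifier
# Request Authenticator: 16 random bytes, also used to mask the password
$reqAuth = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($reqAuth)
# User-Password attribute: password padded to 16 bytes, XOR MD5(secret + authenticator)
$pwd = $enc.GetBytes('probe'); $padded = New-Object byte[] 16
[Array]::Copy($pwd, $padded, $pwd.Length)
$mask   = $md5.ComputeHash([byte[]]($enc.GetBytes($Secret) + $reqAuth))
$encPwd = New-Object byte[] 16
for ($i = 0; $i -lt 16; $i++) { $encPwd[$i] = $padded[$i] -bxor $mask[$i] }
# Attributes: User-Name (type 1) and User-Password (type 2) after the 20-byte header
$user   = $enc.GetBytes($UserName)
$attrs  = [byte[]]([byte[]](1, ($user.Length + 2)) + $user + [byte[]](2, 18) + $encPwd)
$length = 20 + $attrs.Length
$packet = [byte[]]([byte[]](1, $id, ($length -shr 8), ($length -band 0xFF)) + $reqAuth + $attrs)

$udp = New-Object System.Net.Sockets.UdpClient
$udp.Client.ReceiveTimeout = $TimeoutMs
$udp.Connect($Server, $Port)
[void]$udp.Send($packet, $packet.Length)
try {
    $from  = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
    $reply = $udp.Receive([ref]$from)
} catch [System.Net.Sockets.SocketException] {
    Write-Warning "No reply within $TimeoutMs ms: udp/$Port to $Server is blocked, or this host is not a defined RADIUS client"
    return
} finally { $udp.Close() }

# Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
$tail     = if ($reply.Length -gt 20) { $reply[20..($reply.Length - 1)] } else { @() }
$expected = $md5.ComputeHash([byte[]]($reply[0..3] + $reqAuth + $tail + $enc.GetBytes($Secret)))
$valid    = ($reply[1] -eq $id) -and ([BitConverter]::ToString($expected) -eq [BitConverter]::ToString([byte[]]($reply[4..19])))
$codes    = @{ 2 = 'Access-Accept'; 3 = 'Access-Reject'; 11 = 'Access-Challenge' }
$codeName = $codes[[int]$reply[0]]; if (-not $codeName) { $codeName = "code $($reply[0])" }
"Reply: $codeName ($($reply.Length) bytes); shared secret $(if ($valid) { 'OK' } else { 'MISMATCH' })"
```

Use an account name that does not exist on the Mideye Server so the probe does not start a real second-factor login; an Access-Reject whose authenticator validates is a successful result, while MISMATCH points at a shared secret that differs between the ADFS module and the RADIUS client definition on the Mideye Server.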

Contact Mideye support

For further support please contact Mideye support, support@mideye.com, +46854514750.