MFA fails to retrieve security descriptors - causes error "must be executed with ADFS administration rights granted"

[mastertIT]

• Version: adfsmfa.3.1.2302.0
• Windows Server 2022

Anytime the MFA Plugin is opened or a registermfa is attempted this error shows up in the event viewer and this error shows in the plugin:

> Log Name:      Application
> Source:        ADFS MFA Service
> Date:          2023-03-27 4:24:56 PM
> Event ID:      2012
> Task Category: None
> Level:         Error
> Keywords:      Classic
> User:          N/A
> Computer:      ADFS01.xxx.xx
> Description:
> Error retreiving security descriptors : Object reference not set to an instance of an object. 
> Event Xml:
> <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
>   <System>
>     <Provider Name="ADFS MFA Service" />
>     <EventID Qualifiers="0">2012</EventID>
>     <Version>0</Version>
>     <Level>2</Level>
>     <Task>0</Task>
>     <Opcode>0</Opcode>
>     <Keywords>0x80000000000000</Keywords>
>     <TimeCreated SystemTime="2023-03-27T20:24:56.7353035Z" />
>     <EventRecordID>12774</EventRecordID>
>     <Correlation />
>     <Execution ProcessID="0" ThreadID="0" />
>     <Channel>Application</Channel>
>     <Computer>ADFS01.xxx.xx</Computer>
>     <Security />
>   </System>
>   <EventData>
>     <Data>Error retreiving security descriptors : Object reference not set to an instance of an object. </Data>
>   </EventData>
> </Event>

the settings in adfs are as shown:

ADFS uses a managed service account, and the logged in user is part of the adfs admin group and is also a local administrator.
the server is a freshly installed server 2022 with ADFS installed.

[redhook62]

Hi @mastertIT

It is clear that you have a configuration concern on your side. Having had too much information on your paltform, ADFS 2022 OK, but is a VM or a server, TPM or not, configuration of the domains, Creential of the super-user, Adds or SQL configuration, etc... ?

I confirm that on our ADFS 2022 test platforms, we do not have this type of concern.
So, I made you a little build, and added several lines of debug (Eventlog).

Please test with this build and send us all detailed traces.

regards

[mastertIT]

Thank you for that, at least i see more detailed errors now:

Log Name:      Application
Source:        ADFS MFA Service
Date:          2023-03-28 12:36:06 PM
Event ID:      2000
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      ADFS01.xxx.xx
Description:
Error Initializing WebAuthN Metdata Repository : There was no endpoint listening at net.tcp://localhost:5987/WebAdminService that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. /// 
Server stack trace: 
   at System.ServiceModel.Channels.ConnectionUpgradeHelper.DecodeFramingFault(ClientFramingDecoder decoder, IConnection connection, Uri via, String contentType, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Neos.IdentityServer.MultiFactor.IWebAdminServices.HasBLOBPayloadCache()
   at Neos.IdentityServer.MultiFactor.Data.WebAdminManagerClient.HasBLOBPayloadCache()
   at Neos.IdentityServer.MultiFactor.WebAuthN.Metadata.BaseSystemMetadataRepository.HasBLOBPayloadCache()
   at Neos.IdentityServer.MultiFactor.WebAuthN.Metadata.MDSMetadataRepository.<GetBLOB>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Neos.IdentityServer.MultiFactor.WebAuthN.MFAMetadataService.<InitializeRepository>d__13.MoveNext()
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="ADFS MFA Service" />
    <EventID Qualifiers="0">2000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2023-03-28T16:36:06.9969056Z" />
    <EventRecordID>12966</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>ADFS01.xxx.xx</Computer>
    <Security />
  </System>
  <EventData>
    <Data>Error Initializing WebAuthN Metdata Repository : There was no endpoint listening at net.tcp://localhost:5987/WebAdminService that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. /// 
Server stack trace: 
   at System.ServiceModel.Channels.ConnectionUpgradeHelper.DecodeFramingFault(ClientFramingDecoder decoder, IConnection connection, Uri via, String contentType, TimeoutHelper&amp; timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper&amp; timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper&amp; timeoutHelper)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)
   at Neos.IdentityServer.MultiFactor.IWebAdminServices.HasBLOBPayloadCache()
   at Neos.IdentityServer.MultiFactor.Data.WebAdminManagerClient.HasBLOBPayloadCache()
   at Neos.IdentityServer.MultiFactor.WebAuthN.Metadata.BaseSystemMetadataRepository.HasBLOBPayloadCache()
   at Neos.IdentityServer.MultiFactor.WebAuthN.Metadata.MDSMetadataRepository.&lt;GetBLOB&gt;d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Neos.IdentityServer.MultiFactor.WebAuthN.MFAMetadataService.&lt;InitializeRepository&gt;d__13.MoveNext()</Data>
  </EventData>
</Event>

the above was returned Immediately after the debug version was installed.

once the MFA plugin was attempted to be opened i also received the same error as before:

• server is a VM
• server doesn't use TPM
• ADDS is at server 2016 domain functional level (DC's are server 2022 as well)
• ADFS uses sql for the farm DB, there are 2 adfs servers
• The one thing to note is we have a 2 way cross forest trust with another domain, however the adfs servers aren't being used for the other forest.
• there are no addon upn suffix's to ADFS
• we have an internal CA server for the service communication certificate (CRL and OSCP are setup correctly for certificate revocation and lookup: internal and external)

[redhook62]

Ok, so no worries with your infrastructure.
Check, why the mfanotifhub service is not accessible (Firewall?, Antivirus?)

let us know

regards

[mastertIT]

Barebones. No firewall or av setup on this server as it's not in production yet.

That fact that it errors out on pulling the security descriptors is curious as that explains why it denies me access to the settings.

MFA has never been setup in this environment before.

[redhook62]

The debug stack you submitted only indicates that the "MFA Notification Hub" service is not available or stopped.

This log appears when you restart this service (to be seen on our side, but rather on the OS side, and only with W2022).

We tested with TPM activated or not

As a result, in this case you actually get the message "PS0033: This Cmdlet must be executed with ADFS Administration rights granted for the current user!".

On our side, the only constraint is that by default the service must run under the "System" account, which allows it to contact ADDS under the machine account.

The "MFA Notification Hub" service must imperatively be started.

regards

[mastertIT]

okay,

what we've attempted so far:

1. complete wipe of the adfs vm, and redeploy
2. FW DISABLED
3. AV DISABLED
4. re-add to federation farm, import communication certificate
5. Install 2022 - VC_redist.x64
6. Install 2022 - VC_redist.x86
7. Install ndp481-web

REBOOT

• install MFA plugin (debugging version)
  

This error occurs every time the MFA plugin is run:

[redhook62]

Hi, @mastertIT

As indicated before, the MFA service runs by default with the System account, this account by default has access to the entire machine, therefore to the MFA application directory.

It doesn't make sense that there is access denied. either you changed the account or the adfs machine is not on the same domain (resource forest).

You must therefore solve this problem, the service does not modify attributes in ADDS, but must have the right to request general attributes, and moreover attract SIDs for different accounts.

With the system account, this is not a problem because it is the machine that accesses ADDS (on the domain where this machine is registered).

I enclose a last build, which you will beta test for us.
We have optimized the start of the service there, in order to avoid having inappropriate error messages.

regards

[mastertIT]

@redhook62

this is an entirely new server. since we last spoke. deleted the vm and reinstalled windows and added adfs to the existing sql federation forest.
then installed prerequisites then installed MFA.

NO OTHER CHANGES WERE MADE.

updated MFA to attached version before testing the below.

1. if we have a forest trust with another companies AD would that cause the error with the SID?
2. what permissions need to be set on the C:\Program Files\MFA folder to fix the access denied error?
   the existing settings:

[redhook62]

Hi @mastertIT

Several things.

• working on multi-forests is not a problem for the pluggin (this has been in effect for several years, we have several customers in this case and no worries)

About the rights

• the rights will be updated by the product on this directory once everything has started correctly.
• local users do not have to be present.
• The ADFS service account is not present, does it belong to the local administrators?

About Eventlog

• you have Schannel errors 36928 - Could not retreive OCSP Response. You absolutely must correct this problem!!!

About ADFS Administrators Group

• this group must be a group belonging to the forest in which ADFS servers are registered, accounts within this group can be from multiple forests via ADDS trust relationships.

What you can test

• Disable the ADFS administrators group in ADFS and check the result.

• Solve the SChannel problem (probably linked to a misconfigured certification authority).

• Check on the side of your domain controllers, any errors (it's probably on this side that there is a problem)

• Confirm that the 2 files config.db and system.db are well created and check the rights on these files.

• As a last resort, modify the MFA service account and switch to an account that has rights to the 2 forests (the ADFS service account?), this account must have access to the MFA directories. the simplest is actually a Local Administrator.

• Check on the Windows 2022 side for possible issues. Especially following the upgrade from 2016 to 2022, there are a multitude of concerns

regards

redhook

Sample for rights
the first three one are set by the pluggin

• Local Administratoirs (set in ADFS configuration)
• Local System (required by default)
• ADFS Service Account
• ADFS Delegated Admin Group (set in ADFS configuration)

[redhook62]

Some news ?

[mastertIT]

• ADFS Service Account is a gMSA account, it was added to local admins Services group.

• the schannel errors were due to an old wsus server certificate with old AIA config (old ocsp url in cert).

• OCSP, and CRL's are through our loadbalancer so the CA infrastructure is working.

• DC's are all 2022, and were installed side by side 2019, not migrated.

Will go through and check everything again and update you.

what rights does the MFA service need in Active Directory? (does it need to be delegated access from the other AD forest?)

[redhook62]

Hi @mastertIT

For the different ways to assign rights to your service account you can refer to the documentation here: ADDS Account.

When configuring with ADDS, I recommend that you have a "Standard" service account, as required by ADFS (read rights on the ADDS forests accounts) and enter the credentials for the "Super-User ", account must have read/write rights on ADDS accounts. here Securiy Configuration

If you do not want this, then you must go to the SQL configuration

reards

[mastertIT]

Crawled through our entire active directory topology.

zero issues with CA
zero issues with CRL lookup
zero issues with OCSP lookup
zero issues with sync between DC's
zero issues with ADFS servers
zero issues between forests.

still have the failed to retrieve security descriptors error on running the MFA plugin.

can we build a version of the plugin without the authentication builtin?
if a nefarious actor got access to the adfs server they could grant themselves access through the adfs console anyways. i don't see any risk by removing the authentication in the mfa plugin.

[mastertIT]

this also errors out immediately.

[mastertIT]

it seems the server tries to resolve the certificate chain for Microsoft smartscreen immediately when the 'security descriptors' error and 'must be executed with adfs administrators' errors occur. the plugin is likely failing due to security features built-into active directory or windows.

[redhook62]

Hi @mastertIT

Thank you for all those informations.

We also have a Windows 2022 platform in ADDS multi-forests, and co-federation between distinct ADFS platforms.
We also have smartscreen activated on these 2022 servers, virtual tpm and more.

All this to say, that we don't do any particular things.

To retrieve the SIDs, some of which are purely local to each server, as indicated before, the server requests its domain under the account of the machine, it would do the same thing to check a login on the machine.

Another point, disabling the SID check in the pluggin, won't change anything because the pluggin's config is stored in the ADFS databases (built-in ADFS...), so effectively an unauthorized user will not be able to manipulate the console ADFS or the plugin.
however if the checks performed are removed, unexpected errors will occur during execution in the pluggin. this check is performed when starting the MMC or PowerShell to avoid serious problems afterwards.

So as indicated, there is a problem on your platform..
schannel or CAPI errors are not normal.
denied access is not normal.

you can try 2 things to test

• Disable smartscreen on the servers
• Disable in ADFS the ADFS administration delegation group

test each option one at a time and then together.
each time restart the federation services: restart-service mfanotifhub (restarts the pluggin services and the ADFS services).

Don't forget to run the powershell commands in admin mode.

Tomorrow, I will provide you with a build with detailed logs on the SID recovery part. to see exactly what the problem is.

regards

[mastertIT]

please see attached evtx file. includes mfa sources adfs and schannel. although there wasn't much activity besides capi.
i could not find any discernable info here that was helpfull.
**removed°°
(delete .zip from end of file once received)

did an unregister mfa as well as wipe config in programfiles\mfa when new build was installed.

[redhook62]

Thanks a lot,

You do not need to register the plugin again.
Simply uninstall the previous one, and deploy the one I provided.

Don't forget to send the MFA logs, if you haven't already done so.

[redhook62]

Hi, @mastertIT

After a quick analysis of your event logs.

This morning at 08:16:03 -> 08:16:04 the loading of SIDs went correctly. So the retrieval of this information is correct. I will redo a build for you to display the recovered values.

However, there are error messages indicating that the plugin is not registered :
Error retrieving configuration from ADFS Database: PS0105: No authentication provider with name 'MultifactorAuthenticationProvider' is present in the policy store.
After retrieving SIDs it crashes from 08:16:38

Is this the case?
if yes, you must then register the plugin with the Register-MFASystem cmdlet.

Steps :

• uninstall previous build,
• delete directory c:\Program Files\MFA to have a clean situation.
• restart the ADFS service: restart-service adfssrv
• Install this new build and register the plugin in ADFS with Register-MFASystem
• restart the MFA service: restart-service mfanotifhub (this also restarts the ADFS service)

Re run your tests, and send me the result of the events as before

adfsmfa.zip

regards

redhook

[mastertIT]

thats one of the issues, that always has failed from the beginning, MFA Service is started but never was able to listen on that port.

Something interesting has been discovered here.

but the logs show something different...

MFA-SID-Events.evtx.zip

not pictured in the logs: tried changing the MFA service to use a domain admin user to test, but the same issues occured.

[redhook62]

in these logs, there is no longer any value, this means that the information is no longer retrieved.
On the other hand, be aware that it is impossible to do anything if the component is not registered, all the errors occurring cannot be taken into account. this is the basis.
On the other hand on the TCP error, no response after one minute on a local call, the service must not be started, as a reminder this service must run under the system account.
Another question, have you checked that the component is registered on the ADFS side, either in the ADFS console or in PowerShell.

Part 0:

Export-AdfsAuthenticationProviderConfigurationData -Name "AuthenticationProvider" -FilePath c:\temp\mfa\3.1.xml

Part 1:

(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider null

UnRegister-AdfsAuthenticationProvider -Name "MultiFactorAuthenticationProvider" -Confirm:$false

Part 2:

$typeName = "Neos.IdentityServer.MultiFactor.AuthenticationProvider, Neos.IdentityServer.MultiFactor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=175aa5ee756d2aa2"
Register-AdfsAuthenticationProvider -TypeName $typeName -Name "MultifactorAuthenticationProvider" -Verbose -ConfigurationFilePath "c:\temp\mfa\3.1.xml"

Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider MultiFactorAuthenticationProvider
net stop adfssrv
net start adfssrv

Part 3:

restart-service mfanotifhub
Register-MFASystem
restart-service mfanotifhub

Until you have properly registered the component, the procedure for which is standard, as for all existing MFA components on the market. there is no need to go any further!
Check that you are the local administrator of the server, and refer to the documentation.

If you don't have a backup of your configuration, only run part 1 and part 3. if you have this backup, run parts 1 and 2.

let us know

regards

[mastertIT]

1. the values returned have always been blank

2. the service is started throughout the entire process. if it was not i would have noticed that...........

3. i AM local administrator AND domain administrator. otherwise i would not be able to login via remote desktop....

4. it feels like we're going in a circle here. you're more than welcome to remote into the server and see for yourself everything i've said until now is true.

5. the AdditionalAuthenticationProvider was registered and did show up the entire time the plugin stated it did not exist, manually removing it with Unregister-AdfsAuthenticationProvider and re-registering does cause the plugin to re-recognize it..

[redhook62]

Hi, @mastertIT

Funny thing, are you still using Windows XP?

Otherwise, first delete the system.db file and retest after restarting the MFA service.

Then, if you want me to intervene on your server.

• Make sure your server is accessible in RDP from the internet (I do not want to set up a VPN procedure)
• prepare 2 rdp files, with stored user credentials.
• For local server administrator
• For a domain account present in the ADFS delegated administrators group.
• See me at the address indicated in the source codes for these 2 zipped RDP files.
• let me know when your internet access will be open.

regards

redhook

[mastertIT]

no it was a meme.

access has been emailed to you

[redhook62]

Hi @mastertIT

I will ask you as a workaround to test this.

In your resource forest (the forest where the ADFS servers are located) create a group of users in which you will position your delegated administrators.
Next, modify the ADFS configuration to assign this group (local ADDS for ADFS) to delegated administrators. you can also do the same for local administrators.
Then restart the MFA service (restart-service mfanotifhub)

The reason seems as follows: the recovery of SIDs is carried out by the system account of your ADFS server, or under the ADFS machine account. this machine has no rights on other ADDS forests, but only on its resource forest. therefore any access to a remote forest is denied, which is the goal when setting up a forest of resources.

There are therefore 2 approaches, either assign your users to local groups or resource domain, or through trust relationships give rights to the ADFS machine on other forests.
You could also run the MFA service with an account from a remote forest, like the ADFS service account, of course by giving admin rights on the ADFS machine.

If this is confirmed, we can consider doing something in the future, but I think it would not be a good solution, it is on the side of the ADDS infrastructure that we must manage all this.
By setting up a resource forest, you should expect to do this kind of thing (give certain rights or use certain accounts to manage this particular trust.

regards

redhook

[mastertIT]

I was able to delegate read access from the other forest to the adfs server computer accounts and to the adfs administrators group.
The other forest is a separate company so this wouldn’t be a common solution I think.

The SID’s after restarting still return blank values. (the authentication module is registered)

[mastertIT]

per our email thread, i changed the MFA service account back to local system and restarted the services.
without making any other changes the SID's are returning blank values.

confirmed that there are no errors in our network or in our domain controllers and certificate authority.

what would be the next steps?

[mastertIT]

is this still a known issue?
https://support.microsoft.com/en-us/topic/february-4-2022-kb5011258-update-for-net-framework-4-8-for-microsoft-server-operating-system-version-21h2-cc5d0bdc-8212-4c42-a580-4ff665386707