If you are already using Azure MFA with the on-premises Multi-Factor Authentication Server and have upgraded (or plan to upgrade) to the latest version (7.0.2 at the time of writing), and the server is integrated with ADFS, you may see the following error in the AD FS/Admin log after upgrading the ADFS adapter, typically right after the ADFS service restarts:
Log Name: AD FS/Admin
Source: AD FS
Date: 7/9/2016 10:55:08 AM
Event ID: 105
Task Category: None
Keywords: AD FS
An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Context: Proxy device TLS pipeline
The external authentication method pfadfs.AuthenticationAdapter, MultiFactorAuthAdfsAdapter, Version=220.127.116.1152, Culture=neutral, PublicKeyToken=31bf3856ad364e35 could not be loaded. Could not load file or assembly ‘MultiFactorAuthAdfsAdapter, Version=18.104.22.16852, Culture=neutral, PublicKeyToken=31bf3856ad364e35’ or one of its dependencies. The system cannot find the file specified.
This happens because the adapter assembly was renamed in the new version: the provider that is still registered in the ADFS policy store points at the old MultiFactorAuthAdfsAdapter assembly, which no longer exists on disk, so ADFS cannot load it.
To fix it, unregister the previous version of the ADFS adapter and then register the new one, in the order below.
Disable MFA in ADFS
If MFA is integrated with your ADFS, the adapter is almost certainly selected as an additional authentication method (otherwise it would not be doing anything).
Before unregistering the "old" version, remove it from the additional authentication methods in the ADFS console, under Authentication Policies; the unregister step below fails while it is still selected.
Unregister the previous version
Open a PowerShell prompt and run the following command
Unregister-AdfsAuthenticationProvider -Name WindowsAzureMultiFactorAuthentication
If you did not disable the adapter in the ADFS policy first, the command fails with this error:
Unregister-AdfsAuthenticationProvider : PS0099: The specified authentication provider cannot be removed from the
policy store. The provider is currently specified in the additional authentication providers list. Remove the
provider from the additional authentication providers list.
At line:1 char:1
+ Unregister-AdfsAuthenticationProvider -Name WindowsAzureMultiFactorAuthenticatio …
+ CategoryInfo : InvalidArgument: (:) [Unregister-AdfsAuthenticationProvider], ArgumentException
+ FullyQualifiedErrorId : PS0099: The specified authentication provider cannot be removed from the policy store.
The provider is currently specified in the additional authentication providers list. Remove the provider from the
additional authentication providers list.,Microsoft.IdentityServer.Management.Commands.RemoveExternalAuthProviderC
Once completed, restart the ADFS service
Register the new version
Run the PowerShell script provided with MFA to register the new version; the script is located in the C:\Program Files\Multi-Factor Authentication Server folder and is called Register-MultiFactorAuthenticationAdfsAdapter.ps1
Once completed, restart the ADFS service again.
Re-enable the adapter
Reopen the ADFS console and browse to Authentication Policies to re-enable the adapter as an additional authentication method; you will notice its name has changed to Azure Multi-Factor Authentication Server.
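The whole procedure (remove the old adapter from the policy, unregister it, restart, register the upgraded adapter, restart, re-enable it) can be run from PowerShell instead of switching between the console and a prompt. The script below is an added example and is not from the original post or from Microsoft. It assumes an elevated PowerShell session on the primary ADFS server, the install path and script name given above, and the old provider name WindowsAzureMultiFactorAuthentication; the internal name of the new provider is not stated in the post, so the script discovers it by comparing the registered providers before and after the register script runs. The final check looks for new Event ID 105 entries after the restart, which is the symptom this post is about.

```powershell
# Added example (not from the original post): re-register the Azure MFA Server
# ADFS adapter after an upgrade, in the order the post describes.
# Assumptions: elevated PowerShell on the primary ADFS server; MFA Server
# installed at the path named in the post; the old provider is registered as
# 'WindowsAzureMultiFactorAuthentication'. The new provider's internal name is
# not given in the post, so it is discovered rather than hardcoded.

$oldProviderName = 'WindowsAzureMultiFactorAuthentication'
$registerScript  = 'C:\Program Files\Multi-Factor Authentication Server\Register-MultiFactorAuthenticationAdfsAdapter.ps1'

Import-Module ADFS

function Restart-Adfs {
    # Restart the Federation Service and wait until it reports Running before
    # touching the policy store again.
    Restart-Service -Name adfssrv -Force
    (Get-Service -Name adfssrv).WaitForStatus('Running', [TimeSpan]::FromSeconds(120))
}

# Step 1: take the old adapter out of the additional authentication providers
# list. Unregister-AdfsAuthenticationProvider fails with PS0099 while it is listed.
$providers = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
if ($providers -contains $oldProviderName) {
    $remaining = @($providers | Where-Object { $_ -ne $oldProviderName })
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $remaining
}

# Step 2: unregister the old adapter, then restart the Federation Service.
if (Get-AdfsAuthenticationProvider -Name $oldProviderName -ErrorAction SilentlyContinue) {
    Unregister-AdfsAuthenticationProvider -Name $oldProviderName
}
Restart-Adfs

# Step 3: register the adapter shipped with the upgraded MFA Server and restart again.
# Record the provider names first so the new one can be identified afterwards.
$before = @(Get-AdfsAuthenticationProvider | Select-Object -ExpandProperty Name)
& $registerScript
Restart-Adfs

# Step 4: find the newly registered provider and add it back to the global policy.
$newProvider = Get-AdfsAuthenticationProvider |
    Where-Object { $before -notcontains $_.Name } |
    Select-Object -First 1
if (-not $newProvider) {
    throw "No newly registered MFA provider found; check the output of $registerScript"
}
$current = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
if ($current -notcontains $newProvider.Name) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider ($current + $newProvider.Name)
}
Write-Host "Enabled additional authentication provider: $($newProvider.Name)"

# Step 5: confirm the adapter loaded. Event ID 105 in AD FS/Admin is the
# "error occurred loading an authentication provider" event from the post;
# Get-WinEvent reports a non-terminating error when nothing matches, hence SilentlyContinue.
$since = (Get-Date).AddMinutes(-5)
$loadErrors = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 105; StartTime = $since } -ErrorAction SilentlyContinue
if ($loadErrors) {
    $loadErrors | Format-List TimeCreated, Message
} else {
    Write-Host "No Event ID 105 logged since $since; the adapter loaded correctly."
}
```

Run it on the primary federation server: in a WID farm the policy store is only writable from the primary, and the adapter DLL still has to be installed (by the MFA Server upgrade) on every node in the farm. If Step 4 throws, the register script did not add a provider and its own output is the place to look.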