Now that our first MFA server is running, it is time to extend the functionality to other roles. We are going to install the ADFS adapter on the ADFS server.
There are two ways to install the ADFS adapter. The write-up below is, in my opinion, the easiest one, because you don't need to configure the IIS to ADFS connection in the MFA tool manually: the MFA Server software is installed on the ADFS server itself, so the adapter talks to a local MFA Server instance that replicates with the first one. Download and install the MFA Server tool as described in this blogpost.
Be aware that this time, unlike on the first server, we do need to set up server replication when prompted:
Choose Next to start the configuration.
You need one of the two methods to sync. In my lab environment I chose to use Active Directory, as the ADFS and MFA servers are both in the server LAN and I use a web proxy to redirect the requests to ADFS.
MFA Server is going to create a security group in AD for admins and replication partners.
After it has finished, the server needs to be rebooted so that the group membership of its computer account takes effect (the computer's group memberships are only refreshed at boot).
When you log in again, open the MFA tool and click the ADFS button, you get the option to install the ADFS adapter. You can also run the MSI directly from the Program Files\Multi-Factor Authentication Server directory.
Next, open an elevated PowerShell window, change to C:\Program Files\Multi-Factor Authentication Server and run:
.\Register-MultiFactorAuthenticationAdfsAdapter.ps1
Now restart the ADFS service (Restart-Service adfssrv) so it loads the newly registered adapter.
Once the service is back, open the ADFS management console. Under Authentication Policies you can edit the global Multi-Factor Authentication settings. Tick the WindowsAzureMultiFactorAuthentication checkbox to enable the ADFS adapter as an additional authentication method. Optionally you can also require MFA at the global level for specific users/groups, for unregistered devices, or for extranet/intranet locations. The same requirements can be set per relying party trust, which is the more precise option because it only affects the applications that need the second factor.
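The registration and policy steps above can also be done from PowerShell, which is handy when you have more than one ADFS server. The following script is an added example and is not part of the original post or of the MFA Server product. It assumes the default install path, that the security group created by the multi-server wizard is named 'PhoneFactor Admins' (check the name in your AD), and uses a placeholder relying party trust named 'Claims Test App'; the ADFS cmdlets and the claim rule language are the standard ones on Windows Server 2012 R2 and later.

```powershell
# Added example (not from the original post): scripted registration of the MFA Server
# ADFS adapter with a verification step after each action. Run in an elevated
# PowerShell on the ADFS server after the reboot mentioned above.
# Assumptions: install path, group name and relying party name are placeholders.

$mfaPath  = 'C:\Program Files\Multi-Factor Authentication Server'
$adapter  = 'WindowsAzureMultiFactorAuthentication'   # provider name shown in the ADFS console
$mfaGroup = 'PhoneFactor Admins'                      # assumption: group the multi-server wizard creates
$rpName   = 'Claims Test App'                         # assumption: an existing relying party trust

# 1. Pre-check: the computer account must already be a member of the MFA admin group,
#    otherwise the adapter cannot talk to MFA Server. ADSI is used so no RSAT module is needed.
$computer = ([adsisearcher]"(&(objectClass=computer)(cn=$env:COMPUTERNAME))").FindOne()
$inGroup  = @($computer.Properties['memberof']) -match "^CN=$([regex]::Escape($mfaGroup)),"
if (-not $inGroup) {
    throw "$env:COMPUTERNAME is not a member of '$mfaGroup' yet. Reboot the server and retry."
}

# 2. Register the adapter and restart ADFS so the new authentication provider is loaded.
& (Join-Path $mfaPath 'Register-MultiFactorAuthenticationAdfsAdapter.ps1')
Restart-Service adfssrv

# 3. Verify that ADFS now knows the provider before changing any policy.
if (-not (Get-AdfsAuthenticationProvider | Where-Object Name -eq $adapter)) {
    throw "Provider '$adapter' is not registered; check the AD FS Admin event log."
}

# 4. Enable it as an additional (second-factor) provider globally. The Set- cmdlet
#    replaces the whole list, so keep any providers that are already enabled.
$policy    = Get-AdfsGlobalAuthenticationPolicy
$providers = @($policy.AdditionalAuthenticationProvider) + $adapter | Select-Object -Unique
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $providers

# 5. Require MFA for extranet logons to one relying party. This is the scripted
#    equivalent of ticking 'Extranet' in the per-RP MFA settings of the console.
$extranetMfaRule = @'
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $extranetMfaRule

# 6. Print the resulting configuration for review.
Get-AdfsGlobalAuthenticationPolicy | Select-Object AdditionalAuthenticationProvider
Get-AdfsRelyingPartyTrust -Name $rpName | Select-Object Name, AdditionalAuthenticationRules
```

Step 4 matters in practice: Set-AdfsGlobalAuthenticationPolicy overwrites the provider list, so running it with only the new adapter would silently disable any other additional authentication provider you already had enabled.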
In the MFA tool I configured the following settings for the ADFS users, to enable enrollment and to define which authentication methods users are allowed to use.
To test whether the ADFS integration is working, I go to the IdP-initiated sign-on test page on my ADFS server:
https://your-adfs-server/adfs/ls/idpinitiatedsignon.htm
Note that on ADFS for Windows Server 2016 and later this page is disabled by default and must be turned on first with Set-AdfsProperties -EnableIdpInitiatedSignonPage $true; on 2012 R2 it is available out of the box.
After I log on I get the option to enroll for MFA:
The next time I log in to ADFS I get a second authentication prompt (in my case a phone call).
In the next blog we will configure the User Portal for applications that don't use ADFS (Cisco VPN, Remote Desktop Gateway, etc.).