Replies: 9 comments
-
This is Windows Server 2022 (21H2)
-
Hi @abctaylor

The problem comes from the ADFS service; it is unlikely that the plugin is the cause, because it is isolated from the main ADFS process. Then the plugin registration fails, and this is normal, because the ADFS service must be started. For example, when you restart the MFA service (mfanotifhub), it makes sure that the adfssrv service is started. Googling it says corrupted binaries.

Please make sure the plugin is not active in ADFS first. Start ADFS correctly before registering the plugin, and above all read the Wiki, respecting all the prerequisites indicated.

Regards
-
Thanks for the reply. All the requirements in the Summary table in the Wiki are already met. ADFS starts fine as soon as Neos SDI is uninstalled via Control Panel so the module is causing interference somehow. Restarting the mfanotifhub service works, but this itself doesn't restart adfssrv. AD FS won't start even if the MFA service is stopped - it needs to be fully uninstalled before it attempts to start. If I uninstall, I still see the plugin present in AD FS (but not selected/enabled). Is there any way I can do a complete clean removal, because uninstalling via Control Panel doesn't fully remove it. Any help would be much appreciated.
-
Hi @abctaylor

To remove the MFA module reference from ADFS you can use this PowerShell command:

Unregister-AdfsAuthenticationProvider -Name "MultiFactorAuthenticationProvider"

Then make sure that during the installation you are a local administrator, and launch the installation and any PowerShell command in administrator mode. In the ADFS configuration, management must be activated for the System account as well as for local administrators (defined explicitly; a domain administrator will not necessarily have the rights...).

The error occurs when detecting ADDS forests, on a standard request from the System.DirectoryServices.ActiveDirectory.ForestTrustRelationshipInformation framework modules. Verify your ADDS trust relationships.

Regards
-
Unfortunately I couldn't get this working, I believe I met all requirements for a single-server 2022 installation. Once I got the It looked like a very promising solution but I worry it won't be stable in production at present, even if I got it working. I might re-evaluate this in the future. I am familiar with some basic Windows debugging and am happy to help you work through this if you like, or you can close the issue. Thanks,
-
Hi @abctaylor

What I can tell you is that error #1026 is clear: it is by asking for the list of trust relationships that it crashes in Framework code. Have you checked that your gMSA account has the rights to other ADDS forests, and that the trust relationships are valid? Are you using a resource forest? Can you try with an ADFS service account with the ability to read and write user properties and query domain controllers?

We may have the opportunity to do additional tests on our side next week.

Regards
-
On Windows Server 2022 21H2, there is a .NET 4.8 bug that interferes with cross-forest trust relations, shown in that error 1026 (GetForestTrustInfoHelper). However I have found a solution:

Install KB5011258

This .NET library call has a fix with the above patch. I have the product working. I hope this issue is helpful to someone in the future. Thanks for working through this with me.
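The checks discussed in this thread (update present, forest trust enumeration, adfssrv state, leftover provider registration), collected as an added example that is not part of the original posts or of the project's own tooling. It assumes the plugin reaches the failing framework code through Forest.GetAllTrustRelationships(); the KB number, service name and provider name are the ones quoted in the thread.

```powershell
# Added example: read-only checks, run from an elevated PowerShell on the AD FS server.
# Note: this runs as the signed-in user, not as the AD FS service account.
$kb           = 'KB5011258'                          # update named in the thread
$providerName = 'MultiFactorAuthenticationProvider'  # provider name used in the thread

# 1. Is the update from the thread installed?
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($hotfix) {
    "{0} installed on {1}" -f $kb, $hotfix.InstalledOn
} else {
    "$kb not reported by Get-HotFix"
}

# 2. Enumerate forest trusts through System.DirectoryServices.ActiveDirectory.
#    Assumption: the failing code path is reached via Forest.GetAllTrustRelationships().
try {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $trusts = $forest.GetAllTrustRelationships()
    "Forest {0}: {1} trust relationship(s)" -f $forest.Name, $trusts.Count
    foreach ($t in $trusts) {
        "  {0} -> {1} ({2}, {3})" -f $t.SourceName, $t.TargetName, $t.TrustType, $t.TrustDirection
    }
} catch {
    # PowerShell wraps .NET exceptions; report the underlying one.
    $inner = $_.Exception.GetBaseException()
    "Trust enumeration failed: $($inner.GetType().FullName)"
    "  $($inner.Message)"
}

# 3. AD FS service state; the provider cmdlets need adfssrv running.
$svc = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
if (-not $svc) {
    "adfssrv service not found on this machine"
} elseif ($svc.Status -ne 'Running') {
    "adfssrv is $($svc.Status); start it before registering or unregistering the provider"
} else {
    # 4. Is the MFA provider still registered after an uninstall?
    $provider = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq $providerName }
    if ($provider) {
        "Provider '$providerName' is registered"
    } else {
        "Provider '$providerName' is not registered"
    }
}
```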
-
Closing.
-
Hi! Product looks great but unfortunately cannot get it running w/o breaking ADFS.
I installed with a local admin account (.\Administrator) and the program is present in appwiz.cpl
Found this in Event Viewer; looks mildly interesting:
when starting the service, some MFA providers (the default ones get loaded):
then 5 seconds later, the service fails to start (during its startup process):
and this:
and this:
Running Register-MFASystem fails with it being unable to connect to localhost:1500.

Thanks, appreciate any help.