Upgrading the ADFS Adapter is not straightforward, even though the upgrade readme makes no mention of any issues!
To upgrade MFA Server 6.3.1 to 7 (which lets you drop .NET 2 as a requirement, as it goes out of support soon) you download the MFA installer to each MFA server and run the installation. Once the installation is complete and you restart the MFA admin application, you are prompted to upgrade the User Portal, the SDK and the Mobile App software. You are also required to update the ADFS Adapter, which is welcome, as the ADFS Adapter has new features in version 7.
But this step is broken. The registered name of the ADFS Adapter has changed, so when you restart the ADFS server you get the following four errors in the AD FS Admin event log:
An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Identifier: WindowsAzureMultiFactorAuthentication
Context: Passive protocol pipeline
Additional Data
Exception details:
The external authentication method pfadfs.AuthenticationAdapter, MultiFactorAuthAdfsAdapter, Version=6.3.0.17452, Culture=neutral, PublicKeyToken=31bf3856ad364e35 could not be loaded. Could not load file or assembly 'MultiFactorAuthAdfsAdapter, Version=6.3.0.17452, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.
The other three events are identical apart from the Context line, which reads Passive protocol TLS pipeline, Proxy TLS pipeline and Proxy device TLS pipeline respectively.
Each of these errors has Event ID 105 and the Event Source is AD FS.
To fix these errors you need to unregister the MFA ADFS Adapter under its old name. The cmdlet for doing this is Unregister-AdfsAuthenticationProvider -Name WindowsAzureMultiFactorAuthentication, run from an elevated PowerShell prompt on the primary ADFS server. The MFA documentation says you can use .\Register-MultiFactorAuthenticationAdfsAdapter.ps1 and .\Unregister-MultiFactorAuthenticationAdfsAdapter.ps1 to add and remove the adapter from ADFS, but because the adapter name has changed, the MFA-provided scripts only unregister/register the new version of the adapter and leave the old registration in place.
As you can see from the screenshot below, the ADFS Adapter now appears as the Azure Multi-Factor Authentication Server, whereas it used to be called the Windows Azure Multi-Factor Authentication Provider, and this rename is the source of the upgrade issue. The upgrade registers the adapter under its new name but never removes the old-named registration from ADFS's configuration database, so ADFS keeps trying to load the 6.3.0.17452 assembly that the upgrade has already deleted from disk.
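The clean-up described above, written out as an added example (this is my own script, not something from the MFA installer or its documentation). It runs in an elevated PowerShell on the primary ADFS server, lists what ADFS has registered, removes the old-named registration, restarts the Federation Service and then checks the AD FS Admin log for fresh Event ID 105 entries. All cmdlets are the standard ADFS module cmdlets. Two things are assumptions: that the new adapter can be found by a display name starting with "Azure Multi-Factor", and that the old name should be dropped from the global authentication policy before the provider is unregistered so no dangling reference is left behind.

```powershell
# Added example, not part of the original post or the MFA Server product.
# Run in an elevated PowerShell on the PRIMARY AD FS server after the
# MFA Server 7 ADFS Adapter upgrade has been installed.

Import-Module ADFS

# Identifier taken from the Event ID 105 errors in the AD FS Admin log.
$oldName = 'WindowsAzureMultiFactorAuthentication'

# 1. Show what AD FS thinks is registered. After the upgrade you expect to see
#    both the stale old entry and the new one.
Get-AdfsAuthenticationProvider | Select-Object Name, AdminName | Format-Table -AutoSize

# 2. Look up the stale registration by its old name.
$old = Get-AdfsAuthenticationProvider -Name $oldName -ErrorAction SilentlyContinue
if (-not $old) {
    Write-Host "No provider named '$oldName' is registered; nothing to remove."
} else {
    # 3. (Assumption) If the old name is still listed in the global authentication
    #    policy, replace it with the new adapter's name before unregistering so the
    #    policy does not keep pointing at a provider that no longer exists.
    #    The new adapter is located by display name, which is itself an assumption.
    $policy = Get-AdfsGlobalAuthenticationPolicy
    if ($policy.AdditionalAuthenticationProvider -contains $oldName) {
        $new  = Get-AdfsAuthenticationProvider |
                Where-Object { $_.AdminName -like 'Azure Multi-Factor*' -and $_.Name -ne $oldName }
        $keep = @($policy.AdditionalAuthenticationProvider | Where-Object { $_ -ne $oldName })
        if ($new -and ($keep -notcontains $new.Name)) { $keep += $new.Name }
        Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $keep
    }

    # 4. Remove the stale registration by its old name. This is the step the
    #    MFA-provided Unregister script skips because it only knows the new name.
    Unregister-AdfsAuthenticationProvider -Name $oldName -Confirm:$false
    Write-Host "Unregistered '$oldName'."
}

# 5. Restart the Federation Service and confirm no new Event ID 105 is logged.
$restartedAt = Get-Date
Restart-Service adfssrv
Start-Sleep -Seconds 30
$errs = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 105; StartTime = $restartedAt } `
        -ErrorAction SilentlyContinue
if ($errs) {
    Write-Warning "Event ID 105 still being logged after restart:"
    $errs | Format-List TimeCreated, Message
} else {
    Write-Host 'No Event ID 105 logged since the restart; the old adapter registration is gone.'
}
```

In a WID-based farm the unregister must be run on the primary server; secondary servers pick the change up on their next configuration sync, after which each one needs its own Federation Service restart before the errors stop there too.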
Once the User Portal, ADFS Adapter, Mobile App and SDK are all upgraded you can uninstall .NET 2 from your Windows Server 2012 R2 MFA boxes.