Multi Factor Authentication (MFA) Using ADFS 3.0 and Certificates

I had to implement MFA using ADFS 3.0 and internally signed certificates in order to authenticate external users against Office 365 services. There were a few niggles along the way but on the whole it was a relatively easy process to complete. The design brief stated that only domain joined devices from outside the corporate LAN can consume Office 365 services. In addition these users must perform multi-factor authentication when outside the corporate LAN only. I am pretty sure that the design could have been achieved using Azure MFA and a few claim rules in ADFS. However, the customer liked the idea of the relatively simple management and roll out that certificate based MFA provides.

In order to set this up you need the following installed and in production:

• ADFS 3.0 farm
• WAP
• Active Directory Certificate Services
• Web publishing point for your CA revocation lists
• Port TCP 49443 open inbound to your WAP server VIP

Once you have these pre-requisites in place you can start to configure MFA

1. Create a Security Group in Active Directory call it what you like. This is the group that users need to be a member of to auto enroll for user certificates. e.g. AutoEnrollGroup

2. Next create and link a Group Policy to your Users OU called MFA-Cert_Enrol

Edit the Group Policy and make the following changes

User Configuration/Policies/Security Settings/Public Key Policies

Enable Certificate Client Services – Auto Enrollment

Enable Renew and Update settings

3. In the same Group Policy enable Certificate Services Client – Certificate Enrollment Policy

Enable this and Active Directory settings should be automatically populated

Close Group Policy

4. Open your certificate authority and manage certificate templates. Select the USER certificate template and select duplicate template

5. Change the CA type to your oldest CA server OS. For me it was Server 2012

6. On the General Tab give the template a distinguishable name i.e. MFA Certificate and adjust the validity period as required (3 years for me)

7. On the Request Handling tab, deselect the Allow Export of the Private Key

8. Under the Security tab add the group you created in step 1 and assign the Enroll and Auto Enroll permission

9. Under Extensions select Application Policies and remove all except Client Authentication

10. Go back to your CA and on Certificate Templates, right click and choose New Certificate Template to issue

11. Select the Certificate template you created, e.g. MFA Certificate

12. Confirm you can see the certificate available in your CA

13. Assign a test user to the security group you made in step 1 and logon to a machines to check they have a certificate installed in their personal certificate store

If you have then you have done the hard part!

14. On all ADFS Servers make sure you have allowed TCP port 49443 inbound to these servers on your firewall (if you have one)

15. Open the ADFS Management Console and select Authentication Policies and then Edit Multi factor Authentication Policy

16. Select Certification Authority from the Authentication Methods. Note I am not enabling MFA at the global level because there are other Relying Party Trusts I do not want to enable MFA for

17. Select Per Relying Trust Authentication Policies and select Office 365 Identity Platform and then Edith MFA Authentication Policy

18. Under locations select Extranet

19. There should not be a need to configure anything on the WAP servers as these auto publish the ADFS rules within the system. However, ensure port 49443 is not blocked by windows firewall. Also make sure that your external facing firewall NATs 49443 to your WAP servers.

20. Test from External and you should have MFA enabled and working

Troubleshooting

If this fails, check your ADFS Event log. I experienced an error 364 which detailed that the certificate that was used failed its chain validation and that one of the CA certificates was not trusted by the ADFS server. I ensured that the CA and intermediate CA certs where in fact in the correct trusted machine stores but this did not make a difference. In my scenario it turned out that the root CA was offline and the root CA was not in the NTAUTH certificate store on the ADFS servers. To resolve this I exported the root CA cert and then applied it to the ADFS servers using the following command

certutil -enterprise -addstore "NTAuth" rootca.cer

Another issue I came across was when accessing the MFA webpage externally the connection would reset and the page no longer displayed. This turned out to be because the WAP servers had been configured with a publishing rule for ADFS. Adding an additional rule in for https://adfs.domain.com:49443 solved this issue for me.

Mark Vale

Mark is an Independent Microsoft Teams Consultant with over 15 years experience in Microsoft Technology. Mark is the founder of Commsverse, a dedicated Microsoft Teams conference and former MVP. You can follow him on twitter @UnifiedVale

www.valeconsulting.co.uk