One way SMS + OTP in Azure MFA server

Hi, how can I enable one-way SMS in Azure MFA on premise?
I have Azure MFA Server and local Active Directory. I want users to receive an OTP and enter it on the logon page instead of replying to it. How can this be done? And if it is via the SDK, can anyone explain more?
ammarhasayen

MFA Server v6.2.2 and older doesn't have one-way SMS capability. It is being added to v6.3 which is expected to release in Jan 2015. The one-way SMS will work with the ADFS Adapter, RADIUS and the User Portal. In order to work successfully with RADIUS,
the system sending the ACCESS request will need to be able to handle an ACCESS CHALLENGE response so that the user can be prompted for the OTP.

Similar Messages

  • Mobile Phone App and Azure MFA Server

    I currently have directory sync enabled between my on-premise AD environment and Azure Active Directory, and also enabled multi-factor authentication on my profile. I installed PhoneFactor on my mobile device and am able to use it to verify my identity when
    logging into my O365 OWA account.
    I recently installed and configured the Multi-Factor Authentication Server to enable RADIUS requests for VPN connections, and have successfully tested MFA using the phone call method (when I connect via VPN client, I provide credentials, and receive a call
    to verify my identity, press # and connection is accepted).
    What I am having trouble doing is using the mobile app as a method for verification. When I try to connect, I immediately receive 'Login Failed,' and there are no indications in PhoneFactor for an authentication request.
    In the MFA Server logs, I see two entries:
    No device configured for user '[email protected]'
    PfAuth failed for user '[email protected]'. Call status: SKIPPED_USER_INCOMPLETE - "User lacks information required for phone auth".
    I have read guidelines on creating a user portal within my network for self-registration, but I was hoping I could just use the Azure-provided portal.
    Anyone have any ideas why this may be happening?

    At present, the MFA Server user enrollment is completely separate from Azure AD. If you want to use the mobile app with the MFA Server, you need to install the User Portal so that users can generate activation codes and set their MFA method to mobile app.
    Also, for users to activate their mobile apps, you have to install the Mobile App Web Service, which communicates with the MFA Server via the Web Service SDK to validate the activation code generated in the User Portal. Here are links for installing the User
    Portal and Mobile App Web Service.
    https://msdn.microsoft.com/en-us/library/azure/dn394290.aspx
    https://msdn.microsoft.com/en-us/library/azure/dn394277.aspx?f=255&MSPPError=-2147217396

  • Azure MFA Server activation fails

    Hi,
    I installed the Azure MFA on my ADFS server and I can't activate it. It fails with an 'Activation fails' error.
    All the required ports are opened and I have also tried different internet connections.
    How can I troubleshoot this issue?
    Best,
    Kaido 

    https://social.msdn.microsoft.com/Forums/azure/en-US/20028f79-a4ba-4da0-9aee-287586b87362/mfa-server-activation-failed?forum=windowsazureactiveauthentication
    Now it works again.

  • Azure MFA + OTP SMS + IIS (RDWeb)

    Hi,
    We are currently deploying an Azure MFA pilot and have been asked to provide the newly released functionality of an OTP SMS instead of a user having to reply to them. We cannot get this working and we think this is due to us using IIS Authentication.
    Is there a way around this or should it work and we are doing something wrong?
    Many thanks
    Matt

    Hello Matt,
    Thanks for posting here!
    Have you installed Azure MFA on the application server?
    MFA Server Application needs to be installed on Application Server (and if you have a master MFA server installed, the MFA Server installation on your web application server needs to be configured as member of same server group)
    If you need one-way SMS then you can use the ADFS Adapter, RADIUS and the User Portal. In order to work successfully with RADIUS, the system sending the ACCESS request will need to be able to handle an ACCESS CHALLENGE response so that the user can
    be prompted for the OTP.
    Please refer to the links below; they might be helpful.
    https://msdn.microsoft.com/en-us/library/azure/dn394291.aspx
    http://dave.harris.uno/installing-and-configuring-azure-multi-factor-authentication-mfa/
    Let me know if you have any questions!
    Regards,
    Sadiqh Ahmed
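The Access-Challenge point made in this reply and in the first answer above (one-way SMS over RADIUS only works when the system sending the Access-Request can handle an Access-Challenge and prompt for the OTP), as an added example that is not part of the thread or of the MFA Server: a Python model of the RFC 2865 exchange with an in-process stand-in for the MFA Server's RADIUS listener. The user, password, shared secret, OTP and the MfaRadiusStandIn class are all constructed.

```python
import hashlib
import hmac
import os

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SECRET = b"constructed-shared-secret"  # constructed example value, not a real RADIUS secret


def hide_password(pw, req_auth, secret):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous cipher block)."""
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        out += (prev := bytes(x ^ y for x, y in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest())))
    return out


def unhide_password(hidden, req_auth, secret):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):  # (type, value) TLVs; the length byte includes its own 2-byte header
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def response(code, req, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = bytes([code, req[1]]) + (20 + len(body)).to_bytes(2, "big")
    return head + hashlib.md5(head + req[4:20] + body + SECRET).digest() + body


class MfaRadiusStandIn:
    """Constructed stand-in for the MFA Server's RADIUS listener: AD password, then OTP via Access-Challenge."""
    def __init__(self, users, otp):
        self.users, self.otp, self.pending = users, otp.encode(), {}
    def handle(self, req):
        attrs = dict(decode_attrs(req[20:]))
        user = attrs.get(USER_NAME, b"").decode(errors="replace")
        pw = unhide_password(attrs.get(USER_PASSWORD, b""), req[4:20], SECRET)
        if STATE in attrs:  # second leg: State must be one we issued; the password field carries the OTP
            ok = self.pending.pop(attrs[STATE], None) == user and hmac.compare_digest(pw, self.otp)
            return response(ACCESS_ACCEPT if ok else ACCESS_REJECT, req, [])
        if self.users.get(user, "").encode() != pw:
            return response(ACCESS_REJECT, req, [])
        state = os.urandom(8)  # opaque to the client, which must echo it unchanged
        self.pending[state] = user
        return response(ACCESS_CHALLENGE, req, [(STATE, state), (REPLY_MESSAGE, b"Enter the code sent by SMS")])


def _leg(server, ident, user, password, extra=()):
    """One Access-Request under a fresh Request Authenticator; the reply's authenticator is checked."""
    req_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, user.encode()), *extra,
                         (USER_PASSWORD, hide_password(password.encode(), req_auth, SECRET))])
    req = bytes([ACCESS_REQUEST, ident]) + (20 + len(body)).to_bytes(2, "big") + req_auth + body
    resp = server.handle(req)
    if not hmac.compare_digest(hashlib.md5(resp[:4] + req_auth + resp[20:] + SECRET).digest(), resp[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return resp


def authenticate(server, user, password, prompt):
    """Client side; prompt(message) returns the OTP the user types. Returns accept/reject/unsupported-challenge."""
    resp = _leg(server, 1, user, password)
    if resp[0] == ACCESS_CHALLENGE:
        if prompt is None:  # a client that cannot handle Access-Challenge can only report a failed logon
            return "unsupported-challenge"
        attrs = dict(decode_attrs(resp[20:]))
        resp = _leg(server, 2, user, prompt(attrs.get(REPLY_MESSAGE, b"").decode()), [(STATE, attrs[STATE])])
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(resp[0], "unexpected")
```

A RADIUS client that treats the Access-Challenge as a failure (prompt=None here) is what the user sees as a failed logon with no OTP prompt; the State attribute returned in the second leg is what lets the server tie the OTP to the first-factor request.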

  • One Way email-to-SMS

    Hi again
    In the Q12005 release, and if the setup for one-way SMS, i.e. email-to-SMS, is done and working fine, how can I make a setup so that when one userid receives an email I will send a notification to the user's mobile number with a copy of the SMS? Assuming that the mobile number for the user is stored in the directory along with the LDAP attributes? Should I develop a script to send a copy of the email to the user? But how does the script know that there is a new incoming email?

    You need an SMS Gateway to do this. Please take a look at the following examples:
    http://www.visualgsm.com/online_demo2.htm
    http://www.visualtron.com/products_addons.htm

  • User Enrollment when you have Azure MFA for Office 365/Azure AD and On-Premise resources

    I'm working on setting up MFA for our company and want to establish the following configuration:
    implement MFA for Office 365/Azure AD/organizational account
    implement MFA for a Windows Server 2008 R2 TS
    I've got things working for Azure AD and have installed the Azure MFA Server on a DC. Where I'm getting stuck is that it looks like you have to set up a user enrollment portal internally and have the users enroll a second time. We're using Azure
    AD Sync between AD and Azure AD, but we are not interested in ADFS. Is there any way to use the existing Azure AD enrollment for the internal users' authentication?
    take care,
    Wylie 

    Not at this time. The MFA Server is currently independent of Azure AD, so the MFA enrollment for users is separate. We are working to converge the on-premises and cloud scenarios to make a single enrollment possible for both locations. I don't have a timeline
    to announce at this time, but it is in the works.

  • How do I set up Azure Sql Server to have multiple instances?

    Hi all;
    We are setting up a new SAAS application on Azure and while we have used Azure before, not at this level of multiple apps, etc.
    We plan to have both a web app and a cloud app in both a US and EU data center. They need to hit a common database because requests will go to the closest data center via traffic manager and a lot of the data works off of the customer table. And a customer
    (company) can have users in both the U.S. and E.U.
    Is there a way to set up Azure Sql Server so it has instances in both data centers, and Azure keeps them synchronized? If I understand sharding right, that is not what we need as someone hitting either data center could be requesting any of the data in the
    DB.
    thanks - dave

    Hi,
    As far as I am aware, when you set the webapp/cloudapp to connect to a database you will have to specify the connection string in the app. The app will hit the database which is mentioned in the connection string you have specified. So it is not automatic
    or Traffic Manager. You have full control over it, as you can tell your app to connect to whichever database you want. The database could be located in any region; however, you have to keep latency in mind, as the app in the US datacenter could be calling the database
    in the EU, if that is the way it is set up.
    You can have separate databases in each region and use Azure Data Sync
    to have the database synchronized, however please keep in mind that Azure Data Sync is in Preview.
    Regards,
    Mekh.

  • One way trust relationship between different domain windows server 2012 in different forest

    I'd like to build the trust correctly between the domains A.local and B.int. A.local is on Windows 2012. B.int is on Windows 2012. Both machines are
    connected to the same LAN. The forest level in A.local
    is Windows Server 2008 and the forest level in B.int
    is Windows Server 2012.
    I want a one-way trust relationship, i.e. users from A.local gain access to B.local.
    My problem is that I create the trust, but when I go to validate the trust between A.Local and B.int it gives me this error:
     The secure channel (SC) reset on Active Directory Domain Controller \\dc2.B.int of domain B.int to domain A.Local failed with error: There are currently no logon servers available to service the logon request.
    NOTE: Recently I
    upgraded the Active Directory from 2008 R2 to 2012, and I can ping from A.local to B.int
    by name and IP, but from B.int ping works by IP only.
    ihab

    Hi,
    Yes, I already did the setup of conditional forwarding between the 2 domains, and
    the firewall is off.
    ihab

  • One way replication from MS sql server to Oracle 10g

    Hi,
    We are using Sql server 2005 windows 2003 32 bit and Oracle 10g 10.2.0.3 on linux 64 bit
    Is it possible to replicate table data in real time from SQL Server (2005 32 bit or SQL Server 2000 32 bit) to Oracle 10g running on Linux 64 bit?
    If yes then what are the steps.
    It will be one way replication from sql server to oracle.
    Which option is best sql server dts or Oracle Stream replication to replicate table data?
    Regards,

    If you want to push data from SqlServer, then ODBC, Linked tables, DTS etc.
    If you want to pull data from Oracle, then Heterogeneous Services / Gateway.

  • Can AD object attributes be modified on Azure Active Directory when using DirSync for one way synchronization?

    An organization with on premise AD is deploying Office 365. We plan to use DirSync to replicate (no passwords) internal users
    with Azure AD for users to login and will use a third party FIM solution.
    What I'm wondering is though this synchronization is one way (except a couple of fields - no passwords):
    Can an authorized user change attributes of a synched AD object directly on Azure AD?
    If yes, how would such a change be handled during the next synchronization operation?
    Would the value be overwritten to the one in source of truth on premise AD
    Would the value be ignored since there was no ‘change’ in the value at the source of truth on premise AD system?
    Prompt responses would be much appreciated!
    Thanks

    Hi Mike, 
    Thank you for your response. I understand that the master is the on-premise AD. Let me rephrase my question.
    As part of object synchronization, an object X with its 50 attributes is synchronized to Azure AD.
    Is there any way for an administrator/other role to access and modify any attribute of the synchronized object on Azure AD directly. I understand
    that re-synchronization schedule
    is every 4 hours and at the time of such a synchronization the modified values (if any) will be overwritten restoring 'order'.

  • Secure RD Web Access with Azure MFA

    We are keen to deploy RD Web Access for external users but can't find any guidance on securing it with Multi-Factor Authentication (MFA - formerly PhoneFactor).
    We currently use MFA with our RD Gateway for users who connect directly to VMs via RDP but want to give other users access to RemoteApps via RD Web Access with the same two factor authentication.
    Cheers for now
    Russell

    Hi,
    Thank you for posting in Windows Server Forum.
    I am afraid that there is still no direct MFA for RD Web; you need to log in through RD Gateway, which can be accessed as follows. A Remote Desktop login request to RD Gateway that includes Azure MFA looks like this:
    1. User logs into RD Web Access and double clicks a RemoteApp (or desktop connection)
    2. The user's login credentials for the website are used to validate the user (Web SSO), so no need to give them again.
    3. The user then gets an SMS text message on their smart device that provides them a 6 digit numeric code (the one-time password).
    4. The user replies to the text message by inputting this 6 digit code and adding their unique pre-defined PIN to the end of the sequence – Azure MFA includes the option to require the user know a predefined unique PIN as well, so that replies to a text message
    have to come from the user.
    5. The user is authenticated, and the RemoteApp (or desktop connection) opens.
    More information.
    Step By Step – Using Windows Server 2012 R2 RD Gateway with Azure Multifactor Authentication
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support
    Dharmesh,
    I owe you an apology, I'd forgotten that when you access RD Web Access you're only downloading an RDP file which then uses the RD Gateway to connect the client to the RemoteApp. If we already have the RD Gateway in place and configured with MFA this will
    produce the required result.
    Sorry
    Russell

  • Alternatives for one-way pager?

    Hi,
    This is not a question about a programming problem, but more about directions to search for. Hope you don't mind.
    At my company we use pagers to get informed about states of systems we monitor. Sending a pager message costs money. I am asked to look at how much time I would need to develop an alternative for the pager system.
    Before starting to think about time to develop, I would like to spend some time to research alternatives to the pager system. The advantage of a one-way pager is that the pager keeps on beeping until the user acknowledges the message. The company we use to send out the pager messages guarantees the pager messages are received by the recipient. The disadvantage is that no read receipt is sent back to the server. So if the pager is turned off you will never know whether the message is received.
    Alternatives for the pager system are:
    1. Logging in to a server from a Midlet and regularly polling this server for information that otherwise would have been sent to the pager. When such information is available, signal the user acoustically until (s)he acknowledges receipt of the information (like the nagging the pager does);
    2. Send an SMS with a read-confirmation request. When the recipient reads the SMS containing the information, send an SMS back to the server;
    Both methods send a notify/read receipt back to a central server so you know the message is received. When such a notification is not received, a message to the pager could be sent anyway.
    So, my question is, do you know any other alternatives?
    Abel

    Hi tarkin,
    iChat needs to be talking to another iChat 3 user.
    They have to be displaying a Stacked Video icon to you in the Buddy list.
    12:45 PM Friday; June 16, 2006

  • Configure one way outbound hybrid search

    I have been trying to configure one way outbound hybrid search but in the process getting no search results from SharePoint Online.
    I have created a SharePoint Farm on windows azure. I have installed Active Directory on one server which will act as my domain controller. I have one DB server and one SharePoint server. Besides this I have created another server which I have used for Synchronization
    purpose. I have used Azure Active Directory Connect to sync my users to SharePoint Online. 
    As far as the syncing part is concerned, I have been able to do the same. 
    Now, for configuring one way outbound search, I have followed the steps like
    1. Creating self signed certificate and replacing the STS certificate on my SharePoint server.
    2. Configured S2S authentication using PowerShell.
    3. Necessary services are up and running.
    4. Result Source and Query Rule for SPO.
    I can see the ACS trust established in the Central Admin. 
    Also I have verified that the UPN is same.
    When I create the Result Source, (used protocol as Remote with SPO url) I don't see the SPO results. Although if i test the connection, it comes as successful.
    I can just see SharePoint on-premise results.
    Below are the links that I have referred in setting up my environment
    http://blogs.msdn.com/b/spses/archive/2013/10/22/office-365-configure-hybrid-search-with-directory-synchronization.aspx
    http://blogs.technet.com/b/wbaer/archive/2014/03/24/one-way-outbound-hybrid-search-step-by-step-and-onedrive-for-business.aspx
    https://technet.microsoft.com/en-us/library/dn607305.aspx
    https://technet.microsoft.com/en-us/library/dn197169(v=office.15).aspx
    http://sharepointconnoisseur.blogspot.in/2015/01/ultimate-procedure-to-display.html
    Any inputs in this regard would be really helpful! Thanks,
    Geetanjali

    Hi Geetanjali,
    Based on your description, I recommend verifying the things below:
    Check if the web application is configured to use Integrated Windows authentication with NTLM as the authentication type on the SharePoint server.
    Check if the testing account for doing search is a federated user account.
    https://technet.microsoft.com/en-us/library/dn607319.aspx
    Thanks,
    Victoria
    Forum Support

  • SCCM 2012 R2 cross forest with one-way trust feasible?

    We are planning to replace our existing SMS 2003 server with SCCM 2012 R2 (running on Windows server 2012 R2).
    Our requirements are to support our Windows 7 client PCs in Domain A and also support Xen Desktop clients in a separate domain (Domain B) and forest. We have a one-way trust established (Domain B trusts Domain A). The SCCM 2012 R2 server will be
    in Domain A the same as our current SMS 2003 server.
    What we want to do, at a minimum, using SCCM is:
    Client inventory (hardware, software, user) and package distribution.
    Is this doable or a no go? If not directly, is there any work-around for this? Appreciate any helpful advice or feedback.
    I have made the below diagram to better illustrate the scenario:
    Note: Domain B does not have WINS implemented (Domain A does). Both domains are running DNS of course.

    Hi,
    The following blog describes the technical requirements that have been put in place for the support of cross forest communication. You could have a look.
    Quote:
    Inner-site Communication (site to site communication) exists in the form of both File Based Replication (SMB Port 445) and Database Replication (TCP/IP port 4022 by default).
    In order to install and configure a child site (primary or secondary), the child site server must be located in the same forest as the parent site or reside in a forest that contains a
    two way trust with the forest of the parent (CAS or primary).
    Site System Roles (MP, DP, etc.) with the exception of the Out of Band Service Point and the Application Catalog Web Service Point can be deployed in an untrusted forest.
    The SLP functionality as known in ConfigMgr 2007 is now performed by a Management Point. In this blog I will refer to this as the Lookup Management Point.
    Most of these items were taken from this TechNet article – please refer to the article for more information -
    Planning for Communications in Configuration Manager .
    For more information:
    http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
    Best Regards,
    Joyce
    Thank you for your reply. The below appears to make it seem as though this can be accomplished without requiring a trust:
    http://blog.coretech.dk/kea/multi-forest-support-in-configmgr-2012-part-i-managing-clients-in-an-untrusted-forest/#comment-284522
    Not sure which is correct...

  • Redundant Azure MFA on-premise - second RADIUS proxy keeps shutting down

    Are the MFA replicas meant to be full-service nodes (capable of handling authentications while replicating from the master)?   
    My second Azure MFA instance replicates just fine but it stops the RADIUS proxy service a few minutes after I manually restart the service.   This stop seems to be happening after each replication.
    From the MultiFactorAuthRadiusSvc.log file
    2014-10-07T21:00:54.581716Z|0|1956|3764|pfradsvc|RadProxy Constructing PfSvcClient...
    2014-10-07T21:00:54.581716Z|0|1956|3764|pfradsvc|RadProxy PfSvcClient constructed successfully.
    2014-10-07T21:00:54.581716Z|w|1956|3764|pfradsvc|Calling RadProxy main().
    2014-10-07T21:00:54.581716Z|0|1956|3500|pfradsvc|Config polling thread entry.
    2014-10-07T21:00:54.581716Z|w|1956|3500|pfradsvc|Calling config polling main().
    2014-10-07T21:03:01.191901Z|i|1956|3004|pfradsvc|handlerEx: SERVICE_CONTROL_STOP
    2014-10-07T21:03:01.191901Z|i|1956|3232|pfradsvc|Shutting down.
    2014-10-07T21:03:01.191901Z|0|1956|3232|pfrad|Shutdown.
    From the MultiFactorAuthSvc.log
    2014-10-07T21:03:01.176275Z|0|1120|2052|slave|Received 573440 bytes in 0.265622 s.
    2014-10-07T21:03:01.176275Z|0|1120|2052|slave|Implying a 17.271 Mbps lower bound for channel bandwidth.
    2014-10-07T21:03:01.176275Z|i|1120|2052|slave|Txns writtenTsn = 24896.
    2014-10-07T21:03:01.176275Z|i|1120|2052|slave|Txns complete = true.
    2014-10-07T21:03:01.176275Z|i|1120|2052|slave|Txns pbvi = 0x0000000001DD0000.
    2014-10-07T21:03:01.176275Z|i|1120|2052|slave|replace_current_amdf new = 'C:\Program Files\Multi-Factor Authentication Server\Data\PhoneFactor.pfdata_n_8859344C.tmp'.
    2014-10-07T21:03:01.176275Z|i|1120|2052|slave|replace_current_amdf old = 'C:\Program Files\Multi-Factor Authentication Server\Data\PhoneFactor.pfdata_o_8859344C.tmp'.
    2014-10-07T21:03:01.176275Z|i|1120|2052|slave|replace_current_amdf new - 573440 bytes.
    2014-10-07T21:03:01.176275Z|0|1120|2052|slave|Flushed.
    2014-10-07T21:03:01.176275Z|0|1120|2052|slave|Loading update.
    2014-10-07T21:03:01.176275Z|0|1120|2052|SDF,persist|SDF_NTB() entry.
    2014-10-07T21:03:01.176275Z|0|1120|2052|SDF,persist|fileVersion = 0x00000015 = 21
    2014-10-07T21:03:01.176275Z|0|1120|2052|SDF,persist|minReaderVer = 0x00000015 = 21
    2014-10-07T21:03:01.176275Z|0|1120|2052|SDF,persist|minModifierVer = 0x00000015 = 21
    2014-10-07T21:03:01.176275Z|0|1120|2052|SDF,persist|offsetFirstSbBegin = 0x0000000000000400 = 1024
    2014-10-07T21:03:01.176275Z|0|1120|2052|SDF,persist|offsetLastSbEnd = 0x000000000008C000 = 573440
    2014-10-07T21:03:01.176275Z|0|1120|2052|SDF,persist|tsnNext = 0x0000000000006141 = 24897
    2014-10-07T21:03:01.176275Z|0|1120|2052|SDF,persist|tsnWritten = 0x0000000000006140 = 24896
    2014-10-07T21:03:01.176275Z|0|1120|2052|SDF,persist|tsnFlushReqd = 0x0000000000006140 = 24896
    2014-10-07T21:03:01.176275Z|0|1120|2052|SDF,persist|tsnFlushed = 0x000000000000613E = 24894
    2014-10-07T21:03:01.176275Z|0|1120|2052|SDF,persist|SDF_NTB() exit.
    2014-10-07T21:03:01.176275Z|0|1120|2052|SDF,persist|Loading SDF content . . .
    2014-10-07T21:03:01.191901Z|0|1120|2052|SDF,persist|SDF content loaded, 0.015626 s.
    2014-10-07T21:03:01.191901Z|0|1120|2052|slave|Update loaded.
    2014-10-07T21:03:01.191901Z|0|1120|2052|slave|Moving 'C:\Program Files\Multi-Factor Authentication Server\Data\PhoneFactor.pfdata' to 'C:\Program Files\Multi-Factor Authentication Server\Data\PhoneFactor.pfdata_o_8859344C.tmp'.
    2014-10-07T21:03:01.191901Z|0|1120|2052|slave|Moving 'C:\Program Files\Multi-Factor Authentication Server\Data\PhoneFactor.pfdata_n_8859344C.tmp' to 'C:\Program Files\Multi-Factor Authentication Server\Data\PhoneFactor.pfdata'.
    2014-10-07T21:03:01.191901Z|i|1120|2052|pfsvc|Attempting to stop 'MultiFactorAuthRadiusSvc' service.
    2014-10-07T21:03:01.191901Z|i|1120|2052|pfsvc|Requested stop of 'MultiFactorAuthRadiusSvc' service.

    I found the issue, one must enable the replica servers to act as RADIUS proxies.   Additional MFA servers are not enabled for RADIUS automatically (even if the master is).
