Symptoms
Multi-Factor Authentication (MFA) fallback authentication fails through the Active Directory Federation Services (ADFS) Proxy.
Cause
This issue occurs because of a hard-coded time-out limit in ADFS proxy code. When the time-out occurs, you are prevented from accessing applications.
Resolution
To fix this issue, install the May 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (KB3156418).
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More Information
Configuring time-out example
The following example uses Windows Management Instrumentation (WMI) to update the time-out.
Run the commands in an elevated PowerShell session on the proxy computer:
$x = Get-WmiObject -Class ProxyService -Namespace root/ADFS
$x.CongestionControlConnectionTimeout = 300
$x.Put()
The example sets the time-out to 300 seconds (5 minutes). The new value is reflected in C:\windows\adfs\Config\microsoft.proxyservice.config.txt.
Note: Always configure connectionTimeoutInSec in C:\windows\adfs\Config\microsoft.proxyservice.config.txt by using WMI as explained above. We don't recommend that you configure connectionTimeoutInSec manually.
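The WMI update above with the checks an operator would want around it, as an added example that is not part of the original article: it confirms the session is elevated, re-reads the value after Put(), and reports whether connectionTimeoutInSec now appears in the config file. The function names and the positive-value check are assumptions; the WMI class, namespace, property and file path are the ones given in this article.

```powershell
# Added example (not Microsoft's code). Run on the ADFS proxy computer.
# Helper names are hypothetical; class, namespace, property and path come from this article.
$ConfigPath = 'C:\windows\adfs\Config\microsoft.proxyservice.config.txt'

function Test-Elevated {
    # True when the current session runs with administrator rights.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-ProxyConnectionTimeout {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, [int]::MaxValue)]   # assumption: only positive values make sense
        [int]$Seconds
    )

    if (-not (Test-Elevated)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # Read the current setting, change it, and persist it through WMI.
    $svc = Get-WmiObject -Class ProxyService -Namespace root/ADFS -ErrorAction Stop
    $previous = $svc.CongestionControlConnectionTimeout
    $svc.CongestionControlConnectionTimeout = $Seconds
    $svc.Put() | Out-Null

    # Re-read from WMI so a silently rejected write is caught here.
    $check = Get-WmiObject -Class ProxyService -Namespace root/ADFS -ErrorAction Stop
    if ($check.CongestionControlConnectionTimeout -ne $Seconds) {
        throw "Time-out is $($check.CongestionControlConnectionTimeout), expected $Seconds."
    }

    # Confirm the value reached the config file (plain text match, no edit to the file).
    $inFile = (Test-Path -LiteralPath $ConfigPath) -and
        [bool](Select-String -LiteralPath $ConfigPath -Pattern 'connectionTimeoutInSec' -SimpleMatch -Quiet)

    [pscustomobject]@{
        PreviousSeconds      = $previous
        CurrentSeconds       = $check.CongestionControlConnectionTimeout
        PropertyInConfigFile = $inFile
    }
}

# 300 seconds (5 minutes), the value used in this article.
Set-ProxyConnectionTimeout -Seconds 300
```

Record the PropertyInConfigFile result: when it is True, the property is present in the file and is the entry that matters if the update is later uninstalled.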
Uninstallation information
If you uninstall the package, the time-out settings are still in the file. Therefore, when you restart the proxy service, it fails, stating that connectionTimeoutInSec (previous entry) is unknown. To fix this, manually remove the connectionTimeoutInSec property from the config file.
References
Learn about the terminology that Microsoft uses to describe software updates.