Multi-Factor Authentication (MFA) fallback authentication fails through the Active Directory Federation Services (ADFS) Proxy.
This issue occurs because of a hard-coded time-out limit in the ADFS proxy code. When the time-out occurs, you are prevented from accessing applications.
To fix this issue, install the May 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (KB3156418).
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Configuring time-out example
The following example updates the time-out by using Windows Management Instrumentation (WMI).
Run the commands that update the time-out in an elevated PowerShell session on the proxy computer. The steps are as follows:
$x=Get-WmiObject -class ProxyService -namespace root/ADFS
The example sets the time-out to 300 seconds (5 minutes). The value is reflected in C:\windows\adfs\Config\microsoft.proxyservice.config.txt.
Note: Always configure connectionTimeoutInSec in C:\windows\adfs\Config\microsoft.proxyservice.config.txt by using WMI as explained above. We don't recommend that you configure connectionTimeoutInSec manually.
If you uninstall the package, the time-out setting remains in the file. Therefore, when you restart the proxy service, it fails and reports that connectionTimeoutInSec (the previous entry) is unknown. To fix this, manually remove the connectionTimeoutInSec property from the config file.
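The procedure and the uninstall caveat above, carried through as an added PowerShell example that is not part of the original article. It assumes the WMI ProxyService object exposes the setting under the same name as the config key (ConnectionTimeoutInSec) and that a single ProxyService instance exists; it only reads the config file and never edits it.

```powershell
# Added example: set and verify the ADFS proxy connection time-out through WMI.
# Run in an elevated PowerShell session on the proxy computer.
$timeoutSec = 300          # value used in the article's example (5 minutes)
$updateId   = 'KB3156418'  # update rollup named in the article
$configPath = 'C:\windows\adfs\Config\microsoft.proxyservice.config.txt'  # path as given in the article

# Is the update present, and does the config file already carry the key?
$update   = Get-HotFix -Id $updateId -ErrorAction SilentlyContinue
$inConfig = (Test-Path $configPath) -and
            [bool](Select-String -Path $configPath -Pattern 'connectionTimeoutInSec' -Quiet)

if (-not $update) {
    if ($inConfig) {
        # The uninstall case from the article: a leftover key stops the proxy service from starting.
        Write-Warning "connectionTimeoutInSec is still in $configPath but $updateId is not installed. Remove the property manually before you restart the proxy service."
    }
    throw "$updateId is not installed; the time-out cannot be configured."
}

$proxy = Get-WmiObject -Class ProxyService -Namespace root/ADFS
if (-not $proxy) { throw 'No ProxyService instance found in root/ADFS.' }

# Assumption: the WMI property has the same name as the config key.
if (-not $proxy.PSObject.Properties['ConnectionTimeoutInSec']) {
    throw 'ProxyService does not expose ConnectionTimeoutInSec.'
}

Write-Output "Current time-out: $($proxy.ConnectionTimeoutInSec) seconds"
$proxy.ConnectionTimeoutInSec = $timeoutSec
$null = $proxy.Put()       # commit the change through WMI, not by editing the file

# Read the value back from WMI and confirm that it reached the config file.
$check = Get-WmiObject -Class ProxyService -Namespace root/ADFS
if ($check.ConnectionTimeoutInSec -ne $timeoutSec) {
    throw "Time-out is $($check.ConnectionTimeoutInSec), expected $timeoutSec."
}
Select-String -Path $configPath -Pattern 'connectionTimeoutInSec' |
    ForEach-Object { Write-Output "Config line $($_.LineNumber): $($_.Line.Trim())" }
```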