MFA fallback authentication fails through ADFS Proxy in Windows Server 2012 R2

Symptoms

Multi-Factor Authentication (MFA) fallback authentication fails through the Active Directory Federation Services (ADFS) Proxy.

Cause

This issue occurs because of a hard-coded time-out limit in ADFS proxy code. When the time-out occurs, you are prevented from accessing applications.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

Configuring time-out example

The following example uses Windows Management Instrumentation (WMI) to update the time-out:
  • Run the commands that update the time-out in an elevated PowerShell session on the proxy computer. The steps are as follows:
    $x=Get-WmiObject -class ProxyService -namespace root/ADFS
    $x.CongestionControlConnectionTimeout=300
    $x.put()
  • The example sets the time-out to 300 seconds (5 minutes). The new value is reflected in C:\windows\adfs\Config\microsoft.proxyservice.config.txt.
Note: Always configure connectionTimeoutInSec in C:\windows\adfs\Config\microsoft.proxyservice.config.txt by using WMI as explained above. We don't recommend that you configure connectionTimeoutInSec manually.
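
The following script is an added example, not part of the original article or Microsoft's own code. It wraps the WMI steps above with an elevation check and a read-back verification. The function name, its parameter, and the range bounds are assumptions; the WMI class, namespace, property, and config file path are the ones given in this article.

```powershell
# Added example: set the ADFS proxy time-out through WMI and verify the result.
# Set-AdfsProxyConnectionTimeout and -Seconds are hypothetical names.
function Set-AdfsProxyConnectionTimeout {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 86400)]   # assumed sanity bounds, not a documented limit
        [int]$Seconds
    )

    # The article requires an elevated session on the proxy computer.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # Record the old value so the change can be logged or rolled back.
    $proxy    = Get-WmiObject -Class ProxyService -Namespace root/ADFS -ErrorAction Stop
    $previous = $proxy.CongestionControlConnectionTimeout

    $proxy.CongestionControlConnectionTimeout = $Seconds
    $null = $proxy.Put()

    # Re-query WMI instead of trusting the in-memory object.
    $current = (Get-WmiObject -Class ProxyService -Namespace root/ADFS -ErrorAction Stop).CongestionControlConnectionTimeout
    if ($current -ne $Seconds) {
        throw "WMI still reports $current seconds; expected $Seconds."
    }

    # The article states the value is reflected in this file as connectionTimeoutInSec.
    $configPath = 'C:\windows\adfs\Config\microsoft.proxyservice.config.txt'
    $inFile = Select-String -Path $configPath -Pattern 'connectionTimeoutInSec' -Quiet -ErrorAction SilentlyContinue

    [pscustomobject]@{
        PreviousSeconds = $previous
        CurrentSeconds  = $current
        FoundInConfig   = [bool]$inFile
    }
}

# Same value as the article's example: 300 seconds (5 minutes).
Set-AdfsProxyConnectionTimeout -Seconds 300
```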

Uninstallation information

If you uninstall the package, the time-out settings remain in the file. Therefore, when you restart the proxy service, it fails, stating that connectionTimeoutInSec (the previous entry) is unknown. To fix this, manually remove the connectionTimeoutInSec property from the config file.

References

Learn about the terminology that Microsoft uses to describe software updates.
Properties

Article ID: 3148533 - Last review: May 17, 2016 - Revision: 1
