ExternalAuthenticationHandler.Process() exception: System.Net.WebException: The request failed with HTTP status 405: Method Not Allowed

It’s turning into a month of school-boy/layer-8 issues.  Evidently I need to slow down!

Scenario

You are integrating Windows Server 2012 R2 Active Directory Federation Services (AD FS), a.k.a. AD FS 3.0, with an on-premises Azure Multi-Factor Authentication (MFA) Server.  The Azure MFA Server is a separate server to AD FS and you have successfully verified that the Azure MFA SDK web service is correctly installed and operational.

You have installed the Azure MFA AD FS agent on each of your Federation Service (FS) servers and registered the secondary authentication provider.

Issue

When you invoke MFA, authentication fails and the following error is logged in the AD FS tracing event log.

ExternalAuthenticationHandler.Process() exception: System.Net.WebException: The request failed with HTTP status 405: Method Not Allowed.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at pfadfs.pfwssdk.PfWsSdk.CanonicalizeUser(String username, String& canonicalUsername, Error& error)
   at pfadfs.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.IsAvailableForUser(Claim identityClaim, IAuthenticationContext authContext)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
Identifier: WindowsAzureMultiFactorAuthentication, ContextId: b1f69385-e8d9-4fae-82c4-09234a5e5294

The Azure MFA adapter configuration file is as follows (for simplicity I’m using a username and password; I imagine you’ll be using a certificate, but it’s unimportant for this particular issue):

<ConfigurationData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <UseWebServiceSdk>true</UseWebServiceSdk>
    <WebServiceSdkUrl>https://mfa.abstractsynapse.com/MultiFactorAuthWebServiceSdk</WebServiceSdkUrl>
    <WebServiceSdkUsername>EMEA\svc-amfa</WebServiceSdkUsername>
    <WebServiceSdkPassword>YourPasswordGoesHere</WebServiceSdkPassword>
    <WebServiceSdkCertificateThumbprint></WebServiceSdkCertificateThumbprint>
</ConfigurationData>

Resolution

Enter the Web Service SDK URL correctly!

You must remember to include pfwssdk.asmx in the WebServiceSdkUrl element, e.g.

<WebServiceSdkUrl>https://mfa.abstractsynapse.com/MultiFactorAuthWebServiceSdk/pfwssdk.asmx</WebServiceSdkUrl>

Important.

If you change the configuration you must unregister the adapter and register it again. Bouncing the service won’t pick up the change, because the configuration is written into the AD FS configuration database during registration only.
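
Because the configuration is only read at registration, it is worth checking the file before you register. The PowerShell below is an added example, not part of the original post or of the Azure MFA Server tooling: Test-MfaAdapterConfig is a hypothetical helper name, and the sample XML is constructed from the configuration shown above.

```powershell
# Added example: lint the adapter configuration before (re-)registering it.
# Test-MfaAdapterConfig is a hypothetical helper, not an AD FS or Azure MFA cmdlet.
function Test-MfaAdapterConfig {
    param([Parameter(Mandatory)][xml]$Config)

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $data = $Config.ConfigurationData
    if ("$($data.UseWebServiceSdk)".Trim() -ne 'true') { return $findings }

    $url = "$($data.WebServiceSdkUrl)".Trim()
    $uri = $null
    if (-not [System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) {
        $findings.Add("WebServiceSdkUrl is not an absolute URL: '$url'")
        return $findings
    }
    if ($uri.Scheme -ne 'https') {
        $findings.Add("WebServiceSdkUrl uses '$($uri.Scheme)': SDK credentials would travel unencrypted")
    }
    # The SOAP endpoint is the .asmx page itself; without it AD FS logs the HTTP 405.
    if ($uri.AbsolutePath.TrimEnd('/') -notlike '*/pfwssdk.asmx') {
        $findings.Add("WebServiceSdkUrl path '$($uri.AbsolutePath)' must end in /pfwssdk.asmx")
    }
    # The adapter authenticates with a certificate thumbprint or a username/password.
    $hasCert = -not [string]::IsNullOrWhiteSpace($data.WebServiceSdkCertificateThumbprint)
    $hasPwd  = -not [string]::IsNullOrWhiteSpace($data.WebServiceSdkUsername) -and
               -not [string]::IsNullOrWhiteSpace($data.WebServiceSdkPassword)
    if (-not ($hasCert -or $hasPwd)) {
        $findings.Add('No SDK credentials: set a certificate thumbprint or a username and password')
    } elseif (-not $hasCert) {
        $findings.Add('Password is stored in clear text in this file: restrict who can read it')
    }
    return $findings
}

# Constructed sample input: the configuration from this post with the URL as a parameter.
$template = @'
<ConfigurationData>
    <UseWebServiceSdk>true</UseWebServiceSdk>
    <WebServiceSdkUrl>{0}</WebServiceSdkUrl>
    <WebServiceSdkUsername>EMEA\svc-amfa</WebServiceSdkUsername>
    <WebServiceSdkPassword>YourPasswordGoesHere</WebServiceSdkPassword>
    <WebServiceSdkCertificateThumbprint></WebServiceSdkCertificateThumbprint>
</ConfigurationData>
'@
foreach ($url in 'https://mfa.abstractsynapse.com/MultiFactorAuthWebServiceSdk',
                 'https://mfa.abstractsynapse.com/MultiFactorAuthWebServiceSdk/pfwssdk.asmx') {
    $result = @(Test-MfaAdapterConfig -Config ([xml]($template -f $url)))
    "{0}`n  {1}" -f $url, ($result -join "`n  ")
}
```

To check a real file, load it with Get-Content -Raw, cast the result to [xml] and pass it as -Config.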

More information

If you do bounce the service while /pfwssdk.asmx is missing from the <WebServiceSdkUrl> value, you will notice the configuration problem, because AD FS logs the following event:

Event ID: 105.
Source: AD FS.
Description: An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Identifier: WindowsAzureMultiFactorAuthentication
Context: Proxy TLS pipeline

About Paul Williams

IT consultant working for Microsoft specialising in Identity Management and Directory Services.