Using RADIUS with AD FS MFA

Active Directory Federation Services, AD-FS, is the de facto identity provider in a Microsoft environment. Many organizations will be using it to authenticate Office 365 users to an on-premise Active Directory. Support amongst cloud service providers is growing, allowing you to authenticate not just O365 users but users of a variety of business applications.

In certain circumstances, you may want to require multi-factor authentication (MFA). Out of the box, AD-FS only provides support for X.509 certificates. Thankfully there’s the concept of Authentication Adapters, allowing you to develop your own MFA plug-in. I’ve developed a quick RADIUS plugin that prompts users to enter a one-time PIN and sends the response to a RADIUS server, along with the account’s userPrincipalName, for validation.
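The exchange the adapter performs, as an added example that is not part of the plugin’s or Radius.Net’s code: building the RFC 2865 Access-Request that carries the userPrincipalName and the one-time PIN, and checking the Response Authenticator on the reply so that a spoofed Access-Accept cannot satisfy the MFA step. It assumes PAP-style User-Password hiding (the post does not say which RADIUS method the plugin drives Radius.Net with), and the shared secret and user below are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def hide_password(secret, authenticator, password):
    # RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(secret, authenticator, hidden):
    # inverse of hide_password, as the RADIUS server (e.g. NPS) performs it before checking the PIN
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # a numeric PIN never ends in NUL, so stripping the padding is safe

def attribute(attr_type, value):
    # RADIUS attribute TLV: type, total length (including the 2 header octets), value
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, upn, otp, identifier=0, authenticator=None):
    # Code, Identifier, Length, 16-byte Request Authenticator, then the attributes
    authenticator = authenticator or os.urandom(16)  # fresh per request; also seeds the password hiding
    attrs = attribute(ATTR_USER_NAME, upn.encode()) + attribute(
        ATTR_USER_PASSWORD, hide_password(secret, authenticator, otp.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(secret, request_authenticator, response):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()

def verify_response(secret, request_authenticator, response):
    # the client must check this before trusting an Access-Accept; otherwise a forged reply passes MFA
    return response_authenticator(secret, request_authenticator, response) == response[4:20]
```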

RADIUS Authentication Adapter

The software is open-source and licensed under the GPL and relies on the excellent Radius.Net library.

Download

I strongly recommend compiling your own version rather than downloading a DLL and installing it into your AD FS servers. If you’re comfortable with the risks of that, you can download it from the links below.

Download Sourcecode (C#, 4.5)
Download Binaries (Version 1.0).

Installation

The below instructions cover installation into AD FS and make no attempt to document any RADIUS/NPS configuration.

  1. Extract the zip file to a convenient location and open install.ps1 in your favorite editor;
  2. Amend the variables in install.ps1 to match your RADIUS server, shared key and any ports needed;
  3. From an elevated PowerShell prompt, run install.ps1;
  4. Restart the AD FS service to complete registration;
  5. If you have multiple AD FS servers in your farm, repeat the process on each but press CTRL-C when prompted to register the authentication adapter.

DCDiag error after upgrading to DFS-R

After switching a domain to use DFS-R rather than FRS for SYSVOL replication, you may experience the following error when running dcdiag.exe:

      Starting test: VerifyReferences
         Some objects relating to the DC LONDON have problems:
            [1] Problem: Missing Expected Value
             Base Object:
            CN=LONDON,OU=UK,OU=Domain Controllers,DC=nwtraders,DC=msft
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862
 
         ......................... LONDON failed test VerifyReferences

DFS-R replication of the SYSVOL replication group looks to be otherwise healthy.

This error is caused by some poor logic in dcdiag.exe when the domain controllers have been moved out of the default “Domain Controllers” OU. If you move the domain controllers back to the default “Domain Controllers” OU the error will disappear. However, leaving them where they are is likely to cause no problems, other than giving you a dcdiag.exe error.

Microsoft plan to fix this in Windows Server 2012.

Replication errors after adding a 2008 R2 DC

I was recently working on adding some 2008 R2 DCs to a 2003-only AD environment as part of a wider plan to upgrade them all in the next 12 months or so. As soon as I added the first DC I noticed something was up: replication wasn’t working. The Event log on the new 2008 R2 DC was filled with Event ID 1645:

Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.

Destination directory server:

vvvvvvvv-wwww-xxxx-yyyy-zzzzzzzzzzzz._msdcs.domain.com

SPN:

aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/vvvvvvvv-wwww-xxxx-yyyy-zzzzzzzzzzzz/domain.com@domain.com

User Action

Verify that the names of the destination directory server and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination directory server has been recently promoted, it will be necessary for the local directory server’s account data to replicate to the KDC before this directory server can be authenticated.
