When you’re setting up Microsoft Azure Multi-factor Authentication (Azure MFA) in a setup involving the on-premises MFA Server, and want to use the User portal for registration, you might encounter an error that makes the portal unusable.
Luckily, there’s a solution.
On an on-premises Windows Server installation with the Azure Multi-factor Authentication Server installed, you install the MFA User Portal using MultiFactorAuthenticationUserPortalSetup64.msi from the folder in which the MFA Server is installed (C:\Program Files\Multi-Factor Authentication Server by default) or by using the Install User Portal button in the Graphical User Interface (GUI) of the MFA Server.
The user portal allows employees in the organization to change their preferred second authentication factor. Via the portal they can also activate the Multi-Factor Auth mobile app as their preferred second authentication factor and deactivate activation of lost, stolen or replaced mobile devices, if your policies allow this.
After successful installation and configuration, you visit the User Portal from a browser using /MultiFactorAuth”>/MultiFactorAuth”>https://<hostname>/MultiFactorAuth.
On the login page, you are confronted with a red line stating:
Error communicating with the local Multi-Factor Authentication service. Please contact your administrator.
You cannot log in to the User Portal, even though you configured the right settings in the web.config file for the MultiFactorAuth application in Internet Information Services to communicate to the Multi-Factor Authentication Web Service SDK.
This issue is caused, by incorrect settings for the application pool in Internet Information Services (IIS) for the MultiFactorAuth application.
Due to settings for the Default Application Pool, new Application pools are created with .NET CLR version version 4 and configured in integrated managed pipeline mode.
The applications for the User Portal, the mobile portal and the Web Service SDK all require .NET CLR version 2. Additionally, the Web Service SDK requires classic managed pipeline mode.
Version 6.3.0 of the Multi-Factor Authentication Server contains a bug that prevented the User Portal installer from properly creating the Application Pool in Internet Information Services (IIS). This was fixed in version 6.3.1.
To fix this issue, perform either of these steps:
- Change the Default App Pool before installing the Portals
- Change the application pools for the Multi-factor Authentication portals