KnowledgeBase: When you activate the Microsoft Authenticator App you receive “The remote server returned an error: NotFound”

I’ve written about the Multi-Factor Authentication Server quite extensively. I’ve been pretty content with text messages for authentication, but since the draft NIST Special Publication 800-63B deprecates Out-of-Band (OOB) authentication over the PSTN (SMS or voice; see section 5.1.3.2), I’ve been taking a closer look at the Microsoft Authenticator app.


The situation

Luckily, Microsoft’s on-premises Multi-Factor Authentication Server and the accompanying Azure MFA Service support more authentication methods than voice calls and text messages alone (listed in no particular order):

  1. Phone call
  2. Two-way SMS
  3. Two-way SMS with PIN
  4. One-way SMS
  5. One-way SMS with PIN
  6. OATH token
  7. Mobile App

I’ve done an extensive review of the pros and cons of each authentication method, and decided to take a closer look at the Mobile App, especially since Microsoft has put quite some work into it recently.

For this purpose, I added the Multi-Factor Authentication Mobile Portal to an existing Multi-Factor Authentication Server implementation.

I then logged on to the Multi-Factor Authentication User Portal with a user account, completed the second-factor authentication method assigned to that account, and chose Activate Mobile App from the menu in the left pane.

Screenshot: the Activate Mobile App screen in the MFA User Portal.

The issue

After I clicked Generate Activation Code and scanned the barcode with my phone, the app responded with an error:

The remote server returned an error: NotFound


The cause

The existing Multi-Factor Authentication Server implementation that I reused for this purpose uses a TLS certificate issued by a private Certification Authority (CA).

Although the root certificate was added to the phone’s certificate store, and desktops with that root certificate installed reach the Mobile Portal without problems, a certificate issued by a private CA will not work for the app on phones.


The solution

To make the Microsoft Authenticator app work, use a publicly trusted TLS certificate with your Multi-Factor Authentication (MFA) Server Mobile Portal(s).
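A quick way to confirm this cause, and to verify the fix once the certificate has been replaced, is to perform the TLS handshake to the Mobile Portal from the command line twice: once with only the system’s public trust store, which mirrors what the Authenticator app on the phone accepts, and once with the private root added. The script below is an added example and is not part of the original post or of the MFA Server product; the host name mfa-mobile.example.com and the path ./private-root.pem are placeholders, and it assumes openssl 1.1.0 or later (for -verify_hostname) is installed.

```shell
#!/bin/sh
# Added example (not from the original post): compare TLS trust for the MFA
# Mobile Portal with and without a private root CA, using openssl s_client.

# Turn the "Verify return code: N (reason)" line that openssl s_client prints
# into a short diagnosis. Reads the s_client output on stdin. The numeric codes
# are OpenSSL's X509 verify results (0 ok, 19 self-signed certificate in chain,
# 20 unable to get local issuer, 21 unable to verify leaf, 10 expired,
# 62 hostname mismatch).
interpret_verify() {
    code=$(sed -n 's/^Verify return code: \([0-9]*\) .*/\1/p' | head -n 1)
    case "$code" in
        0)        echo "publicly-trusted" ;;
        19|20|21) echo "private-or-incomplete-chain" ;;
        10)       echo "expired" ;;
        62)       echo "hostname-mismatch" ;;
        "")       echo "no-verify-result" ;;   # no handshake, e.g. connection refused
        *)        echo "verify-error-$code" ;;
    esac
}

# Handshake against HOST[:PORT] with the default (public) trust store, which is
# what a phone app sees for a CA it was never told about, and optionally again
# with a private root PEM added so the two outcomes can be compared side by side.
check_portal_tls() {
    host=$1
    port=${2:-443}
    private_root=$3
    printf 'Public trust store : '
    openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_hostname "$host" </dev/null 2>/dev/null | interpret_verify
    if [ -n "$private_root" ]; then
        printf 'With private root  : '
        openssl s_client -connect "$host:$port" -servername "$host" \
            -verify_hostname "$host" -CAfile "$private_root" </dev/null 2>/dev/null | interpret_verify
    fi
}

# Usage (placeholder host and CA file):
#   sh check_portal_tls.sh mfa-mobile.example.com 443 ./private-root.pem
if [ $# -gt 0 ]; then
    check_portal_tls "$@"
fi
```

With a private-CA certificate on the portal, the first line reports `private-or-incomplete-chain` and only the second, with the private root supplied, reports `publicly-trusted`; that gap is exactly what the phone app runs into. After installing a publicly trusted certificate both lines should report `publicly-trusted`, and a `hostname-mismatch` result points at a certificate whose subject names do not cover the portal’s host name.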


Related blogposts

Choosing the right Azure MFA authentication methods 
Microsoft Authenticator – One easy-to-use app for all your MFA needs

Further reading

Time is running out for this popular online security technique
