Strange behaviour on apple devices & question to event ids

[ripper2k10]

Hello @redhook62 ,

we have a strange problem, mainly with users with Apple devices and there mostly in connection with Safari, but also from time to time with Firefox on apple.
When entering the TOTP token after logging in with username and password, they often only get the message "The operation was completed successfully", when re-entering the same or possibly new token, the login occurs and the user is redirected to the actual page.

In the windowseventlog we also find errors in the following application logs ADFS MFA DataServices and ADFS MFA Service.

We have several log entries with the eventid 900, for example:
System
Provider
[ Name] ADFS MFA Service
EventID 900
[ Qualifiers] 0
Level 2
Task 0
Keywords 0x80000000000000
TimeCreated
[ SystemTime] 2021-12-08T09:28:38.035871700Z
EventRecordID 697506
Channel Application
Computer
Security
EventData
AuthenticationProvider:TryEndAuthentication Error : :

Last Friday I ran the powershell command Refresh-MFAConfigurationCache on the primary adfs server (dont know what this command exactly does), which caused the adfs mfa module to temporarily stop working, but after an adfs service restart everything was fine again.
I ran this cmdlet because i wanted to change the webtheme for a relyingparty to the default webtheme and reset-mfathemelist didn't help. The login page changed to default, but after login the mfa pages still apeared in the non default theme.
What should be mentioned is that the errors with eventid 900 occurred before and after the refresh. Ok, they disappeared for about 5 days, but now they are back again and the metioned behaviour of apple devices described above was back too.

However, at the time of refreshing the MFA cache and restarting the ADFS services, there were other error messages in the eventviewer logs mentioned above:
EventID 666: Error decrypting value for Pass Phrase Encryption : The key set does not exist.
EventID 666: Error decrypting value for ADDS Super Account Password : The key set does not exist.
EventID 666: Error decrypting value for Mail Provider Account Password : The key set does not exist.
and immediately after that the following EventID three times:
EventID 5100: The username or password is incorrect.

Our ADFS environment is set up as follows, all servers are Windows Server 2019:
2 internal ADFS servers, one of them is the primary one, the ADFS MFA module Version 3.1.2108 is installed on both of them, configuration changes are actually made only on the primary ADFS server.
2 ADFS web proxies
The ADFS token information is stored in the ADDS.

Does anyone have any idea what the problem described above could be with the Apple devices?
Unfortunately, I don't know if this Apple problem is directly related to the event log entries.

Is there documentation or something for the event log entries where you can read more detailed information or is there advanced logging for error analysis?

Thank you very much in advance for the help.

Greetings,
Christoph

[redhook62]

Hi, @ripper2k10

Indeed, we are trying to solve a problem with Apple Desktop devices (Mac Os X), but especially with Safari on these models.

You can get the version I made for @PsySuck here TouchID Safari at the end
but the feedback is empirical and poorly documented. I expect a return from him.

In my opinion this version will be the next release in December.
Please note that this version of debug writes a good number of events in the eventlog, and should not be used in production.
I can confirm that the current version works very well with Apple mobile devices (iPhone and iPad).

Your problem must be caused by an exception, browser's userAgent is NULL.
This is the new fashion ... for browser editors, under the guise of securing your surfing, the basic properties of the language and the type of browser are sometimes inaccessible, especially with Safari desktop. of course, this is linked to biometric authentication and Apple's restrictions. see : Apple's Blog

Then, for PowerShell commands,
Refresh-MFAConfigurationCache can and should be run on the server whose configuration is no longer up to date.

Note that the MFA configuration is stored in the database of your primary AD FS server, and is replicated to your secondary servers by default every 5 minutes or when restarting the AD FS service.

Since a year, for performance-related issues (extracting the config from the ADFS database takes time) we decided to store the MFA Configuration in cache on disk (c:\Programs\MFA\Config\ config.db)

This file is copied immediately to all the secondary servers (which can then have in their local database an obsolete version with respect to its cache and the main server) to immediately reflect all the modifications made.
you must have correctly registered your servers with the MFA and have opened the firewall with the cmdlet Set-MFAFirewallRules

by restarting the MFA Notification Hub service, the cache files are recreated and dispatched, the ADFS service is restarted.
The encryption keys stored by the operating system are also automatically deployed on all your servers.

However, check that your AD FS servers are replicating correctly.

If you install the test version.
Please first save your configuration with the Export-MFASystemConfiguration applet.
in this case, you can go back by reinstalling your version and integrating the saved version of your configuration with Import-MFASystemConfiguration

regards

redhook

You can test with version 3.1.2201.0