Wait for ReplayService altough Replay Protection Level is disabled

[derSchweiger]

Hey,

we've experienced (at least in my eyes) a strange behaviour. We've set the "Replay Protection Level" to "Disabled" and I would therefore expect, that no replay protection is enabled at all.

But as soon as the second ADFS server is not available, the MFA validation takes ~15s and you can see the following message in the event logs:

Error on Check Remote Service method : server02.test.local => Could not connect to net.tcp://server02.test.local:5987/ReplayService. The connection attempt lasted for a time span of 00:00:15. TCP error code 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.1.1.20:5987. .

Is that the expected behaviour?

[redhook62]

Hi @derSchweiger

Yes, for some features, it is imperative to restart the MFA service on each ADFS server.
PS> restart-service mfanotifhub
Note that the ADFS service will also be restarted.

[derSchweiger]

Replay Protection has been disabled months ago and we have restarted the hosts multiple times in the meantime.

[redhook62]

Hello, I just ran a test with my 2019 platform in SQL mode.
No problem, I was able to replay the TOTP code from two separate computers, without any messages in the event log.
If you are in AD DS mode, check or force the "Synchro" between your Primary server and your Secondary servers.

[redhook62]

3.1.2508.0