Azure MFA Server PhoneFactor Admins group

Long time no post!

I have been working on an implementation of Azure MFA Server (the on-premises version) and ran into some issues while enabling replication between servers. The environment is multi-tenant, so my regular user account does not necessarily have the permissions needed to create a group in the domain's default Users container.

I first tried certificate authentication between the servers, but this led to the following error messages in the authsvc log:

2018-08-30T08:33:29.639441Z|0|1556|3432|rpcDefibrillator|pre_throwRpcStatusCxxException() current seqN=2
2018-08-30T08:33:29.639441Z|0|1556|3432|rpcDefibrillator|Marking RPC connection seqN 2 suspect.
2018-08-30T08:33:29.639441Z|e|1556|3432|rpc|Access is denied. (0x00000005 = 5)

I then did some research on the PhoneFactor Admins group, because I wanted to pre-create it with an admin account. It turns out the group is expected to reside in the default Users container, and there is no documentation on changing its location.

Because of the AD configuration described above, I still wanted to try creating the group in a specific customer OU. I created the group there, added the MFA servers and my user account to it, and replication started working.

Bottom line: the PhoneFactor Admins group can be pre-created in a custom OU before running the Multi-Server Configuration Wizard in the MFA Server GUI. Authentication has not yet been tested with the User Portal.
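The pre-creation step above, written out as an added PowerShell example (this is not code from the original post or from Microsoft; it assumes the ActiveDirectory RSAT module is installed and that the session runs under an account allowed to create objects in the chosen OU). Only the group name "PhoneFactor Admins" comes from the post; the OU path, server names and admin user name are placeholders to replace with your own values.

```powershell
# Added example, not part of the original post: pre-create the "PhoneFactor Admins"
# group in a customer OU, add the MFA servers' computer accounts and the admin user,
# then verify membership before running the Multi-Server Configuration Wizard.
# Requires the ActiveDirectory RSAT module. OU path and account names are placeholders.
Import-Module ActiveDirectory

$GroupName  = 'PhoneFactor Admins'                                 # name the MFA Server expects (from the post)
$TargetOU   = 'OU=MFA,OU=Customer-Placeholder,DC=example,DC=com'   # placeholder OU, not from the post
$MfaServers = @('MFASRV01', 'MFASRV02')                            # placeholder computer names
$AdminUser  = 'mfa-admin-placeholder'                              # placeholder sAMAccountName

# Create the group only if it does not already exist (safe to re-run).
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    # Scope and category are assumptions; a global security group is the usual choice.
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupCategory Security -GroupScope Global -Path $TargetOU -PassThru
    Write-Host "Created $GroupName in $TargetOU"
} elseif ($group.DistinguishedName -notlike "*,$TargetOU") {
    # A copy that already exists elsewhere (e.g. CN=Users) is what the wizard would
    # pick up; warn instead of silently creating a second group with the same name.
    Write-Warning "$GroupName already exists at $($group.DistinguishedName), not in $TargetOU"
}

# Resolve the members: each MFA server's computer account plus the admin user.
$members = @()
foreach ($srv in $MfaServers) {
    $members += Get-ADComputer -Identity $srv
}
$members += Get-ADUser -Identity $AdminUser

# Add the members; accounts that are already in the group are left as they are.
Add-ADGroupMember -Identity $group -Members $members

# Verify: compare actual membership with what we expect and flag anything missing.
# Computer accounts have a trailing '$' in their sAMAccountName.
$current  = Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName
$expected = @($MfaServers | ForEach-Object { "$_`$" }) + $AdminUser
$missing  = $expected | Where-Object { $_ -notin $current }
if ($missing) {
    Write-Warning "Missing members of ${GroupName}: $($missing -join ', ')"
} else {
    Write-Host "All expected members are present in $GroupName"
}
```

Run this with the admin account before starting the Multi-Server Configuration Wizard on the first MFA Server; the final membership check is the quick way to confirm that each server's computer account made it into the group, which is what the replication between servers depends on.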
