
Multi Factor Authentication (MFA) Using ADFS 3.0 and Certificates

I had to implement MFA using ADFS 3.0 and internally signed certificates in order to authenticate external users against Office 365 services. There were a few niggles along the way, but on the whole it was a relatively easy process to complete. The design brief stated that only domain-joined devices may consume Office 365 services from outside the corporate LAN, and that these users must perform multi-factor authentication only when they are outside the corporate LAN. I am fairly sure the design could have been achieved with Azure MFA and a few claim rules in ADFS, but the customer liked the relatively simple management and roll-out that certificate-based MFA provides.

In order to set this up you need the following installed and in production:

  • An ADFS 3.0 (Windows Server 2012 R2) farm
  • Web Application Proxy (WAP) servers in the DMZ
  • Active Directory Certificate Services
  • An HTTP publishing point for your CA revocation lists that is reachable from the DMZ (WAP servers are typically not domain joined and cannot follow LDAP CDP URLs)
  • TCP port 49443 open inbound to your WAP server VIP (ADFS 3.0 performs client-certificate authentication on this port, separately from 443)

Once you have these prerequisites in place you can start to configure MFA.

1. Create a security group in Active Directory, e.g. AutoEnrollGroup. Users must be members of this group to auto-enroll for the MFA user certificate.

2. Next create a Group Policy Object called MFA-Cert_Enrol and link it to your Users OU.

Edit the Group Policy and make the following changes under:

User Configuration/Policies/Windows Settings/Security Settings/Public Key Policies

Open Certificate Services Client – Auto-Enrollment and set the Configuration Model to Enabled.

Tick Renew expired certificates, update pending certificates, and remove revoked certificates, and Update certificates that use certificate templates.


3. In the same Group Policy open Certificate Services Client – Certificate Enrollment Policy.

Set it to Enabled; the Active Directory enrollment policy should be populated automatically.


Close the Group Policy Management Editor.

4. Open the Certification Authority console, right-click Certificate Templates and choose Manage. Right-click the User template and select Duplicate Template.


5. On the Compatibility tab set Certification Authority to the oldest CA operating system in your environment. For me it was Windows Server 2012.


6. On the General tab give the template a distinguishable display name, e.g. MFA Certificate, and adjust the validity period as required (3 years for me).


7. On the Request Handling tab clear Allow private key to be exported. This keeps the second factor tied to the machine on which it was enrolled. Note that the flag is enforced by the key storage provider rather than by hardware, so it stops Export-PfxCertificate and the certificates MMC but is not a defence against an attacker with local administrator rights on the workstation; use a TPM-backed provider if that matters to you.


8. On the Security tab add the group you created in step 1 and grant it the Read, Enroll and Autoenroll permissions (auto-enrollment needs all three).



9. On the Extensions tab select Application Policies, click Edit and remove everything except Client Authentication. The User template also carries Encrypting File System and Secure Email, which this certificate does not need; Client Authentication is the EKU used when the certificate is presented as a TLS client certificate to ADFS.



10. Go back to the CA console, right-click Certificate Templates and choose New, Certificate Template to Issue.


11. Select the certificate template you created, e.g. MFA Certificate.


12. Confirm that the template now appears under Certificate Templates in the CA console.


13. Add a test user to the security group from step 1, log on to a domain-joined machine as that user (log off and on again, or run gpupdate /force, so the new policy is applied) and check that a certificate issued from the MFA Certificate template is present in the user's Personal certificate store (certmgr.msc).


If it is there, you have done the hard part!
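The following PowerShell script is an added example, not part of the original post, that performs the step 13 check from the test user's session: it forces policy refresh and auto-enrollment, then confirms that a certificate from the template exists, carries the Client Authentication EKU, has a private key and that the key is non-exportable, which is what steps 7 and 9 were meant to guarantee. It assumes the template display name is "MFA Certificate" (change $TemplateName otherwise) and .NET Framework 4.6 or later for GetRSAPrivateKey.

```powershell
# Added example (not from the original post): verify the MFA user certificate
# auto-enrolled correctly. Run in the test user's own session on a domain-joined box.
# Assumptions: template display name "MFA Certificate"; .NET Framework 4.6+.
$TemplateName    = 'MFA Certificate'
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU

# Refresh user policy and trigger auto-enrollment now instead of waiting for the
# next logon or the scheduled auto-enrollment task.
gpupdate /target:user /force | Out-Null
certutil -user -pulse | Out-Null

function Get-MfaCertificate {
    # The template extension renders as "Template=<display name>(<oid>)..."
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $tpl = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
        $tpl -and ($tpl.Format($false) -match [regex]::Escape($TemplateName))
    }
}

function Test-PrivateKeyNonExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($key -is [System.Security.Cryptography.RSACng]) {
        # CNG key: ExportPolicy None forbids both plaintext and encrypted export
        return ($key.Key.ExportPolicy -eq [System.Security.Cryptography.CngExportPolicies]::None)
    }
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key, the default provider for the duplicated User template
        return (-not $key.CspKeyContainerInfo.Exportable)
    }
    # Unknown key type: verify by hand with "certutil -user -store My"
    return $false
}

$certs = @(Get-MfaCertificate)
if ($certs.Count -eq 0) {
    Write-Warning "No certificate from template '$TemplateName' in the user's Personal store."
    Write-Warning "Check group membership, the GPO link and the Autoenroll permission on the template."
    Write-Warning "Auto-enrollment errors are logged in the Application log (CertificateServicesClient-AutoEnrollment)."
    return
}

foreach ($c in $certs) {
    $ekuOk   = $c.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid
    $keyOk   = $c.HasPrivateKey
    $nonExp  = Test-PrivateKeyNonExportable -Cert $c
    $expired = $c.NotAfter -lt (Get-Date)
    [pscustomobject]@{
        Subject             = $c.Subject
        Issuer              = $c.Issuer
        NotAfter            = $c.NotAfter
        ClientAuthEku       = $ekuOk
        HasPrivateKey       = $keyOk
        PrivateKeyNonExport = $nonExp
        Expired             = $expired
    } | Format-List
    if (-not ($ekuOk -and $keyOk -and $nonExp -and -not $expired)) {
        Write-Warning "Certificate $($c.Thumbprint) does not meet the template settings described above."
    }
}
```

If the certificate is present but PrivateKeyNonExport is False, the template was duplicated before the export flag was cleared; re-enroll after fixing the template, since the flag is fixed at enrollment time.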

14. On all ADFS servers make sure TCP port 49443 is allowed inbound on your firewall (if you have one).


15. Open the ADFS Management console, select Authentication Policies and then Edit Global Multi-factor Authentication Policy.


16. Under Additional authentication methods tick Certificate Authentication. Note that I am not enabling MFA at the global level (the Users/Groups, Devices and Locations settings stay empty) because there are other relying party trusts I do not want MFA for; ticking the method here only makes it available.


17. Select Per Relying Party Trust, select Microsoft Office 365 Identity Platform and then Edit Custom Multi-factor Authentication.



18. Under Locations tick Extranet, so that MFA is only required for requests that arrive through the WAP.




19. There should not be a need to configure anything on the WAP servers, as the ADFS proxy role they run already forwards the federation service endpoints. However, ensure that port 49443 is not blocked by Windows Firewall on the WAP servers, and that your external-facing firewall NATs TCP 49443 to the WAP VIP in addition to 443.

20. Test from outside the network: after the primary authentication you should be prompted for the certificate, and MFA is working.



If this fails, check the AD FS/Admin event log. I experienced Event ID 364, which detailed that the certificate used failed chain validation and that one of the CA certificates was not trusted by the ADFS server. I confirmed that the root and intermediate CA certificates were in the correct trusted machine stores, but this made no difference. In my scenario it turned out that the root CA was offline and the root CA certificate was not in the NTAuth certificate store on the ADFS servers. To resolve this I exported the root CA certificate and added it on the ADFS servers using the following command:

certutil -enterprise -addstore "NTAuth" rootca.cer

Because -enterprise updates the local copy of the NTAuth store on that server, repeat it on every ADFS server, or publish the root to the directory once with certutil -dspublish -f rootca.cer NTAuthCA so that domain members pick it up on their next policy refresh.



Another issue I came across was that, when accessing the MFA web page externally, the connection would reset and the page was no longer displayed. This turned out to be because the WAP servers had been configured with a publishing rule for ADFS only. Adding an additional rule for https://adfs.domain.com:49443 solved this issue for me.
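The following PowerShell script is an added example, not part of the original post, that checks the three things the troubleshooting notes above (the Event ID 364 chain failure, the NTAuth store, and the 49443 listener) and the CRL prerequisite come down to, from an ADFS server. The paths C:\Temp\rootca.cer and C:\Temp\testuser.cer and the service name adfs.domain.com are placeholders to change; it assumes the ADFS PowerShell module is present, as it is on any ADFS 3.0 server.

```powershell
# Added example (not from the original post): run on an ADFS server when certificate
# MFA fails. Placeholders: $RootCer (exported root CA cert), $UserCer (a test user's
# MFA certificate exported without its private key), $AdfsFqdn (federation service name).
$RootCer       = 'C:\Temp\rootca.cer'
$UserCer       = 'C:\Temp\testuser.cer'
$AdfsFqdn      = 'adfs.domain.com'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCer
$user = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $UserCer

# 1. Is the root in the NTAuth store? ADFS rejects client certificates whose chain does
#    not end in a CA listed there (the Event ID 364 case above). certutil prints the hash
#    with or without spaces depending on build, so strip spaces before comparing.
$ntauth = (certutil -enterprise -store NTAuth 2>&1 | Out-String) -replace ' ', ''
if ($ntauth -match $root.Thumbprint) {
    "OK   root CA '$($root.Subject)' is in NTAuth"
} else {
    "FAIL root CA '$($root.Subject)' missing from NTAuth; run: certutil -enterprise -addstore NTAuth $RootCer"
}

# 2. Build the chain with the checks a TLS client-certificate validation performs:
#    online revocation checking below the root and Client Authentication as the EKU.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ClientAuthOid)) | Out-Null
if ($chain.Build($user)) {
    "OK   chain built: " + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
} else {
    "FAIL chain did not validate:"
    $chain.ChainStatus | ForEach-Object { "     $($_.Status): $($_.StatusInformation.Trim())" }
}

# 3. Every HTTP CRL distribution point in the user certificate must answer. LDAP CDPs
#    are of no use to a WAP in the DMZ, so there has to be at least one http:// URL.
$cdp  = $user.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$urls = @()
if ($cdp) {
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(http://\S+)') | ForEach-Object { $_.Groups[1].Value }
}
if ($urls.Count -eq 0) { "FAIL no http:// CDP in the certificate; the WAP cannot check revocation" }
foreach ($u in $urls) {
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
        "OK   CRL fetched from $u ($($r.RawContentLength) bytes)"
    } catch {
        "FAIL CRL fetch from $u : $($_.Exception.Message)"
    }
}

# 4. Is ADFS bound to the service name on 49443 and actually listening?
$binding = Get-AdfsSslCertificate | Where-Object { $_.PortNumber -eq 49443 -and $_.HostName -eq $AdfsFqdn }
if ($binding) { "OK   ADFS SSL binding for ${AdfsFqdn}:49443 exists" } else { "FAIL no ADFS SSL binding for ${AdfsFqdn}:49443" }
if (Get-NetTCPConnection -LocalPort 49443 -State Listen -ErrorAction SilentlyContinue) {
    "OK   a listener is up on TCP 49443"
} else {
    "FAIL nothing listening on TCP 49443 (is the adfssrv service running?)"
}
```

Step 3 is worth repeating from a WAP server (with the .NET chain build only, since the ADFS module is not there): a CRL that is reachable from the LAN but not from the DMZ produces exactly the external-only failure described in the first comment below. certutil -verify -urlfetch testuser.cer gives the same chain and CDP information in one command if you prefer a manual check.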


  1. When using an MS CA I found the WAP server failed auth requests from external clients because it could not check the revocation path on the certs. Certs issued by the MS CA had a CDP revocation path with an LDAP URI, and non-domain servers such as the WAP server in the DMZ cannot check the revocation path. I tried to change the revocation path to an HTTP URI but this broke the Root CA and Sub CA operation. The only way I got this to work was to use a standalone OpenSSL certificate server and specify CDP HTTP URIs that were reachable by both the WAP and ADFS servers.

  2. Mark, you are using user certificates for MFA. Is there a way to use machine certificates as well? I would like to make sure that the user is using a corporate device.
