Building application from source code and future enhancements

[apr-un]

Hi @redhook62

I prepared some enchancements to Biometric process (client side, mainly for better flow and user experience) and I want to share them. I had several problems with application building/compiling from source code, but at last I've managed to do it successfully on ADFS2019 in version v3.12105.0.
I had to do several adjustments to source code first, and I'm not really sure if I'was doing it correctly, so I'll try to describe my process. Please correct me where it should be done differently :)

1. I download code from this git repo and open it in VS(2019), and press Build - then I see over hundred errors (mainly due to lack of compiled dlls from wix project or missing pfx files). I have to retarget 'NativeResources' project to Windows SDK 10.0 (latest version), and PlatformVersion to v142 (vs2019).

2. I go to DataTypes project (because no dependency to other projects) and sign it with new password protected file with name 'Neos.IdentityServer'. This one project should build correctly now.

3. I go to every project which has missing pfx file and select the same file 'Neos.IdentityServer.pfx' from DataTypes project. Now few other projects should build.

4. Building solution is still not possible due to several errors looking like:
   Friend access was granted by 'Neos.IdentityServer.MultiFactor.DataTypes, Version=3.0.0.0, Culture=neutral, PublicKeyToken=79dcaed57e22cca7', but the public key of the output assembly ('00240000048....009af5ac298231142f23f44c0') does not match that specified by the InternalsVisibleTo attribute in the granting assembly.

5. To fix that I use procedure from AssemblyInfo.cs to get corrected public key and public key token for my signature file (pfx)

6. In VS developer command line I go to folder with pfx file (in DataTypes project) and execute two commands:
   sn -p Neos.IdentityServer.pfx Neos.IdentityServer.publickey
   then
   sn -tp Neos.IdentityServer.publickey

This should show publickey (in multiple lines) and token. Public key have to be copied in single line(!):
`Public key (hash algorithm: sha1):
00240000048000009400000006020... 298231142f23f44c0

Public key token is 79d...cca7`

Now I can use this generated public key(long line) and replace with it ALL public keys in lines with 'InternalsVisibleTo' in all AssemblyInfo.cs files (should be 19 lines and 5 files)

7. 'Friend access...' errors are now gone, but this replacing looks improper to me :(
   Maybe these values can be loaded from app settings or some resource?

8. Solution still cannot be build at this point, because I get error in SAS.Azure project:
   'AuthenticationContext' does not contain a definition for 'AcquireToken' and no accessible extension method 'AcquireToken' accepting a first argument of type 'AuthenticationContext' could be found (are you missing a using directive or an assembly reference?)'
   In short: Microsoft.IdentityServer.Aad.Sas.dll doesn't have this method, there is only AcquireTokenAsync method - maybe this is specific to ADFS 2019?

9. I can fix that by using async method:
   var taskResult = this.authContext.AcquireTokenAsync(this._resourceUri, this._clientAssertion); authenticationResult = taskResult.Result;

10. Solution is still not building correctly because lack of config files in Deployment, Multifactor and NotificationHub projects.
    In Deployment there must be CustomAction.config with specific content (I've spent some time to find it :) ):

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<startup useLegacyV2RuntimeActivationPolicy="true">
<supportedRuntime version="v4.0" />
<supportedRuntime version="v2.0.50727"/>
</startup>
</configuration>

In Multifactor and NotificationHub app.config files are probably not needed (I'm not sure what they can contain?) and can be excluded from solution.

11. Theres only one error now, lack of resgen.exe in project Console/SnapMMC.
    This file can be copied from .NET tools - for example: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools

12. Solution is now building successfully, but it won't work correctly after installation (wrong signatures of DLL)

13. Theres one last thing to change - hardcoded string PublicKeyToken=175aa5ee756d2aa2 needs to be replaced with our own public key token 79d...cca7 from step 6 (28 times in 8 files total). Again this looks improper - maybe these values can be loaded from app settings/resource?

14. Successfully builded application adfsmfa.msi is located in 'Neos.IdentityServer 3.1\Neos.IdentityServer.MultiFactor.WixSetup\bin...'

15. To debug installed application on ADFS node I need to attach to processes Microsoft.IdentityServer.Hosts.exe and Neos.IdentityServer.MultiFactor.NotificationHub.exe

Please confirm if this process is correct, and then I will put new pull request with my changes to review.
Thanks

[redhook62]

Hi, @apr-un

Good news,
Know anyway, that if the build of the solution is complex, it is purely voluntary, take it for parnoia if you wish, it does not bother me in any way.
However, in order to avoid finding a corrupted version on the internet ...
Because this already happened some time ago, this is also why we sign the generated msi file.

I will try to answer point by point.
Knowing all the same, that the version of VS used has no interest in view of the chosen target (ADFS 2012r2, 2016, 2019) only the minimum version of the Framework is required. On the other hand we have left the configuration files for the Nuget packages (do not try to use as little as possible, and especially for "additional" features)

1. Indeed, it is necessary that all the assemblies of the project are compiled and available so that wix can correctly generate an MSI. for information, it is the version of WIX 3.11 which is used, before the last updates

2. Yes, you absolutely must generate a new .pfx (I explained the why previously), and that will of course pose new concerns ... it is intended!
   You will need to compile all your projects with the same .pfx for simplicity. and then it will become your build. but know that I really appreciate your willingness to collaborate on this project, welcome!

3. yes, that's the way. if all nuget packages are present, evetihning shoul be OK. i build the projects with references to ADFS 2016 assemblies, except for special features of ADFS 2019.

4, / 5 / 6 Yes, Some internals must be trusted, to avoid abusive use of assemblies... And yes it's a public key !
Some types marked internal, will not be able to be used if the calling assembly is not signed with the correct .pfx.
look at ADFS assemblies, Microsoft uses this feature in their product, for the same reasons as me ...

7. yes ! However, we will never put these id's in configuration files. everything must be solved at compile time.
   The include files do not exist in C#, it is possible to add an additional source code file.

8 / 9) The MFA azure part is based on the ADAL library (Vittorio Bertocci), I think you just have to make sure that the right package is present.

10. no, These config files are of no use. Just aim for the right framework

11. Ok, great !

12/13) No, not from resources, they can be replaced. can be a placeholder somewhere in the source code

14/15) I just have to tell you, that you did the job.

I reflect on your proposals, in order to be able to carry out easier custom builds

Hey, Ground control to major Tom, You've really made the grade !

Changing the issue to discussion, this can help !

best regards

redhook

[apr-un]

Thank You for reply, I assume that my description of application building is mostly correct :)
I understand why solution should be signed, and that 'Friend access' is sometimes necessary - this is not a problem, I just think that the way of doing this should be more obvious.

The MFA azure part is based on the ADAL library (Vittorio Bertocci), I think you just have to make sure that the right package is present

I tried to find correct version, but project is referencing just global library Microsoft.IdentityServer.Aad.Sas.dll (not nuget package!) which is part of ADFS (I think - not too many sources write about it on net). I only found several mentions on web that AcquireToken method is deprecated in ADAL 3.x (loot of links, just FYI):

MicrosoftDocs/azure-docs#24458
https://community.dynamics.com/crm/b/gustafscrmblog/posts/authenticationresult-acquiretoken-deprecated-in-adal-3-x-and-how-to-fix
https://social.msdn.microsoft.com/Forums/vstudio/en-US/5a6534e3-a9eb-4565-b831-f78c7087d2e5/microsoftidentitymodelclientsactivedirectoryauthenticationcontex-does-not-contain-a-method?forum=WindowsAzureAD
https://azure.microsoft.com/en-us/blog/start-writing-applications-today-with-the-new-microsoft-authentication-sdks/

Current repo for ADAL mentions that it is being replaced by new MSAL library:
https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/

I put small pull request with some fixes and updated readme ( #178 ) , and will follow up soon with enchancements to biometric user experience

Regards
Arnold

[apr-un]

Hi @redhook62,
I put some enhancements to biometric UX in my fork here:
https://github.com/apr-un/adfsmfa/commits/biometric_ux_enhancements

Code was tested and is running on production system without problems (at least till now :D)

This code was prepared with some specific requirements on mind (OTP assumed as default option, biometric hidden for casual users but available for advanced users, biometric flow easier to understand) so I'm not doing pull request on this, but feel free to pick anything you like :)

What is done there:

1. Biometric device availability checks are always done first on client side,
   and if device is not available (or not configured) in system then button leading to bio check (finger, face etc) is effectively disabled and
   javascript translated alert (HtmlUIAlertBioNotAvailable) is displayed to user.

This allow us to 'hide' some weird responses from biometric device UI or browser (for example about lack of usb key).
We can't control device response, so at least we have place to inform users what they need to do and prevent them from going to place with no return ;)

2. Before biometric test (navigator.credentials.get) there is check if user already registered biometric device on this system (by cookie bioregisteredandvisited). If not then we skip bio test (because it probably won't work anway and just show us weird message) and force to try OTP method once (autotryotp cookie is set)

3. After successfull biometric test (or registration) there is cookie set/refreshed for 30 days (bioregisteredandvisited) to allow semi-reliable
   recognition that this system was used before to correctly register/access bio device and continue with bio tests.

4. Link to change login options is always visible on bio form, so user can select another method easily.

5. CredType 'tpm' is defined as 'Windows/Linux', so its more clear to casual user what type of method is shown there in options

6. (optional) Added global bioSkipDuringRegistration variable to skip/ignore biometric during user registration if its not required.
   This way registration process is faster and simpler, and biometric device can be normally added on options screen.
   It is set to true in code due to my lack of knowledge how to add new options in MFA config :(

Things to do:

• fix all 'magic numbers' to some meaningful constans (example: fnbtnclicked(6) )
• extract some js functions so there is less repetitions of same code, maybe move it to BasePresentation?

Javascript functions added:

CheckBiometricsDevice()

Asynchronous, check for bio device availability with PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() and sets two global variables:
bioCheckCompleted = initially false, then true when functions finishes (async)
bioCheckAvailable = initially false, then true when bio device is available and configured

CheckAutoTryOtp()

Auto select and submit OTP method on select method screen if autotryotp cookie is present, then clears that cookie

getCookie(cname)

Get value from cookie named cname

SkipBiometricDuringRegistration()

Allow to auto ignore&submit biometric device during user registration when biometric method is not required.

Javascript functions modified:
fnbtnclicked(...)

added new optional parameters (bio, req) to pass correct values from c# code
changed return values to true/false to prevent clicks

GetWebAuthNAssertionScript(AuthenticationContext usercontext)

Added logic to test biometric device availability and force OTP if not present

Regards
Arnold

[apr-un]

Hi @redhook62,
did You have a moment to see proposed changes to biometric in my branch?
Regards
Arnold

[redhook62]

Hi @apr-un

Sorry I didn't have time to look in detail.
However if you have a buil to forward to me ([email protected]) I would be happy to watch.
I will integrate in the July version, your more general fixes.
Then for September, I think a big update for the WebAuthN Core part, according to the evolutions of the fido2-net-lib project

regards

[redhook62]

Done !

[apr-un]

H @redhook62

In attachment is my version of 2107 build (with biometric changes).

But beware - it's build on my keys, so installing it on Your ADFS will invalidate some settings (MFA reregistration is required).
You mention that in July some of my general fixes will be integrated - which one?

adfsmfa_apr-un_3.1.2107.0.zip

[redhook62]

Great ! Thank you.
I will try it tomorrow

regards

[redhook62]

Hi @apr-un

First of all, I wanted to thank you for the efforts you have made (Translation and correction of bugs)

I did install your version today, but I have a lot of comments.

1. In your javascript, you put "Alerts":

• We do not want to see PopUp appear, there is none currently. it is preferable to recover or change the message, and display it after the post in the page.
• when in javascript you insert text (in an alert for example), watch out for the quotes...
  In many languages like french/English/German and others this will generate an 'Unexpeted Token' error, and will certainly render the rest of the process unusable. (also in polish...)

function fnbtnclicked(id) { var lnk = document.getElementById('selected'); var opt4 = document.querySelector('input[name="selectedradio"]:checked'); var opt4value = opt4 ? opt4.value : ''; lnk.value = id; if (bio == 'bio' && id == 0 && opt4value == 4 && !(bioCheckCompleted && bioCheckAvailable)) { alert('Dispositif biométrique NON DISPONIBLE ou NON CONFIGURÉ dans le système d'exploitation! Veuillez fermer cette fenêtre de navigateur, configurer d'abord l'appareil, puis réessayer ou utiliser une autre méthode!'); } ; return (bio == 'bio' && id == 0 && opt4value == 4 ? bioCheckCompleted && bioCheckAvailable : true); }

2. the detection of the biometric device is malfunctioning.

• Don't recognize a Yubikey
• Do not recognize a logitech camera (Windows Hello)
• Do not recognize a Kensigton dongle (TPM)
• Do not recognize FIDO/UDF with NFC or Usb
• Only correct login test -> android-Safetynet, but not for registration

The easiest way is to explain to me what you want to do, it can be interesting.

however, I think that in view of the evolution of the protocol, and also for security reasons, that it is better to let browsers or operating systems display what comes from CATP.
On the other hand, the component configuration options can invalidate certain types of devices, but above all allow to offer a suitable interface (Browse / System), for example, I have a camera, a dongle and a security key.

So I suggest you review this in September at a relaxed pace.
I you take vacations, enjoy it.

regards

@redhook62

And once again thank you for your investment.
If you wish, I can delete these comments, and leave only the operating mode to build your own solution.

[apr-un]

Hi @redhook62
thanks for review and very valuable comments - please don't delete them.

I'll fix the problem with alerts containing special chars soon - I replaced new line chars in resources,
but totally forgot about other kind of special characters in JS. My bad, sorry :(

Some responses to Your comments:

1. Alerts were used because I needed to disrupt flow of application from JS,
   and I didn't really know how to do it better - adapter interface is complicated :)
   If You can direct me to any example how to add new step with message into wizard I will gladly try it :)

2. Are You sure that function used in CheckBiometricsDevice()
   https://www.w3.org/TR/webauthn/#sctn-isUserVerifyingPlatformAuthenticatorAvailable is malfunctioning?
   It will give "false" response (device not available) also when device is available, but not configured in system by user.

3. "The easiest way is to explain to me what you want to do"
   We have large organization to support - several thousands non-IT users,
   and these users mostly react with "panic mode/call helpdesk now!" when they encounter something new/unexpected.
   We can't explain everything related to setting up biometrics in manual [and users don't read manuals anyway ;)],
   so in order to prevent flooding helpdesk with nonimportant issues about "What is security key? I don't have any :("
   we want to direct most users directly to OTP (easiest method), and allow more advanced users to use other methods they like (i.e. bio).
   But even those advanced users (over thousand) can cause "flooding" in helpdesk, so we want simplier UI,
   with our custom messages
   ("Hey user, You don't have biometric device installed here (system A), this won't work because Your biometric device is configured somewhere else (system B)")
   instead of little enigmatic messages from operating system or browser ("Insert security key")...
   I hope this helps :D

Regards
apr-un

[redhook62]

Hello,

For the worries of quotes, it was certainly sufficient to encode the translated strings "htmlencode".

Then as I indicated to you, it would not be possible to add alerts or swag in this project. especially no JS frameworks ...

It's a security extension, and your users should understand it ... there are not on Facebook or other ...
In France we speak of "Mrs Michu",
The concern in this case is not the component but certainly the way to deploy it.

The link you provide, yes, I know it.
But, it is clearly indicated, that the function "isUserVerifyingPlatformAuthenticatorAvailable ()" can be used during the creation of credentials (Create and not Get). moreover the operation also depends on the chosen WebAuthN configuration. Platform / Cross-Platform and others.

Like you, I have very, very large customers who use this extension. and tens of thousands of downloads
The head of public transport in Europe,
The largest world aeronautical manufacturer,
Many large European and Japanese industrialists,
The company manufacturing the best electric cars, which also provides solutions for space, rockets landing on the return ... a ceo considering going to Mars when the earth is unlivable. "Ground control to major Tom, you really make the grade..."

Know anyway, that appreciates your will to improve the process.

Firstly.
Assign the default provider on TOTP, your users will find their way there.
IT teams and other power users will find a way to use biometrics.
Unless you have disabled these features, the user should be able to manage their options and choose the MFA mode they find most suitable.

Then,
I offer to you to present your implementation as an example of custom UI. this feature is available since spring.

Later,
We can integrate it into a build and get people to evaluate it.

Before,
If your want, send me, your source code concerning the AdapterPresentation (with ressources)
I will send you in return, an example of custom UI, correctly displaying the desired messages. it will still be necessary to support the 2019, 2016 and 2012r2 versions.

regards

redhook

[apr-un]

Hi @redhook62

I've started workind on custom adapter version of my biometric changes.
Could you suggest me how to set it up?

I've created new project (CustomAdapterPresentation) in Neos solution.
Then I've added reference to Neos.IdentityServer.MultiFactor.
Next I've created new class AdapterPresentation.CustomBiometric.cs (which for now is a copy of Neos.IdentityServer.MultiFactor.AdapterPresentation.2019.cs and inherits from BaseMFAPresentation).

Unfortunetly then I get many errors about lack of access to internal functions of Multifactor and Common projects, but I was able to fix them by adding to both project properties\assembly.cs:
[assembly: InternalsVisibleTo("CustomAdapterPresentation, PublicKey=...]
( I'm not sure if this is correct way - I think that my custom code should not modify original solution... :/ )

Now project will compile, but I've got two new problems:

1. how to add my CustomAdapterPresentation.dll to wixsetup (I'll probably can figure it myself, but i'm asking if there is "fast way" without spending hours on reading manuals :) )
2. how to set AdapterPresentationImplementation in MFA config? It doesn't have any setup options in powershell :(

Also I see that there is inconsistency between documentation and code - according to https://github.com/neos-sdi/adfsmfa/wiki/05-General-Settings this property should contain fully qualified CLASS name inherited from BasePresentation, whereas code looks for fully qualified ASSEMBLY name and then inside that assembly looks for type which inherit from BaseMFAPresentation ?

Regards
apr-un

[redhook62]

hi @apr-un

I admit that I did not test this configuration with another signature, it was partly indicated during the implementation of the release ...

For the configuration, yes, the documentation was wrong, it has just been modified, the methods of BaseMFAPresentation can be overloaded or replaced.

For visibility, on your own build you can do whatever you want, then two possibilities:

1. I integrate your predictions directly into the project (siganture included), but you remain the author and the one who provides support. so here it is a code swap. I suggested it to you in the past.
2. I'm looking at how to make your job easier. but be aware that protected classes are related to code security considerations. for the presentation it is necessary to keep a relatively restricted access. so what types are you worried about? I could possibly release these accesses.

For Wix, either we do the build and there is no problem.
Otherwise, you must add the corresponding entries in the "samples" part with specific guides. take inspiration from these entries, and think about the localization part.

@redhook62

[apr-un]

Hi @redhook62

thanks for answers, one more thing.
In second question I asked about "how to set AdapterPresentationImplementation property in MFA config?"
For example I cannot write in powershell:
Set-MFAConfig -AdapterPresentationImpleentation "Custom, ..., PublicKey=...."

Is there another command to set this property? Could You guide me there?

PS: I know that I first need to change UIKind to 'Custom' with Set-MFAThemeMode, but this doesn't change anything for AdapterPresentationImplementation

PS2: I forget to list not accessible objects - these methods/properties are internal and require adding InternalsVisibleTo in projects Common and Multifactor (list from error log, multiple times):

'RuntimeAuthProvider' is inaccessible due to its protection level

'RuntimeRepository' is inaccessible due to its protection level

'AuthenticationProvider.HasAccessToOptions(IExternalProvider)' is inaccessible due to its protection level

'images' is inaccessible due to its protection level

'AuthenticationProvider.HasStrictAccessToOptions(IExternalProvider)' is inaccessible due to its protection level

'AuthenticationProvider.KeepMySelectedOptionOn()' is inaccessible due to its protection level

'KeysManager.NewKey(string)' is inaccessible due to its protection level

Regards
apr-un

[redhook62]

Hi @apr-un

To change some properties on MFAConfig or others :

$c = Get-MFAConfig
$c.AdapterPresentationImplementation = "Your fully named class BaseMFAPresentation"
$c.UIKind = Custom
Set-MFAConfig = $c

Set-MFAThemeMode -UIKind Custom -Theme MyThemeIfAny

For the accessibility of class, i think that we are going to put a public wrapper class.

regards
redhook

[redhook62]

Hi @apr-un

I will ship tomorrow a new version 3.1.2109.1
This version includes evolutions for building a Custom Presentation component.

The component version is included in the installation as well as in the examples.
I will send you in PR on your Git, the development database with the certificate to sign the assembly.
If you can send me one of your versions by tomorrow, then I could include it in the build.

regards
redhook

[apr-un]

Hi @redhook62

Thanks for version 2109.1, it really helped :)

I've made my custom adapters inherit from BaseMFAPresentation and added new parameterless constructor like in PresentationSample - all was working fine.

Now I'm working on moving all my changes into my project in MFA solution, and I have trouble with two things:

1. I can't use any intermediate class which inherit from BaseMFAPresentation as common ancestor for my custom adapters due to way types are compared in file Neos.IdentityServer.MultiFactor.BasePresentation.cs in #region Custom AdapterPresentation in function:
   private static BasePresentation LoadCustomAdapterPresentation(AuthenticationProvider provider, IAuthenticationContext context)

2. I can't load my custom resources from my project (inherited from ResourcesLocale) in correct culture :(
   I'm trying to load them in my class constructors, but in current version provider and context is set only after constructor already exited, so in parameterless constructor I've defaulted to english culture - which works, but shows my resources always in english ;)

I've prepared dotnetfiddle which I hope can show what is going on. Od course it is really simplified, so please forgive me if something is not exactly like in MFA project :)

https://dotnetfiddle.net/VEMoll

SAMPLE shows normal way (direct inheritance like in yours Presentationame project)
CUSTOM1 shows what is failing (indirect inheritance, instance is not created)
CUSTOM2 shows my corrections (indirect inheritance, instance is created - first without provider/context (current default), then with correct provider and context)

I think that reversing order of checking in function IsAssignableFrom will help in first case, so this:
_typetoload.BaseType.IsAssignableFrom(typeof(BasePresentation)) || _typetoload.BaseType.IsAssignableFrom(typeof(BaseMFAPresentation))
should be changed to:
typeof(BasePresentation).IsAssignableFrom(_typetoload) || typeof(BaseMFAPresentation).IsAssignableFrom(_typetoload)

and using another form of Activator.CreateInstance will help with second case, so this:
BasePresentation pres = (BasePresentation)Activator.CreateInstance(_typetoload, true);
should be changed to:
BasePresentation pres = (BasePresentation)Activator.CreateInstance(_typetoload, provider, context);

Regards
apr-un

[redhook62]

Hi, @apr-un

Take a look at the latest build (3.1.2110.0/1

Provider and Resources are well assigned the the instance created.
For the context witch is specific to a user, no need to pass it. context is passed at each Presentation calls.

regards

[apr-un]

Hi @redhook62

thanks from reply, I'll try to merge new version with my code.
But from what I checked in github version 2110.1 is still using Activator.CreateInstance without parameters, so it won't resolve my case.

Let me repeat my main problem:
During loading custom adapter scenario

• https://github.com/neos-sdi/adfsmfa/blob/master/Neos.IdentityServer%203.1/Neos.IdentityServer.MultiFactor/Neos.IdentityServer.MultiFactor.BasePresentation.cs line 60 - standard resources are assigned AFTER custom adapter constructor is already executed (line 61), so I can't create my resources similar way like in original code (in constructors, based on context.LCID) - because in my custom constructor context is null (due to parameterless constructor).
  Of course I can try to get correct culture from i.e Thread.CurrentThread.CurrentUICulture, but I think it is better to use the same culture as in base project.

Alternative question: where should I place code to load my resources (if not in the constructors)?

Regards
apr-un

[redhook62]

Hi, @apr-un

What types of resources are you talking about?

the embedded resources are loaded automatically by the .Net Framework, if you have correctly compiled the satellite assemblies.

For the resources and the context, these parameters are passed after the constructor.
Where is your problem ?

Another point, the javascript, if it is not generated by the presentation but with external script, it must be registered in the WebConfig of adfs so that the execution of the code is trusted.

regards

[apr-un]

Huh, sometimes I think I write too much information at once ;) I wanted to show you something without quoting direct code...

Earlier in our communication You said that I should prepare localization (translations) for my custom adapter and move all my changes to custom project.
I've done that and put these translations in embedded resources in my project (Resources\Custom.resx) - so these translations are resoures I'm talking about :)

In Neos solution translation resources (I called them "standard") are based on class ResourcesLocale which is loaded in BaseMFAPresentation constructor. I know this from debugging session.
UIKind switch in AdapterPresentation methods create different adapter for each setting (Default/Default2019/Custom) depending on parameters used (provider, context ale always required, rest like message, suite ,... are optional):

 public AdapterPresentation(AuthenticationProvider provider, IAuthenticationContext context)
        {
...
switch (provider.Config.UiKind)
            {
                case ADFSUserInterfaceKind.Default2019:
                    _adapter = new AdapterPresentation2019(provider, context) // this provider and context is present in base constructors
                    {
                        UseUIPaginated = provider.Config.UseUIPaginated
                    };
                    break;
....
// AdapterPresentation2019 ----> 
   public AdapterPresentation2019(AuthenticationProvider provider, IAuthenticationContext context, string message)
            : base(provider, context, message)
        {
// context is there by param context, and code go to base constructor, which is ...
        }

// base is BaseMFAPresentation ------------->
        public BaseMFAPresentation(AuthenticationProvider provider, IAuthenticationContext context, string message): base(provider, context, message)
        {
            this.Resources = new ResourcesLocale(Context.Lcid); // all fine there, context comes there by param context, and it has some Lcid set
        }
....

So I created my translations in similar way (inherit from ResourcesLocale, init them in my custom constructor ). This causes another problems because of private methods (translation were searched in Neos..Multifactor assembly instead of mine assembly), but eventually I managed to solve this and add them correctly to Wix setup. I know they're installed correctly during installation like rest of assemblies and are correctly read (at least for english language).

But in the same switch for UIKind, when it is set to custom code is not setting provider and context for base constructors, but set them afterwards:

switch (provider.Config.UiKind)
            {
              ...
                case ADFSUserInterfaceKind.Custom:
                    _adapter = LoadCustomAdapterPresentation(provider, context); // <----- these params are NOT used in Activator.CreateInstance, so I can't load correct translation in my custom constructor
                    _adapter.Resources = new ResourcesLocale(context.Lcid); // <--- "standard" resources loaded with correct context.LCID
                    _adapter.Context = new AuthenticationContext(context) / <- context for adapter is set there, instead of inside constructor
                    {
                        UIMessage = string.Empty
                    };

Current method for loading custom adapter:

 private static BasePresentation LoadCustomAdapterPresentation(AuthenticationProvider provider, IAuthenticationContext context)
        {
          ...
           if (_typetoload.IsClass && !_typetoload.IsAbstract && (_typetoload.BaseType.IsAssignableFrom(typeof(BasePresentation)) || _typetoload.BaseType.IsAssignableFrom(typeof(BaseMFAPresentation)))) // I belive there should be reversed check - typeof(BasePresentation).IsAssignableFrom(_typetoload) because you're casting to BasePresentation from type which should inherit from it directly or indirectly
            {
                BasePresentation pres = (BasePresentation)Activator.CreateInstance(_typetoload, true); // Allow Calling internal Constructors ?? context and provider is NOT set to correct values inside base constructors, because this method call BasePresentation() constructor
                pres.Provider = provider; // provider is set there, which works because nothing inside is using it
                return pres;
            }
            else
                return null;
        }

So in summary I'm saying that with current method of activating custom adapter I'm basically trying to "read the book (context) before it is written" and to solve error with context.Lcid (null reference) my constructor looks like this:

 public AdapterPresentationCustomBiometric2019() : base() // <---------------- this one is called when using current creation method (BasePresentation)Activator.CreateInstance(_typetoload, true);
        {
            if (Context != null)
            {
                this.CustomResources = new CustomResourceManager(Context.Lcid);
            }
            else
            {
                var englishCulture = new CultureInfo("en");
                this.CustomResources = new CustomResourceManager(englishCulture.LCID);
            }
        }

        public AdapterPresentationCustomBiometric2019(AuthenticationProvider provider, IAuthenticationContext context) // <------- this one WILL be called IF provider and context are set in proper way, not AFTER constructor
            : base(provider, context)
        {
            this.CustomResources = new CustomResourceManager(Context.Lcid);
        }

Did you saw my code on dotnetfiddle?
DotNetFiddle is online compiler/runner for simple code - please take look at this code and run it,
You should see source problem and solution from my perspective:

https://dotnetfiddle.net/VEMoll

Code contains three similar "regions" of code, which each load and execute some class (like in MFA project with custom adapter).
First region - SAMPLE - works ok, like Your sample from 2109.1 (but it works only because there are no custom translations and is directly inherited from BaseMFAPreentation)
Second region - CUSTOM1- shows my problem(s) - can't load my class, because IsAssignedFrom is checked incorectly (I think...)
Third region - CUSTOM2 - show solution for both my problems (my class which is indirectly inherited from BaseMFAPresentation is correctly loaded and it can correctly set language for translations loaded in my custom constructor using alternate activator overload)

I hope this is better understandable
Regards
apr-un

[redhook62]

Hi, @apr-un

Ok, it's a little clearer now.

However, if we make the modification for the call of a constructor, it must be done for all the constructors.

Next, for resources I'll have a look, but changing that in the constructor of the external component doesn't appeal to me.
To be seen for a generic type of ResourceLocale type or other.

regards

[apr-un]

Yep, all calls to LoadCustomAdapterPresentation from AdapterPresentation constructors should be modified and of course definition of this functionalso should be modified so it can accept the same parameters like its "parent constructor method".

I think it will be easier to just prepare 5 overloads for LoadCustomAdapterPresentation and call them from corresponding constructors:

LoadCustomAdapterPresentation(provider, context)
LoadCustomAdapterPresentation(provider, context, message)
LoadCustomAdapterPresentation(provider, context, message, ismessage)
LoadCustomAdapterPresentation(provider, context, suite)
LoadCustomAdapterPresentation(provider, context, message, suite, disableoptions)

than prepare one definition of this function with all params and conditionally call Activator.CreateInstance with different values :)

Could You explain what do You mean by:
"for resources I'll have a look, but changing that in the constructor of the external component doesn't appeal to me.
To be seen for a generic type of ResourceLocale type or other."

I'm calling Your's base constructors in mine and Yours resource are loaded normally, then my resources are added (eventually overwriting some translations if I need that).
But here I just added one translation, and call CustomResources.GetString("HtmlUIAlertBioNotAvailable") from my code in place where it is used. So there's nothing to worry about :)

Regards
apr-un

[redhook62]

@apr-un

Happy New Year to you and your family.

After reading your post,

First, you can limit the browsers that can use biometrics since version 3.1.2112.0.
I don't intend to work on the different versions of the browser (45.2 or 96.0...), it's been a mess for 30 years, already with communicator and IE in the .90's.
The easiest way for your users and already to update their browsers. :)

On what you propose, there are interesting ideas.

• improve biometric device detection.
• More explicit message to users when not using biometrics (Browser or no device).
• Use a cookie to keep the status with respect to biometrics.
• Apply this on login, registration and choose another option.

which we will not implement.

• Redirect the user to TOTP (TOPT can be disabled or optional via PowserShell, in the console it is not possible and it is done on purpose.
  the user will therefore be directed to choose a different option.
• If biometrics is mandatory, the user will be rejected upon registration.
• If biometrics is optional the user can currently choose to override and not register a device. we will see if it is possible to bypass this operation.

We will implement these changes during the month of February or March.

regards

[apr-un]

@redhook62 thanks for response :)

Just to be sure if I understand correctly - which options will be implemented in february/march ?
At start I was thinking that custom message will be implemented,
but after second read I think that redirect for mandatory bio to choose other option will be implemented

Regards
apr-un

[redhook62]

Hi @apr-un

What we will implement by March or later...

• Improved detection of biometrics (see more my remarks)
• More explicit message for the user
• A cookie to store this information (user/browser/OS).
• Apply to this on the login, registration and choice of options phase.

What we won't do.

• automatic redirect to TOTP

PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() can only detect build-in authenticators (Windows Hello, FaceID, TouchID or Android Device), so for example, as your screen shots show, FireFox (which only supports external usb devices such as Yubico key) will invariably return false on this call.
see Browser compatibility
For confidentiality reasons WebAuthN does not allow the interrogation of the device in detail before the creation of a new assertion. So I don't think it's possible to suppress the browser messages asking to insert a key.

Many things can also occur due to the configuration of WebAuthN: Authenticator Attachment, Attestation Conveyance Preference, etc...

regards

[redhook62]

Hi @apr-un

I confirm one thing
PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() can only detect build-in authenticators (Windows Hello, FaceID, TouchID or Android Device).

So, with your example code, Yubico keys are systematically excluded.
This is not viable, because on any server (Windows, Linux) there is no Windows Hello active.

So with Firefox your users will always get the message asking them to insert their Key... and they will always have to cancel to continue.
The question is what should happen next... knowing that there are multiple possible settings in the WebAuthN configuration.

We will remove this test and make sure window.PublicKeyCredential is not undefined so that it can continue to work in all cases. with "Platform" devices and "Cross-Platform" devices (USB, NFC, Bluetooth)
How do you see things then? what scenario do you propose?

regards

[apr-un]

Hi @redhook62
thanks for response - it's good to hear that custom message is going to be implemented :)

This detection works normally on firefox (I tested it with version>90) without any special configuration - I tried on my home browser and on computer within domain and on windows server (all without bio device) - and in every case it returned false.
Another person tried this on home laptop with biometric configured properly and get true:

PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()
  .then(function(available){
    if(available){
      // We can proceed with the creation of a PublicKeyCredential with this authenticator
         console.log("avail = true");
    } else {
      // Use another kind of authenticator or a classical login/password workflow
         console.log("avail = false");
    }
  }).catch(function(err){
    // Something went wrong
    console.error(err);
  });

On docs page for Yubico keys there is mention to USE this function to detect platform authenticators, so I think this function should detect
Yubico keys: https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/Platform_vs_Cross-Platform.html

If we agree that by default we won't allow biometric until it is confirmed (by detection OR by user consent) that it works then we don't lose anything, but get better user experience :)
For example:
During registration user checks 'add my bio device', click continue and get custom message (because PublicKeyCredential is not implemented or isUserVerifyingPlatformAuthenticatorAvailable is not present or returns false) like "We're sorry but we cannot detect biometric support on You system/browser, are You sure it is configured in system and device is operating properly? If you really want to continue press Yes, otherwise pressing no would return You to choosing other metod"
Choose [Yes] or [No].
If user choose Yes then hopefully he knows what is he doing and gets message from device: "insert Key".
If user choose No then it should be redirected to form with choose another method...

Regards
@apr-un

[redhook62]

@apr-un

No, I myself have several Ybico keys, on a server that does not have Windows Hello, or on a Linux, with this javascript code it does not work whether for Firefox (I have version 96.0.3) or for Edge Chromium, or Chrome).
I can tell you that the tests are done with multiple configurations on WebAuthN.

The name of the method clearly indicates its "Platform" scope, the Yubikco keys are "Cross-Platform".

So for me it is not acceptable.
Please educate your users to respond to the Browser message... (it's not MFA that does this..),

Then, if you want to move forward, let me know your vision, taking my remarks into account.
Otherwise, build your own solution.

regards

[apr-un]

@redhook62 Thanks for reply.
I think that You somehow misunderstand me, I have to rethink what I wrote and do some more tests.
Regards
@apr-un

[apr-un]

I did test done on Ubuntu 20.04.3 LTS with Firefox 96.0 and function works there (it exists and returns false).

I think that You assume that "false" value means it is not working, but I explained before that its ok (js just can't detect authenticators).
If in this situation there will be shown form with custom message and two buttons to press - user can override check and continue or get back to choose.
This way customizers (like me) can get what they need in simpler way, without changing scripts or writing entire adapters :)
and end users get nicer flow.

I hope that clarify my point o view, I also add that page with script if You want to check it yourself on linux or other system.
test.zip

Regards
apr-un

[redhook62]

Hi,@apr-un

Before answering you the other day, I obviously tested the JS code of your page, the one recommended by different sites.

In the last release, I removed this test, because it works under Windows 10/11 with Windows Hello if it is configured.
You can even validate the biometrics with the Windows Hello PIN code, in this case the test will always answer True considering that there is a Built-in authenticator.

On machines that do not have Windows Hello, or any Framework (Windows Server by default), the result is negative with all Browsers... in this case there is no built-in Authenticator. however without this JS code or ignoring the result, connecting with a Yubikey works (cross platform).

It is therefore a question of testing with this JS code only the Built-in authenticators.

Under Windows Server ou a Virtual Machine

Brave

FireFox

Edge

Chrome

I would add Chrome on Android with a Yubikey in USB or NFC, the result is also negative.

So, why put this code, if it's to ignore it ?
The fact of knowing if there is a Built-In authenticator therefore has no interest.

And here we come to the bottom of the matter, with the MDS the solution supports more than a hundred devices (for example SafeNet, or HID Smart Card or NFC solutions).
I don't want to add extra steps, I think it's up to the editors of Operating Systems, Browsers to do the work.
For me, the interactions offered by default such as "Insert your security key" are very clear, as is the cancel button which is present. I agree that the error messages are abstruse and only in English.
Indicate that my device is not supported (Yubikey anyway...) to say "I'm going on" clearly weighs down the login process, which is intended to be the simplest and fastest. For me, it's not fun, not nicer.

What I could do:

• Add localized error message
• Add a cookie to deactivate biometrics after acceptance by the user (duration ?).
• Make sure, it is already the case, that the user does not remain blocked, if he cannot use biometrics (only if biometrics is optional)

You can make your own interface (Custom Presentation), I have made many modifications to allow you to do this.
moreover, you can override all BasePresentation or BaseMFAPresentation methods such as GetFormHtmlWebAuthNSupport.

Understand my position. this extension of MFA is a security extension, often in companies imposed by the Head of Security (RSSI), users must comply with the security constraints imposed. I can assure you that in a lot of companies it is not as simple as ADFSMFA offers.

Last point, we make this product, in addition to our regular work and do not want to generate a mass of support requests or issues for people who do not have the same vision as you. (like me...)

I think the best solution is for you to develop your own UI.
In addition to the points that I told you we would realize, we can make adjustments for you if it does not cause additional problems

regards

redhook

[apr-un]

Hi @redhook62
Thanks for tests and explanations - now I understand clearly that our visions are different and that is ok :)
I'm looking forward for things You could prepare in main MFA solution (localized errors etc).

In mean time I did what You suggested. I have one project (one dll) as custom presentation adapter which is not a part of main MFA solution (has another signature) but has references to MFA dlls (not version specific). This wasn't possible when we started talking year ago, so big thank You :)

I tried to configure MFA in powershell to use this new project for presentation, but somehow its still using my old version (I did restarts, no errors in logs):

$c = Get-MFAConfig
#$c.AdapterPresentationImplementation = "Neos.IdentityServer.MultiFactor.AdapterPresentationCustomBiometric2019, CustomAdapterPresentation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=c9c528..." # my OLD version installed as part of MFA solution, has te same pfx as MFA solution
$c.AdapterPresentationImplementation = "CustomAdapterPresentation.AdapterPresentationCustomBiometric2019, CustomAdapterPresentation, Version=1.0.0.0, Culture=neutral, PublicKeyToken=81d9fb..." #my INDEPENDENT version, has different pfx 
Set-MFAConfig $c

Should it work? Or the keys needs to be the same?

In summary - what I want to achieve:

1. always install Your's newest MFA version
2. install my custom presentation (which I will be supporting to be in sync with newest MFA solution, but it should work with every MFA version unless there will be breaking changes in CustomAdapter implementation, but thats my problem )
3. enjoy having more free time ;)

Regards
apr-un

[redhook62]

Hi @apr-un

Great News !

No, the signing keys can be different.

You can post your solution (sources) in pull-requests.
For upgrades, there are 2 possibilities:

• we recompile and modify accordingly, but will be signed with our key or your key if you send it to us, all integrated into the msi. in any case, you will remain the author and the person who will maintain it.

• You post your build, and we will integrate it in the msi as an example from you, and for any problem the issues are managed by you.
  Developments can take place, but there can be very few side effects with an older Custom Presentation.
  We will adjust if necessary.

regards

[apr-un]

Hi @redhook62

I was testing versions 2203.0(my signature) and 2204.0(neos) with my custom adapter and I found two problems ;)

1. First problem (I already fixed that, but please read till end) is coming from change in version 2202.1 (from 2022-02-07 commit 8d4ca5c) when OTPWizardOptions were renamed to not negated names:

    public enum OTPWizardOptions
    {
        All = 0x0,
        MicrosoftAuthenticator = 0x1, // previous it was NoMicrosoftAuthenticator 
        GoogleAuthenticator = 0x2, // previous it was NoGoogleAuthenticator  etc 
        AuthyAuthenticator = 0x4,
        GoogleSearch = 0x8,
        CustomAuthenticator = 0x10
    }

Old versions of these names were written in ADFS configuration database (!).

After restart, new MFA server configuration files (system.db, config.db) were not created due to weird error in logs (Object reference not set to an instance of an object).

After debugging on my version of MFA files it looks like this 'null reference' is realy caused by deserialization error in XML file ( new OTPWizardOptions doesn't have valid value for NoMicrosoftAuthenticator ).

I fixed that by manually renaming these options to correct values in exported configuration file (xml) and importing it back using ADFS commands (Export-AdfsAuthenticationProviderConfigurationData / Import-AdfsAuthenticationProviderConfigurationData ),
because MFA cmdlets were not working (due to lack of configuration files :) )

So in conclusion:
please update instalation notes for 2202.1 and newer versions that it is required to export/manual update of configuration xml/import, or completly unregister MFA and register it back.

2. Second problem arose during test with NeOS version 2204.0.
   I uninstalled my version 2203.0 (unregistered MFA frst), then installed NeOS version 2204.0 with full registration for MFA.
   Installation was success, config files were created, cmdlets works.

In event log I saw errors:
Error decrypting value for Pass Phrase Encryption : The parameter is incorrect.
Error decrypting value for ADDS Super Account Password : The parameter is incorrect.
Error decrypting value for Mail Provider Account Password : The parameter is incorrect.
Error decrypting value for Default Users Pin : The parameter is incorrect.
Error decrypting value for Administration Pin : The parameter is incorrect.

I think these errors were caused by combination of:

• change of signature from my pfx to neos pfx (different decrypt?)
• lack of these values in old configuration (AdministrationPin was not present etc) or they were not encoded (for example in old config DefaultPin=1234", but in new config DefaultPin="loooong value, looks like encoded password"

I did reset these parameters to default values or in case of ADFA password to correct value, errors are gone.

But still, during login I have another 'Null reference' error - this time from
public IAdapterPresentation BeginAuthentication(Claim identityClaim, HttpListenerRequest request, IAuthenticationContext context) in file: Neos.IdentityServer.MultiFactor.Provider.cs

This function has try/catch block which hides real error:

catch (Exception ex)
            {
                Log. WriteEntry(string.Format(Resources.GetString(ResourcesLocaleKind.UIErrors, "ErrorAuthenticating"), ex.Message), EventLogEntryType.Error, 802);
                throw new ExternalAuthenticationException(ex.Message, context);
            }

In event viewer in application log I see:
"Error on authentication process !
Object reference not set to an instance of an object."

In ADFS log i see:
"
Exception details:
Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationException: Object reference not set to an instance of an object.
at Neos.IdentityServer.MultiFactor.AuthenticationProvider.BeginAuthentication(Claim identityClaim, HttpListenerRequest request, IAuthenticationContext context)
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
"

These information are not helping :)

Is it possible to change ex.Message in Log.WriteEntry to ex.ToString so all info will be logged (maybe in other places too)?
It shouldn't be too much security issue, because event log require to have access to server first, but this will greatly help me debug what
is going on ADFS.

Of course I can reinstall my version of MFA with my signatures back (I already upgraded it to 2204.0) and debug it, but this will not help me with core problem (using my custom adapter + Neos MFA)

Regards
apr-un

PS: sorry for wall of text again ;)
TL;DR:
Problem 1:
change of values which are saved in ADFS db (enums) requires full unregister/register MFA or manual changes in configuration. Uninstall old version/install new version won't help and application won't run correctly.

Problem 2:
Too many configuration errors are hidden with misleading messages (like Object reference not set to an instance of an object), please Log full exceptions in event log. It is needed to supporting custom adapters

[apr-un]

In meantime I did test with my version of MFA upgraded to 2204.0:

• unregister-mfasystem
• uninstall neos 2204.0
• install my 2204.0
• register-mfasystem
• Import-MFASystemConfiguration (from yesterday backup)
• there were errors from point 1 ( Error decrypting value for Pass Phrase Encryption : The parameter is incorrect. etc)
• fixed that with default values using Set-MFASecurity
• restarted adfs and mfa services

...and there is no error, everything works normally :(
So I can't even track this "Object reference not set to an instance of an object" :/

Regards
apr-un

[redhook62]

Hi, @apr-un

In each new version, where there are new features.
The new properties have a default value, and if certain others are modified or deleted they are ignored (by writing messages in the logs).

The good practice during an update indicating substantial modifications is to export the configuration (Export-MFASystemConfiguration) in order to be able to reinstall the previous version.

Then, to update the configuration and eliminate the messages, delete the obsolete entries, and persist the default values ​​of the new functions. you just have to Save the configuration, either with the MMC (Save) or with any Powershell command like Set-MFAConfig.

Concerning the values ​​that are encrypted in the configuration (Passwords, Pins), if the value is in clear, it will be encrypted, the new properties have a default value in clear. saving the configuration will correctly store these values ​​and eliminate the messages in the log.

So, of course, as long as the configuration has not been saved, there are risks of unexpected behavior.

Do not forget that I tested all this on 4 ADFS versions in multiple configurations (WID, SQL) (Using ADDS or SQL) (NLB or Not), if I publish it, it is that I did not detect any blocking problem.
I've updated several of my clients recently, sometimes with older or dated versions and of course I haven't had any problems.

So I will add these recommendations to the releases, namely 1) export the current configuration 2) make a Save once the update is complete.

regards

redhook

[apr-un]

Thanks for response.

I agree with all that You write, and I'm always doing backup of configuration.

But the first problem was that configuration cannot be saved using any MFA option (cmdlets, MMC - they won't work without configuration), because it cannot be correctly read from ADFS db (deserialization of previous enums caused error).
I had to use plain adfs scripts to export/correct old values manually /import it again to unblock MFA.

Thing is that I won't know how to repair it without having access to debugging - logs written in event log won't help in problem analysis because there is only ex.Message written ("Object reference not set....")

I'm sure that You tested MFA on different servers and versions, but none of them have been using MFA solution with another signature - I'm almost sure that problem is caused by using custom MFA with my signature, then uninstalling it and installing and reregistering original Neos solution.

Now my 2nd case (logs show nothing which can be used to solve problem) - can You help to make these errors understandable when read from logs ?

Regards
apr-un

[redhook62]

Hi,

What to tell you? these are the logs that I retrieve, and cannot invent them.
You also have the method in which the errors occurs.

As mentioned, if the configuration is not correct, there can be unwanted behaviors as well as errors.
For the signature of the assemblies, this is not a problem. in the sample project, example of custom Presentation is signed with another key (snk), it is not adfs which loads this extension.

Of course, you can use the ADFS cmdlets to export and import the configuration, when this configuration is not compatible with the version used.

I will consider your suggestions for future versions.

regards

[apr-un]

@redhook62
Maybe You don't understand me correctly, so let me explain again in shorter form :)
In current situation my custom adapter is not even created (breakpoint in constructor wasn't hit), and I can't debug original Neos solution (because I don't have pdb files for this solution)

This is function from You code:

adfsmfa/Neos.IdentityServer 3.1/Neos.IdentityServer.MultiFactor/Neos.IdentityServer.MultiFactor.Provider.cs

Line 152 in c430fbd

Log. WriteEntry(string.Format(Resources.GetString(ResourcesLocaleKind.UIErrors, "ErrorAuthenticating"), ex.Message), EventLogEntryType.Error, 802);

This function is in catch block but it show very little info about real error (don't show where / what is null):

catch (Exception ex)
            {
                Log. WriteEntry(string.Format(Resources.GetString(ResourcesLocaleKind.UIErrors, "ErrorAuthenticating"), ex.Message), EventLogEntryType.Error, 802);  // <<<< here change ex.Message to ex.ToString() and all info about error will be in event log
                throw new ExternalAuthenticationException(ex.Message, context); // this should not be changed, because it is shown to user
            }

Can You change ex.Message to ex.ToString in line marked with <<<< ?
So I can look into logs and see what is real problem?

Edit:
Reworded few words...

Alternatively - can You send me Neos.IdentityServer.MultiFactor.pdb file from build 2204.0 so I can attach it to debugger?
It should be located in
adfsmfa\Neos.IdentityServer 3.1\Neos.IdentityServer.MultiFactor\bin\Debug\
or
adfsmfa\Neos.IdentityServer 3.1\Neos.IdentityServer.MultiFactor\bin\Release\

Regards
apr-un

[redhook62]

Hi,

Attached is a build with the changes you requested (ex.Message -> ex.ToString())
The PDBs also concern this build, and I have put the relevant c# file for you

regards

please delete this file after
(removed)

[apr-un]

Many thanks!

I will check it tomorrow.

Regards
apr-un

[apr-un]

Hi @redhook62
Good news - I found and repair problem with "nullreference" :)
It was caused by bad reference in my custom adapter project, but to prevent future errors I would propose to add some additional safeguards to Your solution.

Thanks to pdb and cs file you prepared I successfully debuged original MFA 2204.0 and found that "Object reference not set to an instance of an object" happened in AdapterPresentation constructor, in switch which chooses adapter type (default, 2019, custom - we have "Custom" selected):

case ADFSUserInterfaceKind.Custom:
                    _adapter = LoadCustomAdapterPresentation(in provider, context.Lcid); /// <<< error happens here
                    _adapter.UseUIPaginated = provider.Config.UseUIPaginated;
                    break;

Function LoadCustomAdapterPresentation defaults to return null if it doesn't found correct type or can't load assembly (so _adapter = null). And then in next line is _adapter.UseUIPaginated = provider.Config.UseUIPaginated; which tries to assign value to property of not exiting object (and caused exception).

I think that this block of code has potential for many errors in future ;) because its not as easy as it sounds to correctly write custom adapter - it should have its own try/catch, for example:

case ADFSUserInterfaceKind.Custom:
              try {
                    _adapter = LoadCustomAdapterPresentation(in provider, context.Lcid);
                    _adapter.UseUIPaginated = provider.Config.UseUIPaginated;
              }
              catch (Exception ex)
              {
                         Log. WriteEntry("Error during loading custom adapter presentation: " + ex.ToString(), EventLogEntryType.Error, 802);
                         throw new Exception("Error during loading custom adapter presentation: " + ex.Message);
              }
              break;

This way error should correctly point future users at source of problem.

Regards
apr-un

PS: in my case source of problem was reference in CustomAdapterPresetation project to my version of MFA (strongly typed in file *.csproj with my public key, don't know why because I didn't specify version).
This caused function GetCustomAdapterPresentationType(in AuthenticationProvider provider) to return null, because it searched for dependency on my MFA which were deinstalled.

Complicated right? :)

I "repaired" it by cleaning solution, deleting references, adding new references to original dlls from Your version 2204.0 and building my solution again (this time csproj file didn't have strong name inside)

Correct references in csproj should look like:

 <ItemGroup>
    <Reference Include="Microsoft.IdentityServer">
      <HintPath>Lib\Microsoft.IdentityServer.dll</HintPath>
    </Reference>
    <Reference Include="Microsoft.IdentityServer.Web">
      <HintPath>Lib\Microsoft.IdentityServer.Web.dll</HintPath>
    </Reference>
    <Reference Include="Neos.IdentityServer.MultiFactor">
      <HintPath>NeosLib\Neos.IdentityServer.MultiFactor.dll</HintPath>
    </Reference>
...
    <Reference Include="Neos.IdentityServer.MultiFactor.Security">
      <HintPath>NeosLib\Neos.IdentityServer.MultiFactor.Security.dll</HintPath>
    </Reference>

[redhook62]

Great !
Ok, I will shield the loading of additional components with try/catch and log messages.

regards

[apr-un]

Hi @redhook62
I have found one more problem - in version 2204.1 You added try/catch and logs for loading custom adapter (thanks :) )
but according to what I see in log eventID in WriteEntry must be between 0 and 65535

catch (Exception ex)
{
   Log.WriteEntry("Error during loading custom adapter presentation: " + ex.ToString(), EventLogEntryType.Error, 80002);
   throw new Exception("Error during loading custom adapter presentation: " + ex.Message);
}

-EventId
Specifies the event identifier. This parameter is required. The maximum value for the EventId parameter is 65535.

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/write-eventlog?view=powershell-5.1

Can You fix this, please?

Regards
@apr-un

[redhook62]

Ho, yes

for next release

[apr-un]

Many thanks!
When do you plan to release next version?

Regards
@apr-un

[redhook62]

3.1.2205.0 at start of May

[apr-un]

One more thing - we're currently preparing to go to production with last version (2204.1) so we do some more tests ;)

In 2204.0 You added new messages - translations for BIOUIMessage2 (sendrequest) and BIOUIMessage3 (registration) in file
https://github.com/neos-sdi/adfsmfa/blob/master/Neos.IdentityServer%203.1/Neos.IdentityServer.MultiFactor.WebAuthN.Provider/Resources/CSHtml.resx

I think that BIOUIMessage2 currently has wrong value for button name after 'click':

 <data name="BIOUIMessage2" xml:space="preserve">
    <value>To login with your biometric device, click "Connection"</value>
  </data>

because there is no Connection value in any resx file:
https://github.com/search?q=Connection+repo%3Aneos-sdi%2Fadfsmfa+extension%3Aresx&type=Code

Correct value for this button is in file:
https://github.com/neos-sdi/adfsmfa/blob/master/Neos.IdentityServer%203.1/Neos.IdentityServer.MultiFactor/Resources/SHtml.resx

 <data name="HtmlUIMConnexion" xml:space="preserve">
    <value>Sign In</value>
  </data>

so values for all languages for BIOUIMessage2 should be corrected to translation of:
To login with your biometric device, click "Sign in"

for PL lang: Aby zalogować się za pomocą swojego urządzenia biometrycznego, kliknij "Zaloguj się"

Please add this to next version

Regards
@apr-un

[redhook62]

3.1.2205.0

[jredondo18]

Hola@redhook62

Preparé algunas mejoras al proceso biométrico (del lado del cliente, principalmente para mejorar el flujo y la experiencia del usuario) y quiero compartirlas. Tuve varios problemas con la creación/compilación de aplicaciones a partir del código fuente, pero finalmente logré hacerlo con éxito en ADFS2019 en la versión v3.12105.0. Primero tuve que hacer varios ajustes al código fuente y no estoy muy seguro de si lo estaba haciendo correctamente, así que intentaré describir mi proceso. Por favor, corrígeme dónde debería hacerse de manera diferente :)

1. Descargo el código de este repositorio de git y lo abro en VS (2019), y presiono Build; luego veo más de cien errores (principalmente debido a la falta de dlls compilados del proyecto wix o archivos pfx faltantes). Tengo que redirigir el proyecto 'NativeResources' a Windows SDK 10.0 (última versión) y PlatformVersion a v142 (vs2019).
2. Voy al proyecto DataTypes (porque no depende de otros proyectos) y lo firmo con un nuevo archivo protegido con contraseña con el nombre 'Neos.IdentityServer'. Este proyecto debería construirse correctamente ahora.
3. Voy a cada proyecto al que le falta un archivo pfx y selecciono el mismo archivo 'Neos.IdentityServer.pfx' del proyecto DataTypes. Ahora pocos otros proyectos deben construir.
4. La solución de construcción aún no es posible debido a varios errores que parecen:
   Friend access was granted by 'Neos.IdentityServer.MultiFactor.DataTypes, Version=3.0.0.0, Culture=neutral, PublicKeyToken=79dcaed57e22cca7', but the public key of the output assembly ('00240000048....009af5ac298231142f23f44c0') does not match that specified by the InternalsVisibleTo attribute in the granting assembly.
5. Para arreglar eso, uso el procedimiento de AssemblyInfo.cs para obtener la clave pública corregida y el token de clave pública para mi archivo de firma (pfx)
6. En la línea de comando del desarrollador de VS, voy a la carpeta con el archivo pfx (en el proyecto DataTypes) y ejecuto dos comandos:
   sn -p Neos.IdentityServer.pfx Neos.IdentityServer.publickey
   luego
   sn -tp Neos.IdentityServer.publickey

Esto debería mostrar la clave pública (en varias líneas) y el token. La clave pública debe copiarse en una sola línea (!): `Clave pública (algoritmo hash: sha1): 00240000048000009400000006020... 298231142f23f44c0

El token de clave pública es 79d...cca7`

Ahora puedo usar esta clave pública generada (línea larga) y reemplazarla con TODAS las claves públicas en líneas con 'InternalsVisibleTo' en todos los archivos AssemblyInfo.cs (debe tener 19 líneas y 5 archivos)

7. Los errores de 'Acceso de amigos...' ya no están, pero este reemplazo me parece incorrecto :( ¿
   Quizás estos valores se pueden cargar desde la configuración de la aplicación o algún recurso?
8. La solución aún no se puede construir en este punto, porque recibo un error en el proyecto SAS.Azure:
   'AuthenticationContext' no contiene una definición para 'AcquireToken' y no hay un método de extensión accesible 'AcquireToken' que acepte un primer argumento de tipo 'AuthenticationContext' podría ser encontrado (¿falta una directiva de uso o una referencia de ensamblado?)'
   En resumen: Microsoft.IdentityServer.Aad.Sas.dll no tiene este método, solo hay un método AcquireTokenAsync, ¿quizás esto sea específico de ADFS 2019?
9. Puedo arreglar eso usando el método asíncrono:
   var taskResult = this.authContext.AcquireTokenAsync(this._resourceUri, this._clientAssertion); authenticationResult = taskResult.Result;
10. La solución aún no se está compilando correctamente debido a la falta de archivos de configuración en los proyectos de Implementación, Multifactor y NotificationHub.
    En Deployment debe haber CustomAction.config con contenido específico (he pasado algún tiempo para encontrarlo :)):

En Multifactor y NotificationHub, los archivos app.config probablemente no sean necesarios (¿no estoy seguro de qué pueden contener?) y se pueden excluir de la solución.

11. Ahora solo hay un error, falta resgen.exe en el proyecto Console/SnapMMC.
    Este archivo se puede copiar desde las herramientas .NET, por ejemplo: C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools
12. La solución ahora se está construyendo correctamente, pero no funcionará correctamente después de la instalación (firmas incorrectas de DLL)
13. Hay una última cosa que cambiar: la cadena codificada PublicKeyToken=175aa5ee756d2aa2debe reemplazarse con nuestro propio token de clave pública 79d...cca7del paso 6 (28 veces en 8 archivos en total). Nuevamente, esto parece incorrecto: ¿tal vez estos valores se pueden cargar desde la configuración/recurso de la aplicación?
14. La aplicación adfsmfa.msi creada correctamente se encuentra en 'Neos.IdentityServer 3.1\Neos.IdentityServer.MultiFactor.WixSetup\bin...'
15. Para depurar la aplicación instalada en el nodo ADFS, necesito adjuntar a los procesos Microsoft.IdentityServer.Hosts.exe y Neos.IdentityServer.MultiFactor.NotificationHub.exe

Confirme si este proceso es correcto y luego colocaré una nueva solicitud de extracción con mis cambios para revisar. Gracias

Hi @apr-un!

Sorry for reactivating this issue,

I would like to collaborate in this project, but I have problems compiling the solution. I've been several days behind this error and I need help!

I have followed the steps of @redhook62 and the ones you indicate in this issue.

But when compiling, I get the following error:

Severity Code Description Project File Line Suppression State Error Invalid Resx file. Could not load file or assembly 'System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=9fc386302857db0f' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040) Line 290, position 5. Neos.IdentityServer.Console C:\Users\juredondo\Source\Repos\adfsmfa\Neos.IdentityServer 3.1\Neos.IdentityServer.Console\Controls\Neos.IdentityServer.Console.UserKeysControl.resx 290

Do you know what it can be?

Thank you very much in advance,

Regards

[redhook62]

Hi @jredondo18

I remind you that the .Net 4.7.2 framework is a prerequisite.

On the other hand, the System.Windows.Forms.dll assembly is part of FW 4.7.2 and its signature is as follows :

• version: 4.0.0.0 public token: b77a5c561934e089
  on your side
• version: 4.0.0.0 public token: 9fc386302857db0f

Please check your references

regards