Initial MFA page shows with delay

[behrouzamiri]

Question
On each first MFA page (like redirecting to profile roll-up, or the first MFA provider page for an already enrolled user) a ~21 second delay is observed. What might it be related to?

Config: 2xADFS servers within same subnet, AD with ~40K objects, SQL as DB in always on availability mode, PDC is located in another site. checked Network connectivity but couldn't find anything weird, however can investigate more if you provide what other things (i.e. CA server, etc) is involved and might be checked.

I'll be more than happy to provide more details in case you need.

Get-MFAConfig

AdminContact                      : [email protected]
Issuer                            : Company
DefaultCountryCode                : en
DefaultProviderMethod             : Choose
LimitEnrollmentToDefaultProvider  : False
UserFeatures                      : AllowChangePassword, AllowManageOptions, AllowProvideInformations,
                                    AllowEnrollment, AdministrativeMode
CustomUpdatePassword              : True
KeepMySelectedOptionOn            : True
ChangeNotificationsOn             : True
AllowPasswordsReset               : False
UseOfUserLanguages                : True
AllowPauseForDays                 : 0
AdvertisingDays                   : {FirstDay : 1; LastDay : 31; OnFire : True}
UiKind                            : Default
UseUIPaginated                    : False
PrimaryAuhenticationOptions       : None
AdapterPresentationImplementation :
ForcedLanguage                    :

[redhook62]

Hi @behrouzamiri

If this problem occurs for every user and every new login. I invite you to look at the “Anti-Replay” side. Have you opened the firewall rules between your 2 ADFS servers tcp port 5987 as indicated in the documentation [Firewall Rules] ??(https://github.com/neos-sdi/adfsmfa/wiki/01-Installation#configure-windows-firewall-rules)

Test-NetConnection -ComputerName fqdn.adfsserver.1 -Port 5987
Test-NetConnection -ComputerName fqdn.adfsserver.2 -Port 5987

Another point, your ADFS servers must be located near a domain controller in your LAN.
Your topology is bad and exotic !

regards

[behrouzamiri]

Since both ADFS servers are within the same subnet, there's no network limitation between the two.
no firewall rules are in place between the two, as well.

Also, I checked while($true){netstat -ano | select-string -match "syn"} to see if there's a connectivity issue, but during the delay, I couldn't observe a thing.

Topology is reasonable, it's just network segmentation, no big deal.
Do you recommend to debug the code to see where the delay is happening?
Do you believe that type of encryption or key-size, or anything DB related might be the cause?

Also, I've updated to the latest build, and there was no difference.

[behrouzamiri]

I have tested by disabling Anti-Replay feature, and it did not work.
Ports are open as I specified the ADFS Servers are within the same LAN.
I'm observing almost a fixed amount of delay time, like 16 seconds.
this is most likely something is being time-out or alike.
can you point me to things that could be related?

[PsySuck]

@behrouzamiri try to add domain.com record to your host file. Record should contain ip of nearest domain controller. May be it will help.

[redhook62]

Yes, there is a 15 second timeout.
ADFS should be able to call the MFA Service locally without issue.
On the other hand, for anti replay the ADFS servers are always requested with a timeout of 15 seconds.
ADFS security applies.
I think your firewalls are blocking calls