[ADFS-Provider] Error: PrivacyIDEA is not initialized!

Hello everyone,

I’m facing an issue with the ADFS Provider version 1.2.0.
After installing it on our ADFS farm (2x servers, Windows 2016) and trying to authenticate via TOTP token, I get the error "PrivacyIDEA is not initialized!".

The ADFS event log just shows the same message.
The debug log looks like this:

[2023-12-07T14:45:15] BeginAuthentication: identityClaim: myDomain\myusername
[2023-12-07T14:45:15] UPN value: not used, Domain value: myDomain
[2023-12-07T14:45:15] No values for header “” found.
[2023-12-07T14:45:15] privacyIDEA not initialized!
[2023-12-07T14:45:38] TryEndAuthentication
[2023-12-07T14:45:38] Key ‘authSuccess’ could not be found in dict, returning default value ‘’.
[2023-12-07T14:45:38] PrivacyIDEA is not initialized!
[2023-12-07T14:45:38] OnError, ExternalAuthenticationException: PrivacyIDEA is not initialized!

So that doesn't really give me a clue about what went wrong.

I can access the PrivacyIDEA server with PowerShell and an Invoke-WebRequest:
status code 200 and HTML in the response.
With the local server's IE I can connect, but the page stays blank.

On the PrivacyIDEA server nothing is logged. So it seems that there is no connection at all between the servers.

In front of the PrivacyIDEA server we have an HAProxy cluster.
I configured the HAProxy as "pass through" so there's no termination of the traffic. I did this because I assumed that terminating the SSL traffic on HAProxy would be considered a security issue.

Do you guys / girls have any idea what's wrong?

Thanks in advance
Greetings

Hi,
"privacyidea" in the log of the ADFS means the privacyidea object that is used by the ADFS provider, not your privacyidea server.
I wonder how you made it get to that error. Did you restart your ADFS server?
After the restart you should see
"OnAuthenticationPipelineLoad: Provider Version …"; that is where the initialization happens.

To get to that point, there should be an error somewhere else. You can also check the event log.

Hey @nilsbehlen,

First things first: Happy New Year.
Sorry for my late response, holiday season ;).

Yes, I did restart both servers in the farm:

Install the adapter on one ADFS server → restart the server → install the adapter on the second server → restart.

  • Configured the Authentication Method
  • Configured the Access Control Policy (MFA for specific group).

The event log doesn't really give me more information.

  1. Event → ID = 9901, Source = privacyIDEAProvider, Info = PrivacyIDEA is not initialized!

  2. Event → ID = 364, Source = AD FS

Information from the second event:
Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationException: PrivacyIDEA is not initialized!
bei privacyIDEAADFSProvider.Adapter.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& outgoingClaims)
bei Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandlerBase.TryEndAuthentication(IAuthenticationContext authContext, IProofData proofData, HttpListenerRequest request, Claim[]& adapterClaims)
bei Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
bei Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
bei Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

The debug log shows the following three times:

[2023-12-07T06:51:25] OnAuthenticationPipelineLoad: Provider Version 1.2.0.0
[2023-12-07T06:51:25] Read config values:
[2023-12-07T06:51:25] use_upn =
[2023-12-07T06:51:25] url = https://pi.mydomain.com
[2023-12-07T06:51:25] disable_ssl =
[2023-12-07T06:51:25] tls_version = “”
[2023-12-07T06:51:25] enable_enrollment =
[2023-12-07T06:51:25] service_user =
[2023-12-07T06:51:25] service_pass =
[2023-12-07T06:51:25] service_realm =
[2023-12-07T06:51:25] realm =
[2023-12-07T06:51:25] trigger_challenges =
[2023-12-07T06:51:25] send_empty_pass =
[2023-12-07T06:51:25] otp_hint =
[2023-12-07T06:51:25] forward_headers = “”
[2023-12-07T06:51:25] preferred_token_type = “”
[2023-12-07T06:51:25] Given TLS version (“”) has wrong format! Using default version from system.

What's odd is that at least "use_upn" should have a value, because I checked the checkbox while installing.

We're using a Microsoft Group Managed Service Account (gMSA) for our ADFS server.
Are there some privileges to be set?

EDIT: Another thing I have to mention is that we successfully connected our privacyIDEA server with a different ADFS farm before (lab env.). Same adapter version; the only difference between prod and lab is that we only have one ADFS server in our lab environment.

Thanks in Advance
Greetings

Hi,
This is strange.

We're using a Microsoft Group Managed Service Account (gMSA) for our ADFS server.
Are there some privileges to be set?

No, it is already running, so that's fine.
The problem is probably coming from what you stated in your edit. Does it work when you shut down one of the servers? Are they updated / the same version as your lab?
I cannot really imagine how this problem occurs, because it means our provider has lost its config data while running. While we could recover from that because the config is in the registry, it is not how that interface was intended by MS.

Our test setup is a single Server 2019, so we might expand with another to check, but that will take time. However, we cannot account for an outdated Server 2016.

We had the same issue. The issue on Server 2016 is solved by installing .NET 4.8.

Just take a look at the requirements:

The default version on Server 2016 is version 4.6.2:

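As an added example (not code from the thread or from the privacyIDEA project), the following PowerShell snippet checks, on one ADFS farm node at a time, the two things this thread ended up hinging on: whether .NET Framework 4.8 is installed, and whether the privacyIDEA URL that the provider read from its config (https://pi.mydomain.com in the debug log above) is reachable from that node. The .NET check reads the Release DWORD under the NDP\v4\Full registry key; 528040 is the lowest value that denotes 4.8, so anything below it (for instance the 4.6.2 that ships with Server 2016) fails the check. The helper names and the TLS 1.2 enforcement are my own assumptions, not settings from the provider.

```powershell
# Added example (not from the thread): run this on each ADFS farm node as an
# administrator and compare the results across nodes.

function Get-NetFrameworkRelease {
    # Release DWORD identifies the installed .NET Framework 4.x build.
    # 528040 and above == 4.8 or newer; Server 2016 default 4.6.2 is 394806.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    (Get-ItemProperty -Path $key -Name Release -ErrorAction Stop).Release
}

function Test-PrivacyIdeaReachable {
    param([Parameter(Mandatory)][string]$Url)
    # Force TLS 1.2 for this session so the check does not pass only because an
    # older protocol was negotiated (assumption: the reverse proxy allows TLS 1.2).
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Url = $Url; Reachable = $true;  Status = $resp.StatusCode; Error = $null }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Status = $null; Error = $_.Exception.Message }
    }
}

$piUrl   = 'https://pi.mydomain.com'   # URL as shown in the provider's debug log
$release = Get-NetFrameworkRelease
$hasNet48 = $release -ge 528040

Write-Output ("{0}: .NET Framework Release={1} -> {2}" -f $env:COMPUTERNAME, $release,
    $(if ($hasNet48) { 'OK (4.8 or newer)' } else { 'MISSING: install .NET Framework 4.8' }))

$check = Test-PrivacyIdeaReachable -Url $piUrl
if ($check.Reachable) {
    Write-Output ("{0}: {1} -> HTTP {2}" -f $env:COMPUTERNAME, $check.Url, $check.Status)
} else {
    Write-Output ("{0}: {1} -> FAILED: {2}" -f $env:COMPUTERNAME, $check.Url, $check.Error)
}
```

Run it on every node of the farm: in this thread the two prod nodes differed from the single lab node only in the OS (2016 vs. 2019) and hence in the default .NET version, which is exactly the kind of per-node difference this prints side by side. An HTTP 200 from the reachability check only proves the proxy answers; if privacyIDEA itself logs nothing, the pass-through configuration on HAProxy is the next place to look.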