ExternalAuthenticationHandler.Process() exception: System.Net.WebException: The request failed with HTTP status 405: Method Not Allowed

It’s turning into a month of school-boy/layer-8 issues.  Evidently I need to slow down!

Scenario

You are integrating Windows Server 2012 R2 Active Directory Federation Services (AD FS), a.k.a. AD FS 3.0, with an on-premises Azure Multi-Factor Authentication (MFA) Server.  The Azure MFA Server is a separate server from AD FS, and you have successfully verified that the Azure MFA SDK web service is correctly installed and operational.

You have installed the Azure MFA AD FS agent on each of your Federation Service (FS) servers and registered the secondary authentication provider.

Issue

When you invoke MFA, authentication fails and the following error is logged in the AD FS tracing event log.

ExternalAuthenticationHandler.Process() exception: System.Net.WebException: The request failed with HTTP status 405: Method Not Allowed.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at pfadfs.pfwssdk.PfWsSdk.CanonicalizeUser(String username, String& canonicalUsername, Error& error)
   at pfadfs.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.IsAvailableForUser(Claim identityClaim, IAuthenticationContext authContext)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
Identifier: WindowsAzureMultiFactorAuthentication, ContextId: b1f69385-e8d9-4fae-82c4-09234a5e5294


The Azure MFA adapter configuration file is as follows (for simplicity I’m using username and password, I imagine you’ll be using a certificate, but it’s unimportant for this particular issue):

<ConfigurationData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <UseWebServiceSdk>true</UseWebServiceSdk>
    <WebServiceSdkUrl>https://mfa.abstractsynapse.com/MultiFactorAuthWebServiceSdk</WebServiceSdkUrl>
    <WebServiceSdkUsername>EMEA\svc-amfa</WebServiceSdkUsername>
    <WebServiceSdkPassword>YourPasswordGoesHere</WebServiceSdkPassword>
    <WebServiceSdkCertificateThumbprint></WebServiceSdkCertificateThumbprint>
</ConfigurationData>

Resolution

Enter the Web Service SDK URL correctly!

You must remember to include pfwssdk.asmx in the WebServiceSdkUrl element, e.g.

<WebServiceSdkUrl>https://mfa.abstractsynapse.com/MultiFactorAuthWebServiceSdk/pfwssdk.asmx</WebServiceSdkUrl>

Important.

If you change the configuration you must unregister the adapter and register it again – bouncing the service won’t pick up the configuration, as it is written into the AD FS configuration database during registration only.
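The following PowerShell script is an added example (not from the original post or from the Azure MFA adapter itself) that checks the adapter configuration file for exactly this mistake before you register it: it confirms the WebServiceSdkUrl ends in /pfwssdk.asmx, flags a non-HTTPS URL or password-based SDK authentication, and probes the endpoint with a ?WSDL GET, which any ASMX service answers with its service description. The configuration file path is a placeholder, and the Register/Unregister script names in the closing comment are the ones shipped in the adapter's installation folder.

```powershell
# Added example: sanity-check the Azure MFA AD FS adapter configuration.
# $ConfigPath is a placeholder; point it at your adapter's configuration file.
param(
    [string]$ConfigPath = 'C:\path\to\MultiFactorAuthenticationAdfsAdapter.config'
)

[xml]$config = Get-Content -Path $ConfigPath -Raw
$data = $config.ConfigurationData

if ($data.UseWebServiceSdk -ne 'true') {
    Write-Warning 'UseWebServiceSdk is not true; the adapter will not call the Web Service SDK.'
}

$url = $data.WebServiceSdkUrl
# The SOAP endpoint is the pfwssdk.asmx page itself. Pointing the adapter at the
# virtual directory makes IIS reject its SOAP POST with HTTP 405 Method Not Allowed.
if ($url -notmatch '/pfwssdk\.asmx$') {
    Write-Warning "WebServiceSdkUrl '$url' does not end in /pfwssdk.asmx; expect HTTP 405 from the adapter."
    $url = $url.TrimEnd('/') + '/pfwssdk.asmx'
    Write-Host "Suggested value: <WebServiceSdkUrl>$url</WebServiceSdkUrl>"
}

if (-not $url.StartsWith('https://', [System.StringComparison]::OrdinalIgnoreCase)) {
    Write-Warning 'WebServiceSdkUrl is not HTTPS; SDK credentials would cross the network unprotected.'
}

if ([string]::IsNullOrEmpty($data.WebServiceSdkCertificateThumbprint) -and $data.WebServiceSdkPassword) {
    Write-Host 'Adapter authenticates to the SDK with a username/password; a client certificate thumbprint is preferable.'
}

# Probe the endpoint: an ASMX service returns its WSDL for a GET of <url>?WSDL.
try {
    $resp = Invoke-WebRequest -Uri "$url?WSDL" -UseBasicParsing -UseDefaultCredentials
    if ($resp.Content -match '<wsdl:definitions') { Write-Host "SDK reachable: $url" }
    else { Write-Warning 'Endpoint answered but did not return a WSDL document.' }
}
catch {
    Write-Warning "Could not reach $url : $($_.Exception.Message)"
}

# The adapter reads this file only at registration time. After editing it, run
# Unregister-MultiFactorAuthenticationAdfsAdapter.ps1 and then
# Register-MultiFactorAuthenticationAdfsAdapter.ps1 from the adapter's
# installation folder, then restart the Federation Service.
```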

More information

If you do bounce the service, you will actually notice an issue with the configuration when /pfwssdk.asmx is missing from the <WebServiceSdkUrl> endpoint.

Event ID: 105.

Source: AD FS.

Description: An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.

Identifier: WindowsAzureMultiFactorAuthentication

Context: Proxy TLS pipeline