Questions about MMC management outside ADFS and Override MFA method attribute #387
Closed
jaroslawkalinowski99-ctrl
started this conversation in
General
Our answers are included in your request.
Hi,
First of all, thank you for your work.
Thank you for your feedback.
I have a couple of questions regarding administration and configuration:
Is there any known way to run or access the MMC console for managing the plugin outside of ADFS itself?
No, as you've noticed, remote access is only allowed with PowerShell (which allows you to access all options, although there are some restrictions when accessing the plugin remotely).
I know that some administrative tasks can be performed remotely via PowerShell.
I’m aware that certain management tasks can be performed remotely using PowerShell. However, I’m specifically wondering whether it’s possible to access or invoke the same MMC console available on the ADFS server from outside, for example, by connecting to it remotely or exposing it in some way without the need to log directly onto the ADFS server.
We developed a plugin, and we absolutely did not want to replace or modify the security features of ADFS. Therefore, we do not provide any remote access method other than PowerShell via WinRM.
If we develop a version 4 in the future, it would be possible to consider a web service subject to ADFS rights and access. But only if Mr. Trump is no longer President of the USA...
Please note that in the current version, a web service is available for communication between ADFS servers (such as anti-replay) and between ADFS and the MFA service. The data streams are fully encrypted, with additional ACLs.
Regarding the AD storage mode: how exactly does the attribute used for the "Override MFA method" setting work?
After user registration, I can see that it stores values like:
{"Code":0,"External":0}
Yes, you have enabled two MFA methods, neither of which is selected by default. The MFA method offered to users will be the one defined globally. You must allow users to choose their preferred MFA method.
The value will be set to 1 to indicate the preference.
Could you please clarify:
What do these values represent?
How should this attribute be interpreted or used when managing or troubleshooting MFA settings?
Thanks in advance for your help!