"The process cannot access the file" when trying to run Register-MFASystem

[acckej]

Hey team,
I am trying to set up adfsmfa on the virtual machine with Windows Server 2019 with domain controller and ADFS service running.
And I keep getting this error while trying to run Register-MFASystem:

I assume this is a conflict with MFA Notification Hub service, but stopping it does not really help either:

And of course I run the PS command under Local\Domain admin account.

Any help would be appreciated!)

[redhook62]

Hi @acckej

First, ADFS should never be installed on a domain controller. as a machine exposed on the internet there must not be a directory exposed on the net, but in a protected perimeter.

So I will not provide assistance in this kind of configuration.

On your first screen, the locked file does not belong to the MFA component...

Probably your shaky configuration on a domain controller.
Moreover, this is simply the correct configuration of ADFS, you must authorize management for administrators in the ADFS admin console and any PS command must be opened in Admin mode.

On the other 2 screens, if you have stopped the MFA service, this is perfectly normal. Please leave it active.

regards

[acckej]

Hi @redhook62, thanks for the reply!

I've followed your advice and have reconfigured my setup from scratch, deployed domain controller and AD FS on two separate machines. Looks like AD controller and AD FS are deployed and operational, no errors in events log so far.
And I tried to deploy Neos MFA again, installed the *.msi, and ran Register-MFASystem command again. Unfortunately, the same error.

Looks like this ...AppData\Local\Temp... file is just a temporary one which is being created at some point in the process of registration.

For context, my MFA Notification Hub is running under separate account which is member of local admins and separate AD FS admins group which is member of Administrators, Cert Publishers, Domain Admins, Enterprise Admins groups. So, I assume the cause of the problem is not a lack of permissions.

May be you have any ideas or hints? Thanks!

[redhook62]

Hi

The MFA Notification Hub service MUST run under the "System" account.

This is stated in the Wiki !

If you want to use another account two things,

1. this is not supported,
2. it is up to you to give ALL necessary rights to the account you have chosen.

regards

[acckej]

Hi @redhook62, huge thanks for the quick reply.

This is just a test setup, so I am not really concerned about its security right now, just trying to get it working first.
I've changed MFA Notifications Hub account to the "System".

No luck, same error :(

After I've restarted the service the event log looks like following:

I assume the error "No authentication provider with name 'MultifactorAuthenticationProvider' is present in the policy store" is there because I haven't registered MFA system yet, which I am trying to do.

Regards.