Debugging and Troubleshooting your MFA adapter

Debugging your adapter

If you hit a problem with either the sample or your own adapter, you will probably want to attach a debugger to see what is going on. Attach your debugger to the AD FS service process, Microsoft.IdentityServer.ServiceHost.exe.

If you are using Visual Studio 2012 you can do this locally or remotely.

Tips for remote debugging in Visual Studio 2012

  • Install the VS 2012 remote debugging components on the AD FS test machine
  • After installation, the first time you run “Remote Debugger” it will configure the remote debugging components on the test STS (including the correct firewall settings)
  • On the dev box:
    • Ensure the configured list of symbols file locations (Debug->Options and Settings->Debugging->Symbols) contains an entry that points to the location of your pdb file
    • Ensure the version of the dll and pdb match and match the source
    • Ensure you are running VS 2012 as elevated (run as administrator from Start page)
    • Start remote debugging by choosing the menu option Debug...Attach to process... and selecting the AD FS service process (Microsoft.IdentityServer.ServiceHost.exe)
    • Specify the remote machine and port in the Qualifier (you can get the port from the UI of the Remote Debugger itself)
    • Ensure Attach to: is set to Managed (v4.5, v4.0) code (this will require elevation)
    • Once attached, find your dll in the Modules window and ensure the symbols are loaded

Finally, initiate a login (for example, by opening the IDP initiated signon html page) and sign in as a valid Active Directory user.
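The checklist above is easy to get wrong in two places: the adapter dll is not actually loaded into the AD FS process yet (so it never appears in the Modules window), or the dll the process loaded is not the build your pdb belongs to. The following script is an added example, not part of the original page or the AD FS sample; it runs elevated on the AD FS test machine before you attach and checks both. The assembly name MFAAdapter.dll and the build output path C:\build\MFAAdapter are assumptions; substitute your own.

```powershell
# Added example (not from the original page): pre-attach checks for debugging an MFA adapter.
# Run elevated on the AD FS test machine. Assumed (hypothetical) values: the adapter assembly is
# MFAAdapter.dll and the matching .pdb sits next to the dll in C:\build\MFAAdapter.
$adapterName = 'MFAAdapter'              # assumed assembly name
$buildDir    = 'C:\build\MFAAdapter'     # assumed path to your build output

# 1. The debugger target is the AD FS service host. Capture its PID for Attach to Process.
$svc = Get-Service -Name adfssrv -ErrorAction Stop
if ($svc.Status -ne 'Running') { throw "AD FS service is $($svc.Status); start it before attaching." }
$proc = Get-Process -Name 'Microsoft.IdentityServer.ServiceHost' -ErrorAction Stop
"AD FS host PID: $($proc.Id)"

# 2. Is the adapter loaded into that process? If it is not listed here, Visual Studio's Modules
#    window will not show it either: the provider is not registered, not enabled in the global
#    policy, or the service has not been restarted since the GAC was updated.
$loaded = $proc.Modules | Where-Object { $_.ModuleName -ieq "$adapterName.dll" }
if (-not $loaded) {
    Write-Warning "$adapterName.dll is not loaded in PID $($proc.Id)."
} else {
    "Loaded from:  $($loaded.FileName)"
    "File version: $($loaded.FileVersionInfo.FileVersion)"
}

# 3. Symbols only resolve if the loaded dll is the same build as the pdb you point VS at.
#    Compare the loaded (GAC) copy against the build output byte for byte via SHA-256.
$built = Join-Path $buildDir "$adapterName.dll"
$pdb   = Join-Path $buildDir "$adapterName.pdb"
if (-not (Test-Path $pdb)) { Write-Warning "No pdb at $pdb; add $buildDir to the VS symbol locations once it exists." }
if ($loaded -and (Test-Path $built)) {
    $gacHash   = (Get-FileHash -Path $loaded.FileName -Algorithm SHA256).Hash
    $buildHash = (Get-FileHash -Path $built -Algorithm SHA256).Hash
    if ($gacHash -ne $buildHash) {
        Write-Warning "Loaded dll differs from $built; re-run gacutil /if and restart adfssrv before attaching."
    } else {
        "Loaded dll matches the build output; symbols from $pdb should load."
    }
}
```

Reading another process's module list requires an elevated session, which is also why the page tells you to run Visual Studio as administrator.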


Additional / Troubleshooting Information

Get PublicKeyToken value for sn signed assembly (cmd line)

C:\> sn.exe -T MFAAdapter.dll

Add assembly to GAC on AD FS server (cmd line)

C:\>.\gacutil.exe /if .\MFAAdapter.dll

View assembly in the GAC (cmd line)

C:\> .\gacutil.exe /l mfaadapter

Remove assembly from GAC (cmd line)

If you need to remove and replace the assembly with an updated version, use 'gacutil /u ...' to remove the old assembly from the GAC and 'gacutil /if ...' to add the new one. (You may need to increment the assembly version in Visual Studio before building in order for the dll to be truly replaced.)

First, use the following command to find the fully qualified strong name of the entry:

C:\>.\gacutil.exe /l mfaadapter

Then, use the following command to remove it from the GAC:

gacutil /u "<output from the above command>"

Example:

C:\>.\gacutil /u "mfaadapter, Version=1.0.0.0, Culture=neutral, PublicKeyToken=2ed0b0f386e8e3a4"

Unregister provider (PowerShell)

PS C:\> Unregister-AdfsAuthenticationProvider -Name "MyMFAAdapter"

  • Note that the value you pass for "Name" is the same value you provided as "Name" to the Register-AdfsAuthenticationProvider cmdlet. It is also the "Name" property output by Get-AdfsAuthenticationProvider.
  • Note that before unregistering a provider, you must remove the provider from the AdfsGlobalAuthenticationPolicy (either by clearing the checkboxes you checked in the AD FS admin MMC snap-in or by using PowerShell)
  • Note that the AD FS service must be restarted after this operation

Re-register provider with config data (PowerShell)

PS C:\> Register-AdfsAuthenticationProvider -TypeName YourTypeName -Name "MyMFAAdapter2" -ConfigurationFilePath "C:\sources\configData.txt"

  • Note that the AD FS service must be restarted after this operation
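The sections above describe one procedure spread over several commands: take the provider out of the global policy, unregister it, clear the old assembly from the GAC, install the new build, re-register with config data, and restart AD FS. The script below strings those steps together in the required order. It is an added example, not part of the original page or the AD FS sample. Assumed (hypothetical) values: gacutil.exe in the current directory, the new build at C:\build\MFAAdapter.dll, a provider registered as "MyMFAAdapter", and the adapter class MFAAdapter.MyAuthenticationAdapter; the TypeName format "<namespace>.<class>, <strong name>" is also an assumption. Instead of reading the public key token from sn.exe -T, it reads the full strong name from the dll's assembly metadata, which yields the same token.

```powershell
# Added example (not from the original page): replace an MFA adapter in the GAC and re-register it.
# Run in an elevated PowerShell session on the AD FS server. All names and paths are hypothetical.
$providerName = 'MyMFAAdapter'                 # value given to Register-AdfsAuthenticationProvider -Name
$assemblyName = 'MFAAdapter'                   # assembly (dll) name without extension
$newDll       = 'C:\build\MFAAdapter.dll'      # freshly built, strong-name signed assembly
$configFile   = 'C:\sources\configData.txt'    # adapter configuration data
$gacutil      = '.\gacutil.exe'                # assumed to be in the current directory
$adapterClass = 'MFAAdapter.MyAuthenticationAdapter'   # assumed <namespace>.<class> of the adapter

# 1. Remove the provider from the global authentication policy first; Unregister fails while in use.
$policy    = Get-AdfsGlobalAuthenticationPolicy
$remaining = @($policy.AdditionalAuthenticationProvider | Where-Object { $_ -ne $providerName })
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $remaining

# 2. Unregister the provider by the same Name that was passed at registration time.
if (Get-AdfsAuthenticationProvider -Name $providerName -ErrorAction SilentlyContinue) {
    Unregister-AdfsAuthenticationProvider -Name $providerName -Confirm:$false
}

# 3. List the fully qualified strong name(s) of the old assembly and remove each from the GAC.
#    gacutil /l prints one "<name>, Version=..., Culture=..., PublicKeyToken=..." line per entry.
$entries = & $gacutil /l $assemblyName |
    Where-Object { $_ -match "^\s*$assemblyName,\s*Version=" } |
    ForEach-Object { $_.Trim() }
foreach ($entry in $entries) {
    "Removing from GAC: $entry"
    & $gacutil /u "$entry" | Out-Null
}

# 4. Install the new build. Its strong name (Version, Culture, PublicKeyToken) is read from the
#    assembly metadata; the token equals what sn.exe -T prints. Bump AssemblyVersion before
#    building if the old entry refuses to clear, as the page notes.
& $gacutil /if $newDll | Out-Null
$asm = [System.Reflection.AssemblyName]::GetAssemblyName($newDll)
if ($asm.GetPublicKeyToken().Length -eq 0) { throw "$newDll is not strong-name signed; the GAC requires it." }
$typeName = "$adapterClass, $($asm.FullName)"
"Registering TypeName: $typeName"

# 5. Re-register with the config data, then restart AD FS so the new assembly is loaded.
Register-AdfsAuthenticationProvider -TypeName $typeName -Name $providerName -ConfigurationFilePath $configFile
Restart-Service -Name adfssrv
Get-AdfsAuthenticationProvider -Name $providerName
```

After the restart, re-enable the provider in the global policy (the MMC checkbox or Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider) before testing a login; step 1 deliberately left it out of the policy.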