Authentication context not added / Context validation failed errors authenticating with RSA Authentication MFA Agent for AD FS
a year ago
Originally Published: 2025-04-29
Article Number
000058156
Applies To

RSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Agent for AD FS
RSA Version/Condition:  2.0.x, 3.0.3.86 

Issue
This article explains how to resolve the following error with the RSA Authentication Agent 2.0.x for AD FS when using the agent for two factor authentication.
  • Configuring multifactor authentication (MFA) on a Windows Server with RSA Authentication Agent 2.0.x for AD FS with RSA SecurID for secondary authentication has no issues and user authentication is successful.
  • While configuring MFA on a Windows Server with RSA Authentication Agent 2.0.x for AD FS with RSA SecurID for primary authentication, breaks authentication. 
  • The user is not prompted to enter the passcode and is presented with the following error:
Cannot authenticate. Contact your administrator.
User-added image
  • The RSA Authentication Activity Monitor shows no authentication from that agent.
  • The log snippet below (by default in C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\logs/rsa_adfs.log) has the following errors:
2020-05-11 11:51:03,808 [52] INFO AuthnAdapter - Claim Type =
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
2020-05-11 11:51:03,808 [52] INFO AuthnAdapter - BeginAuthentication: Username obtained from AD FS: vcloud\jdoe
2020-05-11 11:51:03,808 [52] INFO AuthnAdapter - BeginAuthentication:
Initial state: ActivityId = 89257732-629e-4bd2-8c00-0080010000cf, ContextID = 42e89c9c-2561-40f2-9507-d3fedb6a5c10,
User = jdoe, lcid = 1033
2020-05-11 11:51:03,808 [52] DEBUG AuthnContextValidator - Searching authentication context...
2020-05-11 11:51:03,808 [52] DEBUG AuthnContextValidator - Continuing search...
2020-05-11 11:51:03,808 [52] DEBUG AuthnContextValidator - Searching authentication context...
2020-05-11 11:51:03,808 [52] DEBUG AuthnContextValidator - Adding default authentication context
2020-05-11 11:51:03,808 [52] DEBUG AuthSessionAdapter - BeginAuthentication(): Authentication context not added.
2020-05-11 11:51:03,808 [52] INFO AuthSessionAdapter - BeginAuthentication(): Initial state: ActivityId =
89257732-629e-4bd2-8c00-0080010000cf, ContextId = 42e89c9c-2561-40f2-9507-d3fedb6a5c10, authState = NotAuthenticated
Resolution
To resolve this issue,
  1. Ensure that the RSA SecurID Authentication Agent 2.0.2 for AD FS and RSA SecurID Authentication Agent 2.0.2 GPO are installed.
  2. Review the RSA Authentication Agent 2.0.2 for Microsoft AD FS Group Policy Object Template Guide.
  3. From Local Authentication Settings, set Validate the AD FS authentication context to Disabled.
User-added image
  1. Following the steps on page 28 of the RSA Authentication Agent 2.0.2 for Microsoft® AD FS Administrator's Guide, unregister the agent then re-register it.
  2. Restart AD FS services.
  3. Users are now be prompted to enter their RSA passcode. Authentication should work as expected. 
Notes

Agents can be unregistered and registered using the MFAAuthProviderConfigSettings.ps1 scripts that are included with the agent.

 

Initial problem with lack of logs or 0 byte logs was a permission issue. Customer states that the "SVCADFS" service account did not have access to write to the "ADFS MFA Adapter" folder. Customer granted these permissions and then logs were being written.

  • MFA Agent for ADFS v. 3.0.3.86 logs show:

    2025-04-10 10:22:56,365 [23] ERROR AuthSessionAdapter - TryEndAuthentication: ActivityId = 70a405e1-0bc8-452a-aef5-8b58573d4083, ContextID = 749efb01-7c11-4103-bab5-f21967037b86 lcid = 1033 User = Test_SecurID01, Initial AuthState = CALL_INITIALIZE: Context validation failed. Ending AuthState = INIT_FAILED

Related Articles

Trending Articles

Don't see what you're looking for?