Server Error in ‘/MultiFactorAuth’ Application

By | 2nd August 2018

We recently switch over the Azure MFA Server (on-prem) solution and during our test we did not experience any problems. However when we started to onboard our users (approx. 5.000) we received a few calls from users, less than 10, who were unable to sign in to the User Portal.

Assuming you didn’t specify any custom error messages the default error message the user receives is:
Server Error in ‘MultiFactorAuth’ Application


Image01 – click image to enlarge

Unable to figure out why this was happening I changed the web.config in the MultiFactorAuth directory to display more details on the error.
Change or add the line: <customErrors..> in the web.config file to read: <customErrors mode =”Off”/>

With this setting changed the user now sees a more comprehensive error message, like the one below.


Image02 – click image to enlarge

Basically the message is saying the password field contains HTML markup or script. The user password is also displayed in the error message, in this example we used: P@ssword<ie as the password. The character “<” in itself is not the issue but a combination of the “<” followed by “i” in this case is the issue.

There are a couple of solutions you can think of. We decided in to manually onboard these users because our users will only be accessing the user portal when changing phone registration.

Asking the user community to not use a specific character which you can’t force using native active directory was not our preferred solution. Aside from that you want your users to use complex passwords.
You might choose a different solution but that depends on your environment.

Just be aware that if your users receive the above error message (Image01) that this might be caused by specific characters in their password.




I hope this was informative. For questions or comments you can always give a reaction in the comment section or contact me:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.