How to upgrade VIP AD FS Two-factor authentication plugin
search cancel

How to upgrade VIP AD FS Two-factor authentication plugin


Article ID: 176600


Updated On:


VIP Service


This article contains instructions for upgrading the AD FS plugin module. Please refer to the integration guide for specific requirements.


An error can occur if the old hierarchy is used, causing AD FS authentication failures due to the certificate mismatch. 


Important considerations before upgrading: 

  • Users will not have access to AD FS services during this upgrade. To avoid downtime, route authentication traffic through a temporary AD FS server during the upgrade. After the upgrade is complete, route authentication traffic back through the upgraded AD FS servers and remove the temporary AD FS server.
  • All AD FS servers within a farm must use the same version of the VIP integration module. If a plugin version mismatch between members is detected, VIP multi-factor authentication will not function. 


  1. Create a backup of the ADFS Installation folder (C:\Program Files\Symantec\ADFS3 or C:\Program Files\Symantec\ADFS).
  2. Create a backup of the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\ADFS3.0
  3. Download the latest AD FS plug-in from VIP Manager. (VIP Manager>Account>Download Files>Third Party Integrations>Plugins> The plugin version is indicated in the version.txt file.
  4. Uninstall the AD FS Plug-in per the instructions in the Upgrading the VIP Integration Module.
  5. Install and configure the AD FS Plug-in. Configure with the same VIP User ID from step 4. If the ADFS plug-in is installed and configured in a multi-server deployment (i.e., AD FS server farm), the secondary AD FS server will show the Windows Account Name as the VIP User ID by default. However, The VIP User ID attribute on the secondary server(s) cannot be modified. The VIP User ID configured on the primary ADFS server will be used.
  6. If using the VIP JavaScript with AD FS, restore the original file by replacing the <plugin install dir>\JScripts\IAScript.js with the backup taken in step 1. 
  7. Verify the version 9.9 DLL datestamps are 5 Nov 2019:

    Note: This initial ADFS 9.9 plugin will appear in the Windows programs list as version 9.8. This is expected for this release. Please use the DLL file datestamps to verify.
  8. To verify ADFS MFA is using the VIP 9.9 plugin is installed and functioning:
    • ​​Check the VIP plugin logs on each ADFS server (i.e., \Program Files\Symantec\ADFS). VIP Authentication request IDs will contain the prefix  ADFS_9_9. For example: 12/11/2019 2:09:46 PM : User TESTUSER authentication successful, Request ID: ADFS_9_9_0_192_168_1_60_12345
    • Test the connection to the VIP cloud: Launch the VIP Integration console. Click the Test Settings button, enter a valid user name and security code, then click OK. A successful response indicates a trusted connection was established to the Authentication URL

If your organization cannot immediately install the latest AD FS plug-in, certificate pinning can be temporarily disabled. The following steps are recommended as a temporary workaround only until such time the VIP plugin can be upgraded to version 9.9.

To temporarily disable certificate pinning:

(Please backup the Windows Registry before proceeding:

  1. On a Windows machine, click on the Start button and then click Run.
  2. In the search box or Run window, type regedit, then press Enter.
  3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\ADFS3.0
  4. Set the CertPinEnabled flag to zero 0. This will disable certificate pinning.
  5. Restart the AD FS service. 
  6. Exit the registry.