Issue description
When users try to log in to a Windows machine protected by ADSelfService Plus MFA, they may encounter an error message with code MFA-041. This error indicates a communication failure between the login agent on the user's computer and the ADSelfService Plus server, which prevents the user from completing the MFA challenge and accessing the machine.
Possible causes
This error points to a configuration mismatch between the login agent on the client machine and the ADSelfService Plus server. The two most common causes are:
Time mismatch: The system time on the client machine is out of sync with the ADSelfService Plus server time.
Invalid installation key: The installation key acts as a shared secret that the agent and server use to trust each other. If you regenerate this key in the ADSelfService Plus portal, any agents using the old key can no longer connect. This error typically happens when a newly installed agent has not communicated with the server before the key was changed, making its stored key obsolete.
Prerequisites
Administrator access to both the affected Windows client machine(s) and the ADSelfService Plus admin portal.
You must have access to the latest ADSelfService Plus Client Software.msi downloaded from your ADSelfService Plus server.
Resolution
Step 1: Check and correct time synchronization
The simplest and most common cause is time drift between the client and server.
Check the system time, including the date and time zone, on an affected user's machine.
Check the system time on the ADSelfService Plus server.
Ensure both machines are synchronized to the same reliable time source, such as a domain controller or an external NTP server, or manually set their clocks to match exactly.
Ask the user to try logging in again. If the error persists, proceed to the next step.
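One way to carry out the time check in Step 1 from the affected client, as an added example that is not part of the original article or of ManageEngine's tooling: the script reads the Date header returned by the ADSelfService Plus web portal and compares it with the local clock. It assumes the portal answers a plain GET with a Date header and presents a certificate the client trusts; Get-ClockOffsetSeconds and the WarnSeconds threshold are illustrative names and values, not product settings.

```powershell
# Added example: compare this client's clock with the ADSelfService Plus
# server by reading the Date header the server's web portal returns.
param(
    # Portal URL built from the protocol, server name and port the agent uses.
    [Parameter(Mandatory)] [string]$ServerUrl,
    # Reporting threshold for this example only; not a documented product limit.
    [int]$WarnSeconds = 30
)

function Get-ClockOffsetSeconds {
    # Offset of the local clock relative to an HTTP Date header (RFC 1123, GMT).
    param([datetime]$LocalUtc, [string]$HttpDate)
    $styles = [Globalization.DateTimeStyles]::AssumeUniversal -bor
              [Globalization.DateTimeStyles]::AdjustToUniversal
    $serverUtc = [datetime]::ParseExact($HttpDate, 'r',
                     [cultureinfo]::InvariantCulture, $styles)
    [int][math]::Round(($LocalUtc - $serverUtc).TotalSeconds)
}

$before = [datetime]::UtcNow
$resp   = Invoke-WebRequest -Uri $ServerUrl -UseBasicParsing
$after  = [datetime]::UtcNow

# Use the midpoint of the request to cancel out most network latency.
$localUtc = $before.AddTicks([long](($after - $before).Ticks / 2))
# Header value is a string in Windows PowerShell and a string[] in PowerShell 7.
$dateHdr  = [string]($resp.Headers['Date'] | Select-Object -First 1)
if (-not $dateHdr) { throw "No Date header returned by $ServerUrl" }

$offset = Get-ClockOffsetSeconds -LocalUtc $localUtc -HttpDate $dateHdr

[pscustomobject]@{
    Server        = $ServerUrl
    ServerTimeUtc = $dateHdr
    LocalTimeUtc  = $localUtc.ToString('r')
    OffsetSeconds = $offset          # positive = client clock is ahead
    TimeZone      = (Get-TimeZone).Id
    TimeSource    = (w32tm /query /source) -join ' '
    Verdict       = if ([math]::Abs($offset) -gt $WarnSeconds) { 'Resync clocks' } else { 'In sync' }
}
```

The Date header has one-second resolution, so treat the result as a coarse check. Run the script from an elevated prompt so that w32tm can report the configured time source.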
Step 2: Update the login agent with the new installation key
If correcting the time did not resolve the error, the login agent's installation key is likely invalid. You must update the agent on the client machine so that it has the current key from the server. You can reinstall the agent either from the ADSelfService Plus portal or manually on the user's machine.
Method 1: Reinstall the agent from the ADSelfService Plus portal (Recommended)
Log in to the ADSelfService Plus admin portal.
Navigate to Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Installation.
Go to the Installed Machines tab.
Find and select the checkbox next to the affected machine(s) in the list.
Click the Reinstall button to push the latest version of the agent.
Method 2: Manually reinstall the login agent
Use this method if the portal installation fails or if you have direct access to the machine.
On the client machine, open Command Prompt as an administrator.
Uninstall the existing agent by running the following command:
msiexec /x {E451B224-C4E6-452E-BB61-2EFD4DC79A9C} /qb
Download the latest client version from the Manual Installation steps page under the Login Agent Installation Methods section in the GINA/Mac/Linux (Ctrl+Alt+Del) tab.
During installation, enter the current Installation Key, Protocol Name, Port Number, and Server Name when prompted. You can copy the Installation Key from the admin portal on the Manual Installation steps page in Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del).
After the agent is updated using either method, the MFA-041 error should be resolved, and the MFA login flow should work normally.
How to reach support
If the issue persists, contact our support team here.