Troubleshooting Azure MFA extension for NPS issue

  • Question

  • I'm having some trouble getting the Azure MFA extension for NPS working and could do with some pointers on what else I can try to troubleshoot or see more of what is going on.

    I followed this setup guide - https://docs.microsoft.com/en-gb/azure/active-directory/authentication/howto-mfa-nps-extension-rdg.  So now have a server with RDGateway and NPS on it, and have also installed the NPS role on one of our domain controllers and added the Azure MFA extension there.

    If I uninstall the Azure MFA extension, I can successfully login to RDS via this RDGateway, which I think confirms that the forwarding of RADIUS requests between the NPS servers is working, RDGW/RDSH is working, RD CAP/RAPs are OK.

    However once I install the Azure MFA extension and configure it, I can no longer login to RDS, it just stays at "Initiating remote connection" before timing out after a minute or two.  So far I have done the following to troubleshoot -

    1. VERBOSE_LOG is set to true in the Registry of the Domain Controller running NPS
    2. As above, I tried removing the Azure MFA extension, RDS then works fine
    3. Disabling MFA on my test user account does not let me connect
    4. Nothing appears in the IAS log (C:\Windows\System32\LogFiles) for these failed attempts.  However entries do appear there if I remove the MFA extension
    5. If I set up my Network Policy such that it rejects the connection I'll see an entry in the IAS log and will also see an entry from the MFA extension in the AuthZOptCh log saying "Request received for User ******\****** with response state AccessReject, ignoring request."
    6. Each time I try to connect to RDS (and it times out) I see very little in the event log other than an entry in the NPAS log "A LDAP connection with domain controller ****.****.**** for domain **** is established." and two entries in the AuthZAdminCh like "NPS Extension for Azure MFA: Radius request is missing NAS Identifier and Nas IpAddress attribute.Populating atleast one of these fields is recommended.This is not an error." and "NPS Extension for Azure MFA: IP_WHITE_LIST_WARNING::IP Whitelist is being ignored as source IP is missing in RADIUS request in NasIpAddress attribute.".  This at least seems to imply the MFA extension is alive
    7. I've confirmed there is only one certificate installed on the Domain Controller based NPS and via PowerShell to Azure it is properly associated with the app/service
    8. I have run a packet capture on our firewall and cannot see any obvious outbound connections from the Domain Controller to the Internet (to Azure for instance)

    To me it seems like the Azure extension is alive and well, but just not attempting to connect to Azure to perform MFA attempts.  The lack of meaningful logs seems strange, but this may be just an unusual failure mode that MS have not created logging for yet.

    Any thoughts on other ways I can try and see what the Azure MFA extension is up to and try to troubleshoot this would be greatly appreciated!

    Saturday, February 9, 2019 9:11 AM
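One way to collect the evidence from the eight troubleshooting steps above in a single pass, as an added PowerShell diagnostic that is not part of the original post. It assumes the extension keeps its settings under HKLM:\SOFTWARE\Microsoft\AzureMfa, that its event channels are named Microsoft-AzureMfa-AuthZ/AuthZAdminCh and Microsoft-AzureMfa-AuthZ/AuthZOptCh, that NPS writes IAS-format log files as IN*.log, and that the extension needs login.microsoftonline.com and adnotifications.windowsazure.com over TCP 443 (all taken from the extension documentation as the editor recalls it; <TENANT-ID> is a placeholder).

```powershell
# Added diagnostic for the Azure MFA NPS extension (not from the original post).
# Assumptions: registry path, event channel names, IAS log file prefix and Azure
# endpoints below come from the extension documentation; verify them on your install.
$ErrorActionPreference = 'Continue'

# 1. Extension settings as written by the installer (VERBOSE_LOG should be TRUE here).
$regPath = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
Write-Host "== Extension registry settings ($regPath)"
if (Test-Path $regPath) {
    Get-ItemProperty -Path $regPath | Select-Object -Property * -ExcludeProperty PS*
} else {
    Write-Warning 'Registry key not found; is the extension actually installed on this host?'
}

# 2. Last 20 events from the two extension channels the poster quotes
#    (AccessReject "ignoring request", missing NAS Identifier/NAS IP warnings).
$channels = @('Microsoft-AzureMfa-AuthZ/AuthZAdminCh', 'Microsoft-AzureMfa-AuthZ/AuthZOptCh')
foreach ($ch in $channels) {
    Write-Host "== Last 20 events in $ch"
    Get-WinEvent -LogName $ch -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
        Format-Table -AutoSize -Wrap
}

# 3. Is NPS writing anything to the IAS log at all? Newest files first.
Write-Host '== Most recent IAS log files'
Get-ChildItem -Path "$env:SystemRoot\System32\LogFiles" -Filter 'IN*.log' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 3 Name, LastWriteTime, Length

# 4. Can this host reach the Azure endpoints the extension depends on? A failure here
#    matches the "no outbound connection seen at the firewall" observation.
Write-Host '== Outbound reachability to Azure endpoints'
foreach ($h in 'login.microsoftonline.com', 'adnotifications.windowsazure.com') {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    Write-Host ('{0,-40} TCP 443 reachable: {1}' -f $h, $r.TcpTestSucceeded)
}

# 5. Certificates in LocalMachine\My that reference the tenant (placeholder ID below);
#    the extension needs exactly one, with a private key, that is not expired.
$tenantId = '<TENANT-ID>'
Write-Host '== Candidate extension certificates'
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$tenantId*" } |
    Select-Object Subject, NotAfter, Thumbprint, HasPrivateKey
```

Run it in an elevated PowerShell session on the NPS host that has the extension installed, reproduce one RDS logon attempt first, and compare the event timestamps in step 2 against the attempt.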

Answers

  • Today I tried installing NPS and the Azure MFA extension on another server (not a Domain Controller this time), MFA is now working perfectly!

    I suspect there's something in our Domain Controller Group Policy settings causing the issue here as we saw the same problem on two DCs trying to use the Azure MFA extension.

    Could really do with some better logging from the extension to be able to troubleshoot things like this in future, makes me a little nervous putting it into production knowing there are failure modes that are very difficult to troubleshoot/resolve.

    Sunday, February 10, 2019 10:54 AM

All replies

  • Hello Philip,

    Thanks for updating the thread with your findings. It would be really helpful if you can post your feedback here as this is monitored by the product team directly. 

    Tuesday, February 19, 2019 5:23 AM
    Moderator
  • Done!

    https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/36889285-improve-azure-mfa-nps-extension-logging

    Tuesday, February 19, 2019 7:50 AM