Azure Multi Factor Authentication - NPS Extension not working ESTS_TOKEN_ERROR

  • Question

  • Hello,

    I've just completed setting up the NPS extension with my NPS server and everything was working perfectly right up to when I finished the MFA configuration. When I try to connect using VPN to my RRAS server (which is authenticating with the NPS), it will hang on "Verifying sign in info", time out and spit out this error in the event logs:

    NPS Extension for Azure MFA:  CID: d354663a-1897-4f60-a0f0-61d9c12b1ea9 :Exception in Authentication Ext for User XXXXXXXXX@XXXXXXXX.com :: ErrorCode:: CID :d354663a-1897-4f60-a0f0-61d9c12b1ea9 ESTS_TOKEN_ERROR Msg:: Verify the client certificate is properly enrolled in Azure against your tenant and the server can access URL in Registry STS_URL. Error authenticating to eSTS: ErrorCode:: ESTS_TOKEN_ERROR Msg:: Error in retreiving token details from request handle: -895352821 AADSTS500014: Resource 'https://adnotifications.windowsazure.com/StrongAuthenticationService.svc/Connector' is disabled.
    Trace ID: 3cf1cafb-1c4d-4db1-bf0f-c2694f29bc00
    Correlation ID: e3dfe056-fbdd-4b4b-8852-2d55991e97be
    Timestamp: 2020-02-18 04:08:51Z Enter ERROR_CODE @ https://go.microsoft.com/fwlink/?linkid=846827 for detailed troubleshooting steps. Enter ERROR_CODE @ https://go.microsoft.com/fwlink/?linkid=846827 for detailed troubleshooting steps.

    The account I am testing with has MFA enabled (Mobile specifically) and has the MFA Registration policy on Azure AD Identity protection enforced. I have tried the following steps to try and fix this issue:

    • Reset the Certificate
    • Enabled the MFA application on Azure
    • Uninstalled/Reinstalled

    All of which did not resolve the issue. Any help is greatly appreciated. :)


    Tuesday, February 18, 2020 4:25 AM

Answers

  • Hello Mitchell_45124

    Thank you for your query. This could happen if there is some proxy or network device blocking the connection, so I would suggest you check port 80 and port 443 reachability for the URLs (adnotifications.windowsazure.com and login.microsoftonline.com) using the PowerShell cmdlets below.


    Test-NetConnection adnotifications.windowsazure.com -Port 443
    Test-NetConnection adnotifications.windowsazure.com -Port 80
    Test-NetConnection login.microsoftonline.com -Port 443
    Test-NetConnection login.microsoftonline.com -Port 80

    You should get the TcpTestSucceeded value as True. If you do not for all the above addresses, the ports could be blocked.

    PS C:\windows\system32> Test-NetConnection login.microsoftonline.com -Port 443
    
    ComputerName     : login.microsoftonline.com
    RemoteAddress    : 20.190.128.13
    RemotePort       : 443
    InterfaceAlias   : NIC1
    SourceAddress    : 192.168.2.51
    TcpTestSucceeded : True
    

    Looking at your error it does not seem that it will be a ports issue; however, sometimes we have seen this behavior due to proxy/network devices, hence I would suggest checking the above as well.

    The second thing is to verify the service principal: the resource https://adnotifications.windowsazure.com/StrongAuthenticationService.svc/Connector is a service principal name for "Azure Multi-Factor Auth Connector". Please check the state of this SPN, whether it is enabled in the tenant or not. I checked it in my test tenant and it was enabled. You can find the status of the same using the cmdlets below. The global AppPrincipalId for the service principal "Azure Multi-Factor Auth Connector" is the same in every tenant, which is 1f5530b3-261a-47a9-b357-ded261e17918. You would need to connect to Azure AD using the Connect-MsolService cmdlet before you can run any of the following commands.

    PS C:\windows\system32> Get-MsolServicePrincipal -AppPrincipalId 1f5530b3-261a-47a9-b357-ded261e17918
    
    
    ExtensionData         : System.Runtime.Serialization.ExtensionDataObject
    AccountEnabled        : True
    Addresses             : {}
    AppPrincipalId        : 1f5530b3-261a-47a9-b357-ded261e17918
    DisplayName           : Azure Multi-Factor Auth Connector
    ObjectId              : 3edb12d1-d6e5-49cb-8471-9db01a04aeb3
    ServicePrincipalNames : {1f5530b3-261a-47a9-b357-ded261e17918, https://adnotifications.windowsazure.com/StrongAuthenticationService.svc/Connector, https://adnotifications.windowsazure.us/StrongAuthenticationService.svc/Connector}
    TrustedForDelegation  : False
    


    The AccountEnabled value should be True for the above. In case it is not, please enable the same using the following cmdlet.

    Set-MsolServicePrincipal -AppPrincipalId 1f5530b3-261a-47a9-b357-ded261e17918 -AccountEnabled $true

    This should solve your issue. In case it does not, please let us know the error and we will try to see how best we can help you further.

    If the information in this post helped you, please do mark it as answer so that it is helpful to other members of the community.

    Thank you.

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!!

    Tuesday, February 18, 2020 1:36 PM
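The answer above spreads the diagnosis over several manual cmdlets. The script below is an added example (not from the thread or from Microsoft) that rolls the same two checks into one function run on the NPS server: TCP reachability of the two endpoints on 443 and 80, and the AccountEnabled state of the "Azure Multi-Factor Auth Connector" service principal, with an optional -Fix switch that applies the Set-MsolServicePrincipal re-enable from the answer. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the function name and parameter names are my own.

```powershell
# Added example: consolidated prerequisite check for the NPS Extension for Azure MFA.
# Uses only the cmdlets shown in the answer (Test-NetConnection, Get-/Set-MsolServicePrincipal).
# Assumes the MSOnline module is loaded and Connect-MsolService has been run.
function Test-NpsMfaPrerequisites {
    [CmdletBinding()]
    param(
        # Endpoints and ports named in the answer.
        [string[]]$Endpoints = @('adnotifications.windowsazure.com', 'login.microsoftonline.com'),
        [int[]]$Ports = @(443, 80),
        # AppPrincipalId of "Azure Multi-Factor Auth Connector" (same in every tenant, per the answer).
        [string]$ConnectorAppId = '1f5530b3-261a-47a9-b357-ded261e17918',
        # Re-enable the service principal if it is found disabled.
        [switch]$Fix
    )

    $results = [System.Collections.Generic.List[object]]::new()

    # 1. Network reachability: one row per endpoint/port pair.
    foreach ($endpoint in $Endpoints) {
        foreach ($port in $Ports) {
            $tnc = Test-NetConnection -ComputerName $endpoint -Port $port -WarningAction SilentlyContinue
            $results.Add([pscustomobject]@{
                Check  = "TCP ${endpoint}:$port"
                Passed = [bool]$tnc.TcpTestSucceeded
                Detail = "RemoteAddress=$($tnc.RemoteAddress)"
            })
        }
    }

    # 2. Service principal state; the query throws if the session is not connected.
    try {
        $sp      = Get-MsolServicePrincipal -AppPrincipalId $ConnectorAppId -ErrorAction Stop
        $enabled = [bool]$sp.AccountEnabled
        $detail  = "DisplayName=$($sp.DisplayName); ObjectId=$($sp.ObjectId)"

        if (-not $enabled -and $Fix) {
            # The fix that resolved the original poster's ESTS_TOKEN_ERROR / AADSTS500014.
            Set-MsolServicePrincipal -AppPrincipalId $ConnectorAppId -AccountEnabled $true -ErrorAction Stop
            $enabled = [bool](Get-MsolServicePrincipal -AppPrincipalId $ConnectorAppId).AccountEnabled
            $detail += '; re-enabled by -Fix'
        }

        $results.Add([pscustomobject]@{ Check = 'SPN AccountEnabled'; Passed = $enabled; Detail = $detail })
    }
    catch {
        $results.Add([pscustomobject]@{
            Check  = 'SPN AccountEnabled'
            Passed = $false
            Detail = "Query failed (is Connect-MsolService done?): $($_.Exception.Message)"
        })
    }

    return $results
}

# Usage on the NPS server after Connect-MsolService:
#   Test-NpsMfaPrerequisites | Format-Table -AutoSize
#   Test-NpsMfaPrerequisites -Fix      # also re-enables the SPN if it is disabled
```

A row with Passed = False on any TCP check points at the proxy/firewall case the answer mentions first; a False on "SPN AccountEnabled" matches the AADSTS500014 "Resource ... is disabled" text in the original event log, which is the case the -Fix switch addresses. The MSOnline cmdlets are the ones current when this thread was written; the same properties are exposed through the Microsoft Graph PowerShell service principal cmdlets on newer tenants.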

All replies

  • All the tests you suggested came back positive but setting the service principal to enabled fixed the issue. Thanks for the help :).
    Tuesday, February 18, 2020 9:51 PM
  • You are welcome. Glad to be of service. Thank you for the confirmation. :)

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!!

    Wednesday, February 19, 2020 5:59 AM