AZURE NPS Extension Cross-forest authentication issue

  • Question

  • Scenario:

    Resource Forest A (with NPS extension)

    User Forest B


    User from Forest B is sending RADIUS auth requests to an NPS server in Forest A with their SamAccountName (forestB\samaccountname).  

    The NPS server then forwards this auth request to a Domain Controller in Forest B to authenticate.  

    However, the issue is that the MFA NPS Extension looks in forest B for the UPN of the user (USERNAME@FORESTB.local).

    After attempting to add forestB to LDAP_LOOKUP_FOREST, we get this error:

    ALTERNATE_LOGINID_ERROR, Exception retrieving UPN, USER NOT FOUND ON PREM Activedirectory.

    Any ideas?

    • Edited by Frank Hu MSFT Thursday, November 7, 2019 12:17 AM Fixed some grammar issues
    Wednesday, November 6, 2019 3:04 PM

All replies

  • Hello AvaTheQueen208,

    It sounds like there's an issue with the way you've set up your alternate_loginid.

    Per the docs here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-advanced#alternate-login-id

    You should be able to set up the attribute to pull up the Samaccountname by modifying the LDAP_ALTERNATE_LOGINID_ATTRIBUTE.

    In addition to that, the errors for the NPS extension along with troubleshooting steps can be found here: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-errors

    The steps for troubleshooting are described here:

    ALTERNATE_LOGIN_ID_ERROR Error: Alternate LoginId lookup failed

    Verify that LDAP_ALTERNATE_LOGINID_ATTRIBUTE is set to a valid active directory attribute.

    If LDAP_FORCE_GLOBAL_CATALOG is set to True, or LDAP_LOOKUP_FORESTS is configured with a non-empty value, verify that you have configured a Global Catalog and that the AlternateLoginId attribute is added to it.

    If LDAP_LOOKUP_FORESTS is configured with a non-empty value, verify that the value is correct. If there is more than one forest name, the names must be separated with semi-colons, not spaces.

    If these steps don't fix the problem, contact support for more help.


    Please remember to mark one of the responses as answer if your question has been answered. If not, please let us know if there are any more questions. Thanks

    • Proposed as answer by Frank Hu MSFT Thursday, November 7, 2019 12:30 AM
    Thursday, November 7, 2019 12:30 AM
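    One way to run the verification steps from the answer above directly on the NPS server, as an added example that is not part of the original thread: it assumes the extension settings live under HKLM\SOFTWARE\Microsoft\AzureMfa (as documented in the advanced-configuration article), that the ActiveDirectory PowerShell module is installed, and that `testuser` is a placeholder sAMAccountName.

```powershell
# Added example: check the MFA NPS Extension lookup settings that the
# ALTERNATE_LOGIN_ID_ERROR troubleshooting steps refer to.
Import-Module ActiveDirectory

# Assumption: settings are stored under this key (per the advanced-config docs).
$cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\AzureMfa' -ErrorAction Stop
$attr    = $cfg.LDAP_ALTERNATE_LOGINID_ATTRIBUTE
$forests = $cfg.LDAP_LOOKUP_FORESTS
$forceGc = $cfg.LDAP_FORCE_GLOBAL_CATALOG
Write-Host "LDAP_ALTERNATE_LOGINID_ATTRIBUTE = '$attr'"
Write-Host "LDAP_LOOKUP_FORESTS              = '$forests'"
Write-Host "LDAP_FORCE_GLOBAL_CATALOG        = '$forceGc'"

# Step 1: the attribute must exist in the schema (lDAPDisplayName match).
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$schemaObj = Get-ADObject -SearchBase $schemaNc -Properties isMemberOfPartialAttributeSet `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))"
if (-not $schemaObj) { Write-Warning "'$attr' is not a valid attribute in the local forest schema" }

# Step 2: if a Global Catalog lookup will be used, the attribute must be replicated to the GC.
$gcLookup = ($forceGc -eq 'True') -or -not [string]::IsNullOrWhiteSpace($forests)
if ($gcLookup -and $schemaObj -and -not $schemaObj.isMemberOfPartialAttributeSet) {
    Write-Warning "'$attr' is not in the GC partial attribute set; add it before relying on forest lookups"
}

# Step 3: forest names must be separated by ';' (no spaces) and each one must be contactable.
if ($forests -match '\s') {
    Write-Warning "LDAP_LOOKUP_FORESTS contains whitespace; separate forest names with ';' only"
}
$forestList = $forests -split ';' | Where-Object { $_ }
foreach ($f in $forestList) {
    try {
        $ctx  = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $f)
        $null = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
        Write-Host "forest '$f' reachable"
    } catch { Write-Warning "forest '$f' could not be contacted: $($_.Exception.Message)" }
}

# Step 4: repeat the lookup the extension performs, against each forest's GC port (3268),
# to see whether the user resolves by the alternate attribute. 'testuser' is a placeholder.
$sam = 'testuser'
foreach ($f in $forestList) {
    $u = Get-ADUser -Server "${f}:3268" -LDAPFilter "($attr=$sam)" -Properties userPrincipalName
    if ($u) { Write-Host "found $sam in '$f' with UPN $($u.userPrincipalName)" }
    else    { Write-Warning "$sam not found in '$f' via $attr (matches the USER NOT FOUND symptom)" }
}
```

Run it elevated on the NPS server; a warning from step 4 for the user's forest while steps 1 to 3 pass points at the attribute value itself (for example a UPN being looked up where a sAMAccountName was sent) rather than at the forest list.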
  • Don't think that is the issue, the usernames are in the cloud as UPN. Azure NPS extension is not looking in the correct domain. I am using realm manipulation to prepend the hostname so NPS sends to the correct domain, however the extension second factor does not check the domain in which primary auth occurred.
    Thursday, November 7, 2019 12:44 PM
  • Hey AvaTheQueen208, 

    If you're still having an issue here after reviewing the first answer and following the advice above, please email AzCommunity[at]microsoft[dot]com and I can enable a one-time free support ticket. Please provide your Azure Subscription GUID and a reference to this thread. And hopefully we can get you on the right path again soon.

    Please see https://blogs.msdn.microsoft.com/mschray/2016/03/18/getting-your-azure-subscription-guid-new-portal/ on how to get a subscription GUID.


    In addition to that once you are able to resolve your issue with the support engineer, please post your response on this thread so that future readers will be able to benefit from your solution. 


    - Frank Hu

    Friday, November 8, 2019 2:50 AM
  • Hello,

    Just checking to see if Frank's reply was helpful to you. If so, please remember to "mark as answer" so that others in the community with similar questions can more easily find a solution.

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Wednesday, November 13, 2019 11:55 PM
  • Please let us know if you were able to resolve the issue from the replies before. If you still have more questions, please let us know with some additional information regarding your question and we'll try to resolve it. It may require additional support escalation if we are unable to resolve this on this MSDN thread.

    If there are no more follow-ups in regards to this, I will be marking an answer as answer. If you feel your question has not been answered, please let us know any more pending asks and we can try to follow up accordingly.


    - Frank H.

    Tuesday, November 26, 2019 8:03 PM