Azure MFA not responding to NPS requests

J. Kellner 1 Reputation point
2020-03-11T16:32:16.077+00:00

I've been trying unsuccessfully to buy tech support from Microsoft for over a week, so I figured I'd try here instead.

I have followed the guide at https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg to set up a Remote Desktop Gateway using Azure MFA. All the components appear to be working, but when I try to log in with MFA, it just sits there for several seconds then fails without prompting for MFA.
Logging in without MFA works.
I have run the health check script at https://gallery.technet.microsoft.com/Azure-MFA-NPS-Extension-648de6bb and it gives a clean bill of health.
The final message in the AuthZOptCh log is
"NPS extension for Azure MFA: CID: <string> : Challenge requested in Authentication Ext for User CONTOSO\Alice with state <string>"
But there is no subsequent entry, and the MFA challenge never happens.
What is going on? Why is Azure not issuing the MFA challenge?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

2 answers

  1. Marilee Turscak-MSFT 33,056 Reputation points Microsoft Employee
    2020-03-12T00:34:20.053+00:00

    Hi @J. Kellner ,

    This has happened to me with the NPS extension before. I eventually found the trace logs and had a DLL error and was able to resolve this by reconfiguring some of my settings in the extension, enabling Azure Multi-Factor Client Auth (which was disabled in my tenant), and downloading the most recent version of the NPSExtensionInstaller. I also had multiple certificates configured and had to remove the extra ones. (My setup had a lot of things missing, which probably won't be the case for you.)

    Some things that help:

    1. Check the Auth logs in the event viewer.
    2. Check the MFA server logs
      C:\Program Files\Multi-Factor Authentication Server\Logs.
    3. Check the MFA logs from the Azure portal itself - MFA Portal > Usage > User Details
    4. Enable MFA Client Auth if it's disabled.
      (Screenshot won't attach but it's under "All Applications.")

    If you're having trouble getting a support case created I can also enable one for you if you send your subscription ID to AzCommunity@microsoft.com

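The following PowerShell triage script is an added example and is not part of the thread or of Microsoft's NPS extension tooling. It works through the first answer's checklist on the NPS / RD Gateway host itself: it reads the AzureMfa event channels (the AuthZOptCh log the question quotes), groups entries by the CID the extension stamps on each line so that a "Challenge requested" entry with nothing after it stands out, lists the extension's client certificates (the answer had to remove extras), and dumps the extension's registry settings. Assumptions: the channel names are discovered with `Get-WinEvent -ListLog` rather than hard-coded; the certificate subject OU "Microsoft NPS Extension" and the registry path `HKLM:\SOFTWARE\Microsoft\AzureMfa` are the documented locations for the extension and should be verified against the installed version; the user `CONTOSO\Alice` is the one from the question.

```powershell
# Added triage script for the Azure MFA NPS extension host (not from the thread).
# Run in an elevated PowerShell on the NPS / RD Gateway server.
# Assumptions, labelled: event channel names are discovered with -ListLog rather
# than hard-coded; the certificate subject OU "Microsoft NPS Extension" and the
# registry path HKLM:\SOFTWARE\Microsoft\AzureMfa are the documented locations for
# the extension, so verify them against your installed version.
param(
    [string]$User = 'CONTOSO\Alice',   # account from the question; replace it
    [int]$MinutesBack = 60
)
$since = (Get-Date).AddMinutes(-$MinutesBack)

# 1. Locate the AzureMfa event channels (AuthZAdminCh, AuthZOptCh, AuthNOptCh, ...)
$logs = @(Get-WinEvent -ListLog '*AzureMfa*' -ErrorAction SilentlyContinue |
          Where-Object { $_.RecordCount -gt 0 })
if ($logs.Count -eq 0) {
    Write-Warning 'No AzureMfa event channels with records; is the extension installed?'
}

# 2. Read recent events from every channel.
$events = @(foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; StartTime = $since } -ErrorAction SilentlyContinue
})

# 3. Group by the CID the extension stamps on each line. A CID whose last entry is
#    "Challenge requested" with nothing after it is exactly the symptom in the question.
$cidOf = { param($m) if ($m -match 'CID:\s*(\S+)') { $Matches[1] } }
$userCids = $events | Where-Object { $_.Message -like "*$User*" } |
            ForEach-Object { & $cidOf $_.Message } | Sort-Object -Unique
$byCid = @{}
foreach ($e in $events) {
    $cid = & $cidOf $e.Message
    if ($cid -and ($userCids -contains $cid)) {
        if (-not $byCid.ContainsKey($cid)) { $byCid[$cid] = New-Object System.Collections.ArrayList }
        [void]$byCid[$cid].Add($e)
    }
}
$report = foreach ($cid in $byCid.Keys) {
    $chain = @($byCid[$cid] | Sort-Object TimeCreated)
    $last  = $chain[-1]
    [pscustomobject]@{
        CID     = $cid
        Events  = $chain.Count
        LastAt  = $last.TimeCreated
        Stalled = ($last.Message -like '*Challenge requested*')   # challenge sent, no follow-up
        Errors  = @($chain | Where-Object { $_.LevelDisplayName -in 'Error','Critical' }).Count
        LastMsg = ($last.Message -split "`n")[0]
    }
}
$report | Sort-Object LastAt -Descending | Format-Table -AutoSize

# 4. Certificates: the extension authenticates to the tenant with a client cert in
#    LocalMachine\My. More than one, or an expired one, is a known cause of silent
#    failures (the first answer had to remove the extras).
$certs = @(Get-ChildItem Cert:\LocalMachine\My |
           Where-Object { $_.Subject -like '*Microsoft NPS Extension*' })
$certs | Select-Object Subject, NotBefore, NotAfter, HasPrivateKey, Thumbprint,
                       @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } } |
         Format-Table -AutoSize
if ($certs.Count -ne 1) {
    Write-Warning "$($certs.Count) NPS extension certificates found; expected exactly one current one."
}

# 5. Extension registry settings, as installed (assumed documented path).
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\AzureMfa' -ErrorAction SilentlyContinue |
    Select-Object * -ExcludeProperty PS*
```

A row with `Stalled = True` and `Errors = 0` reproduces the question's picture (the extension asked for a challenge and logged nothing further), which points at the tenant side: the user's registered methods and default sign-in method, or the client-auth setting the first answer mentions, rather than at the NPS host. A row with `Errors > 0`, or more than one certificate, points at the host configuration instead. The Entra portal sign-in and MFA usage checks in the answer still have to be done in the portal; they are not scripted here.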

  2. Philipp Heißler 6 Reputation points
    2022-12-19T14:48:06.777+00:00

    Hey there,

    I had exactly the same problem and was finally able to solve it by setting the following things in the MFA setup (https://aka.ms/mfasetup):

    • Logon method: "Microsoft Authenticator"
    • Default login method: "Microsoft Authenticator - Notifications"

    It was important for me that the default login method was set to "Microsoft Authenticator - Notifications", so that the push notifications are sent.
