
NPS Extension for Azure MFA

Kristian Zanovello 0 Reputation points
2025-11-14T14:26:50.51+00:00

Hello,

I'm using the NPS Extension for Azure MFA to connect with our Sophos VPN. Everything worked, but now it doesn't work anymore.

Looking into Event Viewer, I've found this log info:

Server Roles -> Network policy and access services -> The request was discarded by a third-party extension DLL file

Applications and services logs -> microsoft -> azuremfa -> authzoptch -> ErrorCode:: ESTS_TOKEN_ERROR Msg:: Unable to get Azure AD access token. [Reason:Keyset not exist]

I've already tried uninstalling and installing the latest version of the NPS extension, but it still doesn't work.

Has anyone faced the same issue?

Thanks

Kristian

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Kristian Zanovello 0 Reputation points
    2025-11-14T15:14:32.6966667+00:00

    I already added permission to the certificate manually for the NETWORK SERVICE user; it still doesn't work.


  2. Q&A Assist
    2025-11-14T14:27:13.55+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    It seems like you are encountering an issue with the NPS Extension for Azure MFA where the request is being discarded due to a third-party extension DLL file, and you are receiving an error related to obtaining an Azure AD access token. The specific error message you mentioned, "Keyset not exist," indicates that there may be a problem with the certificate or its permissions.

    Here are some steps you can take to troubleshoot this issue:

    1. Check the Certificate: Ensure that the self-signed certificate created by the NPS extension is present in the certificate store and that it has not expired. The certificate should be located in the Local Computer certificate store under Personal.
    2. Verify Permissions: Check that the private key of the certificate has "READ" permission granted to the user NETWORK SERVICE. This is crucial for the NPS extension to function properly.
    3. Recreate the Certificate: If the certificate is missing or corrupted, you may need to recreate it by running the AzureMfaNpsExtnConfigSetup.ps1 script again, ensuring you use the same tenant ID.
    4. Event Viewer Logs: Continue to monitor the Event Viewer logs for any additional error messages that could provide more context on the failure.
    5. Registry Keys: If you have made any changes to the registry keys related to Azure MFA, consider reverting those changes to see if it resolves the issue.

    If these steps do not resolve the issue, you may want to consult the troubleshooting section for the NPS extension for further guidance.

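The answer above asks you to check that the extension's certificate exists, has not expired, and that NETWORK SERVICE can read its private key. The following script turns those three checks into a single diagnostic. It is an added example, not code from the original post or from Microsoft's NPS extension; it assumes Windows PowerShell 5.1 run elevated on the NPS server, that the extension's self-signed certificate lives in `Cert:\LocalMachine\My` with the tenant ID in its Subject (the `$TenantId` value is a placeholder), and that the private key is a CSP (RSA) key stored under `MachineKeys`; CNG-backed keys surface as "no usable private key" and need a manual look.

```powershell
# Added diagnostic example (not from the original post or from the NPS extension itself).
# Assumptions: Windows PowerShell 5.1, elevated; extension cert in LocalMachine\My with the
# tenant ID in its Subject; CSP/RSA private key under ProgramData\Microsoft\Crypto\RSA\MachineKeys.

$TenantId = '<YOUR-TENANT-ID>'   # placeholder: substitute your Entra tenant ID
$KeyDir   = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$Account  = 'NT AUTHORITY\NETWORK SERVICE'   # the account the NPS service runs as

# Step 1 of the answer: is the certificate present at all?
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match [regex]::Escape($TenantId) }
if (-not $certs) {
    Write-Warning "No certificate whose Subject contains '$TenantId' in LocalMachine\My; re-run AzureMfaNpsExtnConfigSetup.ps1 with the same tenant ID."
    return
}

foreach ($cert in $certs) {
    Write-Host "Certificate: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)"
    Write-Host "  Valid until: $($cert.NotAfter)  Expired: $($cert.NotAfter -lt (Get-Date))"

    # 'Keyset does not exist' usually means the public cert is there but its private key is not.
    if (-not $cert.HasPrivateKey -or -not $cert.PrivateKey) {
        Write-Warning "  No usable private key attached to this certificate (matches the 'Keyset not exist' symptom)."
        continue
    }

    # Locate the on-disk key container for the CSP key.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile   = Join-Path $KeyDir $container
    if (-not (Test-Path $keyFile)) {
        Write-Warning "  Key container '$container' not found under $KeyDir."
        continue
    }

    # Step 2 of the answer: does NETWORK SERVICE hold at least Read on the key file?
    $readBit = [System.Security.AccessControl.FileSystemRights]::Read
    $acl  = Get-Acl -Path $keyFile
    $rule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readBit) -ne 0)
    }
    if ($rule) {
        Write-Host "  $Account has Read on the private key: OK"
    } else {
        Write-Warning "  $Account lacks Read on $keyFile; grant it via certlm.msc (All Tasks > Manage Private Keys)."
    }
}
```

If the script reports the certificate but no private key, the cert and key have been separated (for example by an uninstall that removed the key container but not the store entry); re-running the setup script with the same tenant ID, as step 3 describes, recreates both together. If the permission check fails even after you have added NETWORK SERVICE in the certificate MMC, compare the key file the script names against the one the MMC is editing: a second certificate with the same Subject is the usual reason the change appears to have no effect.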
