NPS Extension - no prompt for 2nd step authentication (after working fine)

Pedro Duque 26 Reputation points
2021-03-14T11:03:34.477+00:00

Hi,

I've configured NPS with NPS extension to connect to my Azure Tenant. I also configured MFA in the required accounts.

The objective was to have our VPN authenticating against AD using MFA.

After configuring the VPN everything was working well. Every time I logged in I was asked for a 2nd authentication step in the app.

Unfortunately this behaviour stopped.

Now I can log in to the VPN without the 2nd step authentication, although if I look at the event log (Applications and Services Logs/Microsoft/AzureMfa/AuthZ/AuthZOptCh) on the NPS server I get the expected message "NPS Extension for Azure MFA: CID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx : Access Accepted for user xxxx@xxxxxxxxxxxxx .xxx with Azure MFA response: Success and message: session xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx".

Any clues?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2021-03-16T21:18:49.113+00:00

    It sounds like there is something missing in your NPS server configuration. Please confirm that you have configured all of your NPS server settings to match what's in the document in the "Configure NPS Components on Remote Desktop Gateway" and "Configure NPS on the server where the NPS extension is installed" sections. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg#configure-nps-components-on-remote-desktop-gateway

    It is also worth noting that two-way SMS and OTP MFA are not guaranteed for the NPS extension due to multiple factors that can affect the service, and it's recommended to stick to app authentication or phone call. If the users are configured for two-way SMS that may be related to the issue.

    To troubleshoot what may be causing the problem you can also check the NPS server event logs.


    https://learn.microsoft.com/en-us/answers/questions/28247/azure-mfa-nps-extension-no-mfa-prompt-on-logon.html


1 additional answer

  1. Pedro Duque 26 Reputation points
    2021-03-16T21:47:15.657+00:00

    When I checked the date in the Event Viewer, I noticed that the extension was not processing the events. They were old logs. It was solved with an update and a server restart.

    1 person found this answer helpful.
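
A check for the condition found in this thread (VPN logins still succeed, but the AzureMfa log only holds old events), as an added example that is not part of the original posts. It assumes NPS success auditing is enabled so that event ID 6272 is written to the Security log, and that the `Microsoft-AzureMfa-*` wildcard matches the channels shown under Applications and Services Logs/Microsoft/AzureMfa; the 24-hour window and 2-minute tolerance are arbitrary.

```powershell
# Run in an elevated PowerShell session on the NPS server.
# Assumptions (not from the thread): NPS success auditing writes event 6272
# ("Network Policy Server granted access to a user") to the Security log, and
# the wildcard below matches the AzureMfa channels named in the question.
$since     = (Get-Date).AddHours(-24)        # look-back window (arbitrary)
$tolerance = [TimeSpan]::FromMinutes(2)      # max gap between grant and MFA event

# 1. Channel state: a disabled channel or an old LastWriteTime means the
#    extension is not logging, so any "Success" entries shown are stale.
$channels = @(Get-WinEvent -ListLog 'Microsoft-AzureMfa-*' -ErrorAction SilentlyContinue)
$channels | Select-Object LogName, IsEnabled, RecordCount, LastWriteTime |
    Format-Table -AutoSize

# 2. Access-Accept decisions NPS itself recorded in the window.
$grants = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 6272; StartTime = $since
} -ErrorAction SilentlyContinue)

# 3. Timestamps of everything the extension logged in the same window.
$mfaTimes = @(foreach ($c in $channels | Where-Object RecordCount -gt 0) {
    Get-WinEvent -FilterHashtable @{ LogName = $c.LogName; StartTime = $since } `
        -ErrorAction SilentlyContinue | ForEach-Object { $_.TimeCreated }
})

# 4. Grants with no extension event close in time: candidates for logins
#    that completed without the second factor being processed.
$unmatched = @(foreach ($g in $grants) {
    $near = $mfaTimes | Where-Object {
        [Math]::Abs(($_ - $g.TimeCreated).TotalSeconds) -le $tolerance.TotalSeconds
    }
    if (-not $near) {
        [pscustomobject]@{ TimeCreated = $g.TimeCreated; RecordId = $g.RecordId }
    }
})

"NPS grants in window:            {0}" -f $grants.Count
"AzureMfa events in window:       {0}" -f $mfaTimes.Count
"Grants without a nearby MFA log: {0}" -f $unmatched.Count
$unmatched | Sort-Object TimeCreated | Format-Table -AutoSize
```

A non-zero last count together with an old `LastWriteTime` on the AzureMfa channels matches what the question author found; the time correlation is a heuristic, so review the listed record IDs in the Security log before drawing conclusions.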
