This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 87%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWC%3C/text%3E%3C/svg%3E)
Hi
I am trying to setup a new NPS server with the NPS Extension for Azure MFA to control access to an RDS server on-prem. Authentication works fine when not using the NPS Extension.
With the NPS Extension enabled, the user does not receive an MFA prompt, only an access denied message.
The AuthZOptCh logs shows only the below entry
NPS Extension for Azure MFA: CID xxxxxxxxxxxxxxxxx : Challenge requested in Authentication Ext for user Domain\UserName with state xxxxxxxxxxxxxxxxxxxxxxxx
There are no other entries and nothing else logged. AzureAD logs show no success or failed sign-in attempts.
I have the latest version of the MFA extension.
I'm aware there are issues with MFA number matching and have set OVERRIDE-NUMBER-MATCHING-WITH-OTP to TRUE in the registry as Microsoft document.
The user's default authentication method is Microsoft Authenticator - Notification
Of course, there are no issues with MFA authentication when accessing Office 365.
Please could someone help to work out what is wrong
Thanks,
Warren.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi Warren,
We noticed your feedback that the answer on this thread was not helpful.
Thank you for taking time to share your feedback. Kindly let us know what we could have done better to improve the answer and make your experience better.
Since we were able to clarify the response in the latest post offer extended offline support, I request that you would kindly re-take the survey for your experience on this thread.
However, if you remain unsatisfied with the level of support, please let us know how we can assist. We are here to help you and strive to make your experience better and greatly value your feedback. Looking forward to your reply. Much appreciate your feedback!
Marilee
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 11%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMC%3C/text%3E%3C/svg%3E)
Has this been resolved?
We are experiencing an issue with our VPN not prompting MFA after user/pass is entered. We've uninstalled/updated NPS extension thinking that the communication with Azure was the issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 84%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJC%3C/text%3E%3C/svg%3E)
set
OVERRIDE-NUMBER-MATCHING-WITH-OTP to FALSE this will resolve the issue you are describing its because the NPS- Mfa Extension does not support Number Matching
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 57.00000000000001%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELM%3C/text%3E%3C/svg%3E)
Dears,
I just fixed the event. In my case it was related to the version of the NPS extension where from version 1.2.2216.1 the TOTP authentication method is requested. I found references to turning the authentication type back to Approve/Deny in the references below.
To solve it, I just had to add the entry OVERRIDE_NUMBER_MATCHING_WITH_OTP as "FALSE" in the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa".
Hope this helps.
Leandro Marques.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 56.00000000000001%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPC%3C/text%3E%3C/svg%3E)
AWESOME, thanks! Works for me.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 70%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVL%3C/text%3E%3C/svg%3E)
Thank you so much for posting this! A gente nunca sabe a quem vai ajudar. Atitudes como essa fazem a diferença. Valeu demais
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 75%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMO%3C/text%3E%3C/svg%3E)
Should the registry key change be on the NPS server, or the client performing authentication?
Hi, Mark. On the NPS server. Regards,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 44%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKE%3C/text%3E%3C/svg%3E)
Thanks! This works for me too. After latest patch the mfa prompt in Authenticator did not popup and the remot desktop connection failed with an error. After some digging it turns out it was the NPS server and especially the nps extenions for azure mfa, version 1.2.2131.2
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(76.8, 8%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEK%3C/text%3E%3C/svg%3E)
Perfect! I was trying to figure out why this is not working for me for a few days, and this was exactly the solution! The moment the registry setting was set to FALSE (remember this is a STRING value) on NPS server, and the services reloaded, my authenticator started asking to confirm logon, reverting back to the old Yes/No question, both for SSL and IKEv2 VPN clients.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECS%3C/text%3E%3C/svg%3E)
oh my goodness you are the best Leandro. I have been troubleshooting this for days and this comment was the only place I found this answer!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 92%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Thanks Leandro - worked for me. Also had to restart NPS service after change.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 86%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
Thanks Leandro this solution worked well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 47%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPC%3C/text%3E%3C/svg%3E)
Fantastic! This worked. Leandro, THANK YOU!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 48%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
Thanks! This works for me too.
Hello @Warren Calvert !
At this point i can offer a detailed reading of the Guide
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
Especially at the end
Please tell us how are you Syncing to Azure AD ?
Do you have Premium P1 Licenses or Licenses with MFA for the users ?
Sorry for asking but we need every small detail as you can understand
This is a straight forward setup so something is amiss
Post you info , again read carefully the guide and the prerequisites
If there is a Firewall Disable packet inspection for the NPS Server
Also verify TIME is correct on server
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
Also @Warren Calvert please see this :
|AccessDenied|Caller tenant does not have access permissions to do authentication for the user|Check whether the tenant domain and the domain of the user principal
name (UPN) are the same. For example, make sure that ******@contoso.com
is trying to authenticate to the Contoso tenant. The UPN represents a
valid user for the tenant in Azure.|
| -------- | -------- | -------- |
|Also Are there Conditional Access Policies , or Tenant Secuity Defaults ? Per User MFA enforced or Identty protection controls ( Sig In risks etc) ?|
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
Hi Konstantinos
Thanks for your reply. That article is the one I followed.
I'm syncing AzureAD using AzureAD Connect with PHS
Users have M365 E3 licenses
Time is correct.
I'm hoping someone has seen this issue and can offer some advice for resolving it.
Thanks,
Warren.
These are common root causes for this issue:
Note that the Network Policy Server (NPS) does not support the use of the Extended ASCII characters within passwords and this limitation can lead to access issues. https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices
Please also verify the following:
If you can reproduce the issue, it would be helpful if you could collect a network trace and provide event logs when this issue occurs.
Does this issue only occur for the one user or are there multiple users who are affected?
Feel free to reach out to me at ******@microosft.com ("Attn: Marilee Turscak") to further troubleshoot. Please also include your subscription ID and a link to this issue if you'd like to get a one-time free support case opened to look into this.
If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar issues.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 48%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAJ%3C/text%3E%3C/svg%3E)
Good afternoon , We have installed the NPS extension and followed the guides from Microsoft on setting up the RDS , the Guides are not straight forward in the NPS setup of the RD-CAP policy and Radius client setup on each server the RD Webserver and the NPS server we are receiving a large amount of errors in the logs , such as NPS Extension for Azure MFA: Radius request is missing NAS Identifier and Nas IpAddress attribute. Populating atleast one of these fields is recommended. This is not an error. NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User Domain\username with response state AccessReject, ignoring request. Reason: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request. I am going to post screen shots of my setup on the RD and NPS server if someone could provide some InSite would be excellent RD WEB server NPS settings RDWEB - NPS1.png 2RDWEB - NPS1.png 3RDWEB - NPS3.png 3RDWEB - NPS4.png NPS Server - NPS settings NPS-Server1.png NPS-Server2.png NPS-Server3.png NPS-Server4.png
Hi, all.
I have the same problem. I needed to update the certificate that had expired and later update the NPS Extension for Azure MFA and after updating the problems started.
I couldn't find the source of the problem. However, the settings are all correct, as the deployment was carried out with the responsible team at Microsoft.
I believe it's something after updating the NPS extension, but the logs are too simplistic to handle the problem.
If you have any ideas on possible treatments, I'd appreciate it.
Regards,
Leandro Marques.