MFA number matching with NPS and RDS Gateway

Info - Envodi ICT Solutions 0 Reputation points
2023-05-25T15:46:30.8433333+00:00

My customer is using an RDS gateway server with NPS for the Multi-Factor Authentication. When users are logging in they get a push in the Authenticator app.

When a user logs in on Outlook Webmail, the Authenticator app asks for a number (number matching).

In this article it looks like there is a way to enable number matching on the RDS Gateway: https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match

I cannot get this working. Is this possible at all? If yes, is there some more extensive manual to achieve this?


1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-05-26T23:50:31.0266667+00:00

    @Info - Envodi ICT Solutions

    As mentioned in the article, there is a RegEdit for "OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE" to allow fallback to Approve/Deny for the RDS Gateway. PAP protocol must be used for TOTP. https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match

    RDG only supports Phone Call or Push Notification. Radius Auth in general, which would include the NPS Extension, does not support Number Matching.

    Let me know if this helps and if you have further questions.

    If the information helped you, please Accept the answer. This will help us as well as

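The registry override the answer refers to, as an added PowerShell example (not code from the original thread or from Microsoft). It assumes the NPS extension reads its settings from `HKLM:\SOFTWARE\Microsoft\AzureMfa` and that the NPS service is named `IAS`; run it elevated on each NPS server that the RD Gateway uses.

```powershell
# Audit, and with -Apply set, the OVERRIDE_NUMBER_MATCHING_WITH_OTP override on this NPS server.
# Assumption: the Azure MFA NPS extension reads its configuration from the key below.
param([switch]$Apply)

$key  = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$name = 'OVERRIDE_NUMBER_MATCHING_WITH_OTP'

if (-not (Test-Path $key)) {
    throw "Key '$key' not found; is the Azure MFA NPS extension installed on this server?"
}

# Report the current state so the change is auditable before anything is modified.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Output "$name is not set: RD Gateway push sign-ins cannot answer a number-matching prompt here."
} else {
    Write-Output "$name is currently '$current'."
}

if ($Apply) {
    # FALSE makes this NPS server fall back to Approve/Deny push instead of number matching.
    # That removes the MFA-fatigue protection number matching gives, so scope it to the
    # NPS servers that serve the RD Gateway, not to every NPS server in the estate.
    Set-ItemProperty -Path $key -Name $name -Value 'FALSE' -Type String
    Restart-Service -Name IAS   # NPS service; restart so the extension re-reads the key
    Write-Output "Set $name=FALSE and restarted NPS."
}
```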