NPS Extension for MFA Error "Unable to get Azure AD access token"

Mike Hamsa 5 Reputation points
2023-10-18T15:42:23.69+00:00

We are currently using the Windows VPN client with Meraki VPN with authentication handled with RADIUS and an on-premises NPS server. This has been working. Now we are attempting to add MFA support using the NPS Extension for Microsoft Entra multifactor authentication. We've got the extension installed and configured. However, when users attempt to log into the VPN service, we are seeing the following error on the NPS server:

ESTS_TOKEN_ERROR Msg:: Unable to get Azure AD access token. [Reason:The connection with the server has been terminated.][Code:3400019710]

When we run the troubleshooter PS script and use option 1 to disable the NPS extension, users can log into the VPN server (without MFA)

When we use the troubleshooter PS script and use option 2, everything is successful except for "Checking accessibility to https://login.microsoftonline.com" which fails.

We have verified that we CAN access https://login.microsoftonline.com from the NPS server.

Any ideas?

Microsoft Security | Microsoft Entra | Other

1 answer

Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
2023-10-18T19:42:36.6433333+00:00

Hi @Mike Hamsa

That error means that the extension is not able to authenticate itself against AAD. Can you confirm which server version you are using? I saw a customer recently facing the same error with NPS deployed on a 2012 R2 server, and he was able to resolve the issue by redeploying on a 2019 machine.

You mentioned that the user is able to communicate with login.microsoftonline.com. Please confirm, though, that your firewalls are open bidirectionally for traffic to and from https://adnotifications.windowsazure.com and https://login.microsoftonline.com using ports 80 and 443. It is also important to check that on the DIAL-IN tab of Network Access Permissions, the setting is set to "control access through NPS Network Policy".

You will also see this error if you have not yet upgraded to TLS 1.2, in which case upgrading will resolve the issue.

Do they have an internet proxy or network security software that could be blocking traffic?

Additionally, if you can share any logs you have, it will help me to better diagnose the issue. If the primary authentication is failing, this will need to be addressed by the Windows networking team.

If you have confirmed all of these things and still face the issue, it would be worth creating a support case to look into your environment. If you would like to have a support case opened, you can reach out to me at AzCommunity@microsoft.com ("Attn: Marilee Turscak") and include your subscription ID and a link to this thread, and I will have one enabled for you.

If the information helped you, please Accept the answer. Otherwise let me know if you have further questions.
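Added here as a diagnostic example, not part of the question or of the answer above: a PowerShell script that runs the checks the answer lists from the NPS server itself (reachability of the two endpoints on 80/443, the proxy NPS actually uses, an explicit TLS 1.2 handshake, and the TLS 1.2 registry values). The endpoint names are the ones from the answer; the registry paths are the standard SCHANNEL and .NET Framework locations, and the script only reports what it finds.

```powershell
# Added diagnostic (not part of the thread) for the checks in the answer above:
# endpoint reachability on 80/443, the WinHTTP proxy in effect, an explicit
# TLS 1.2 handshake, and the SCHANNEL/.NET TLS 1.2 registry values.
# Run in an elevated PowerShell session on the NPS server itself.
$endpoints = @('login.microsoftonline.com', 'adnotifications.windowsazure.com')

Write-Host '== TCP reachability (ports 80 and 443) =='
foreach ($fqdn in $endpoints) {
    foreach ($port in 80, 443) {
        $ok = (Test-NetConnection -ComputerName $fqdn -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        Write-Host ('{0,-36} {1,3}  {2}' -f $fqdn, $port, $(if ($ok) { 'open' } else { 'BLOCKED' }))
    }
}

# NPS runs as a service, so it honours the WinHTTP proxy, not the user's browser proxy.
Write-Host '== WinHTTP proxy =='
netsh winhttp show proxy

# A failed handshake, or an unexpected certificate subject, points at a
# TLS-inspecting proxy or at TLS 1.2 being unavailable on this host.
Write-Host '== Explicit TLS 1.2 handshake =='
foreach ($fqdn in $endpoints) {
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object Net.Sockets.TcpClient($fqdn, 443)
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($fqdn, $null, [Security.Authentication.SslProtocols]::Tls12, $false)
        Write-Host ('{0}: negotiated {1}; server cert subject: {2}' -f $fqdn, $ssl.SslProtocol, $ssl.RemoteCertificate.Subject)
    } catch {
        Write-Host ('{0}: TLS 1.2 handshake FAILED - {1}' -f $fqdn, $_.Exception.Message)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}
# SCHANNEL: Enabled=0 or DisabledByDefault=1 under TLS 1.2\Client disables it.
# .NET 4.x: SchUseStrongCrypto=1 or SystemDefaultTlsVersions=1 lets the
# extension negotiate TLS 1.2; absent values mean the OS/.NET defaults apply.
Write-Host '== TLS 1.2 registry settings =='
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { Write-Host "$key : not present"; continue }
    $p = Get-ItemProperty -Path $key
    Write-Host ("{0}`n  Enabled={1} DisabledByDefault={2} SchUseStrongCrypto={3} SystemDefaultTlsVersions={4}" -f $key, $p.Enabled, $p.DisabledByDefault, $p.SchUseStrongCrypto, $p.SystemDefaultTlsVersions)
}
```

If the TCP checks pass but the TLS 1.2 handshake fails, or the reported certificate subject is not the expected Microsoft name, the traffic is being intercepted or TLS 1.2 is disabled on the host; that distinguishes the proxy case from the TLS upgrade case the answer mentions.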

