NPS Azure MFA Extension and RDG

Question

I've previously successfully used the Azure MFA NPS extension for my RDS Gateway - just built a replacement server (2019) for NPS and set up the RDCAP policies and migrated over - connections to the RD Gateway work fine.

Installed and configured the NPS MFA extension successfully - try to connect, I get an MFA notification as expected, approve the request but am just presented with an error on initiating connection.

The logs for the NPS extension state that authentication was successful, so the MFA part is working as it should, but the NPS log says reason 9 "The request was discarded by a third-party extension DLL file."

I've tried the troubleshooting script - all of the tests pass; interestingly, when it says it's disabled the MFA extension, it actually hasn't - however after uninstalling the extension, I am able to connect successfully again.

Any ideas?

Thanks in advance :)

Answer 1

Hi @O.Cooper · Thank you for reaching out.

I would suggest you to check below things that I have seen contributing to this issue:

1. Make sure you are using Authentication App Notification or Phone call. SMS and Authenticator App PIN requires entering the OTP, which is not possible in case of RDP.
2. Make sure you have downloaded latest version of NPS extension.
3. Make sure the shared secret under properties of RD Gateway, RADIUS Server (TS GATEWAY SERVER GROUP) and RADIUS Client is specified and contains same value. To be sure, set the shared secret again at all these places.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 2

Hi,

I have made these changes and still am having no success.
The plugin worked previously on a (now-decommissioned) server 2012r2 NPS server - the only thing that has changed is the new NPS server (2019), running identical policies, registered in AD, etc, etc!

I have since removed the NPS MFA extension from the new server and tried setting up NPS on another 2012r2 server that is still in use. I have imported the same policies as found on the original (fully functional) server.

RDS connects perfectly without the NPS MFA Extension installed.

Once installed, I am receiving the MFA challenge via app notification - I am approving this and again, am receiving an error. The event viewer is recording the following for my connection attempt:

"NPS Extension for Azure MFA: CID: ~redacted~ : Access Accepted for user ~redacted~ with Azure MFA response: Success and message: session ~redacted~"

NPS log file:

<Event><Timestamp data_type="4">11/24/2020 22:48:23.355</Timestamp><Computer-Name data_type="1">~name redacted~</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 ~IP redacted~ 11/24/2020 22:48:03 3</Class><MS-Extended-Quarantine-State data_type="0">0</MS-Extended-Quarantine-State><MS-Quarantine-State data_type="0">0</MS-Quarantine-State><MS-Link-Drop-Time-Limit data_type="0">120</MS-Link-Drop-Time-Limit><MS-Link-Utilization-Threshold data_type="0">50</MS-Link-Utilization-Threshold><Client-IP-Address data_type="3">~redacted~</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">RDS Gateway</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">~redacted~</SAM-Account-Name><NP-Policy-Name data_type="1">RDG_CAP</NP-Policy-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Framed-Protocol data_type="0">1</Framed-Protocol><Service-Type data_type="0">2</Service-Type><Fully-Qualifed-User-Name data_type="1">~redacted~</Fully-Qualifed-User-Name><Authentication-Type data_type="0">8</Authentication-Type><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>

The error that I am receiving in the RDS client is 0x3000001c.

The RDS Gateway records the following error:

The user "~redacted", on client computer "redacted", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".

And just to reiterate, the MFA Extension Troubleshooting script passes all tests, with the extension removed, RDS connects as expected, and I have the notification method configured for my account.

Thanks,
Ollie

Answer 3

Hi folks, any suggestions on this still? Really don't like running RDS without MFA.

Answer 4

The scenario above describes my exact issue. Also running 2019 and not able to get the extension to work. Has anyone solved this?

Answer 5

Hi OCooper-9790, did you manage to find a fix for this issue? I also just upgraded my 2016 remote gateway server to 2019. It has the exact same config but I am presented with the same errors in the event viewer.

I used the Azure NPS extension troubleshooting tool and it seems to point to the MFA being the issue because as soon as I remove the extension the NPS policies work perfectly. Doesn't make any sense.

Thanks