NPS Extension for Azure MFA failing to generate MFA prompt

Question

NPS Extension for Azure MFA failing to generate MFA prompt

elflaco 20

Hi. We have signed up for the standard support plan in Azure and I raised a support request 18 days ago but have not received any responses. I also added a message to the ticket one week ago but did not receive a response.

Is this normal?

How do I go about receiving an update on the ticket?

Thanks.

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2025-01-06T11:00:02.8133333+00:00

@elflaco Apologies for the inconvenience. Could you please share the case details for reference? This will help us track and check the status of the case.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
elflaco 20 Reputation points

2025-01-06T11:05:06.94+00:00

@Givary-MSFT The Request ID is 2412190050002677. We are having difficulty configuring Azure MFA for RDS environment.
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2025-01-06T12:03:01.2666667+00:00

@elflaco Thank you for sharing the case details, let me review the status and revert back.
Anonymous

2025-01-07T14:51:57.48+00:00
Hello elflaco,

Thank you for reaching out to Microsoft Q&A.

We understand that you are trying to configure Azure MFA for an RDS environment, but your users are not receiving MFA prompts on their phone. Further, you have also noticed an error in the Event Viewer on the Gateway server that “The remote RADIUS (Remote Authentication Dial-In User Service) server did not respond”. As per the error, we could see RD Gateway is not receiving the response from NPS server.

After reviewing the situation, I would like to suggest a few troubleshooting steps to help resolve the issue:

In RD Gateway, please ensure that correct IP address or name of NPS server are added.

Ensure that users accounts are properly configured for phone verification or the Microsoft Authenticator App with Approve/Deny push notifications if not the user won't be able to complete the Microsoft Entra multifactor authentication challenge and sign in to Remote Desktop Gateway.

Don't install the NPS extension on your Remote Desktop Gateway (RDG) server. The RDG server doesn't use the RADIUS protocol with its client, so the extension can't interpret and perform the MFA. Also, configure certificates for use by the NPS extension to ensure secure communications and assurance.

To ensure there is time to validate user credentials and perform two-step verification, receive responses, and respond to RADIUS messages, it is necessary to adjust the RADIUS timeout value correctly.

Also check the network problems like incorrect DNS or firewall settings make it impossible to accept MFA challenges correctly.

There may be delays in the MFA service itself, or users may not be answering the MFA prompt immediately. The authentication flow may be impacted if the MFA server is overloaded or suffering delays.

Please let us know if you have any further queries.

Thanks & Best Regards

Janaki Kota
elflaco 20 Reputation points

2025-01-07T15:51:34.8+00:00

Hi @Anonymous Thanks very much for your response. Would it be possible for us to have a phone call with a Microsoft engineer? We are signed up for the Standard support plan and I had hoped to have a call as that would make it a lot easier to discuss our support ticket.

Accepted answer

0 additional answers

Your answer

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2025-01-06T11:00:02.8133333+00:00

@elflaco Apologies for the inconvenience. Could you please share the case details for reference? This will help us track and check the status of the case.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
elflaco 20 Reputation points

2025-01-06T11:05:06.94+00:00

@Givary-MSFT The Request ID is 2412190050002677. We are having difficulty configuring Azure MFA for RDS environment.
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2025-01-06T12:03:01.2666667+00:00

@elflaco Thank you for sharing the case details, let me review the status and revert back.
Anonymous

2025-01-07T14:51:57.48+00:00

Hello elflaco,

Thank you for reaching out to Microsoft Q&A.

We understand that you are trying to configure Azure MFA for an RDS environment, but your users are not receiving MFA prompts on their phone. Further, you have also noticed an error in the Event Viewer on the Gateway server that “The remote RADIUS (Remote Authentication Dial-In User Service) server did not respond”. As per the error, we could see RD Gateway is not receiving the response from NPS server.

After reviewing the situation, I would like to suggest a few troubleshooting steps to help resolve the issue:

In RD Gateway, please ensure that correct IP address or name of NPS server are added.

Ensure that users accounts are properly configured for phone verification or the Microsoft Authenticator App with Approve/Deny push notifications if not the user won't be able to complete the Microsoft Entra multifactor authentication challenge and sign in to Remote Desktop Gateway.

Don't install the NPS extension on your Remote Desktop Gateway (RDG) server. The RDG server doesn't use the RADIUS protocol with its client, so the extension can't interpret and perform the MFA. Also, configure certificates for use by the NPS extension to ensure secure communications and assurance.

To ensure there is time to validate user credentials and perform two-step verification, receive responses, and respond to RADIUS messages, it is necessary to adjust the RADIUS timeout value correctly.

Also check the network problems like incorrect DNS or firewall settings make it impossible to accept MFA challenges correctly.

There may be delays in the MFA service itself, or users may not be answering the MFA prompt immediately. The authentication flow may be impacted if the MFA server is overloaded or suffering delays.

Please let us know if you have any further queries.

Thanks & Best Regards

Janaki Kota
elflaco 20 Reputation points

2025-01-07T15:51:34.8+00:00

Hi @Anonymous Thanks very much for your response. Would it be possible for us to have a phone call with a Microsoft engineer? We are signed up for the Standard support plan and I had hoped to have a call as that would make it a lot easier to discuss our support ticket.

Answer 1

Hello elflaco,

Thank you for connecting offline to discuss about your issue.

We see that you are looking to secure remote access to virtual machines that run in a Microsoft Entra Domain Services managed domain, using Remote Desktop Services (RDS) and Network Policy Server (NPS).

As discussed, there are two factors that affect which authentication methods are available with an NPS extension deployment:

The password encryption algorithm used between the RADIUS client (VPN, Netscaler server, or other) and the NPS servers.

PAP supports all the authentication methods of Microsoft Entra multifactor authentication in the cloud: phone call, one-way text message, mobile app notification, OATH hardware tokens, and mobile app verification code.

CHAPV2 and EAP support phone calls and mobile app notification.

The input methods that the client application (VPN, Netscaler server, or other) can handle.

The NPS Extension for Microsoft Entra multifactor authentication is available to customers with licenses for Microsoft Entra multifactor authentication (included with Microsoft Entra ID P1 and Premium P2 or Enterprise Mobility + Security). Consumption-based licenses for Microsoft Entra multifactor authentication, such as per user or per authentication licenses, aren't compatible with the NPS extension.

Sharing relevant document for reference: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension#licenses

Thanks & Best Regards

Janaki Kota

If your question has been solved, then you can click "Accept Answer", which may help members with similar questions find the answer easily. Thank you very much!

Share via

NPS Extension for Azure MFA failing to generate MFA prompt

0 additional answers

Your answer