NPS + 802.1x = Azure MFA NPS extension error DS_CONVERSION_ERROR

Anonymous
2024-09-11T02:01:16+00:00

Hi there,

I have an NPS server working with Azure MFA for authenticating users. I am trying to add 802.1x wired authentication to it using PEAP-TLS, but authentication is being rejected with the errors below.

AuthZOptCh error log:

NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User host/{FQDN of the computer} with response state AccessChallenge, ignoring request.

AuthZAdminCh error log:

NPS Extension for Azure MFA: User not found in on-premises Active Directory. Exception retrieving UPN for  User::[host/{FQDN of the computer}] RadiusId::[154] exception ErrorCode:: DS_CONVERSION_ERROR Msg:: No mapping between account names and security IDs was done.

 Enter ERROR_CODE @ https://go.microsoft.com/fwlink/?linkid=846827 for detailed troubleshooting steps.

Interestingly, there is no mention of the error code DS_CONVERSION_ERROR at the suggested URL, and hardly any on the internet!

Appreciate any help.

Cheers

Ali


Locked Question. This question was migrated from the Microsoft Support Community. To protect privacy, user profiles for migrated questions are anonymized.

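The two AuthZ log lines quoted in the question can be worked through in PowerShell. The following is an added example, not code from the original post or from Microsoft: it parses the quoted lines, extracts the RADIUS identity and response state, and then attempts the same kind of account-name-to-SID lookup that yields the quoted "No mapping between account names and security IDs was done" message (the text of Win32 error ERROR_NONE_MAPPED, 1332). The FQDN `ws01.corp.example`, the NetBIOS domain `CORP` and the two log lines' placeholders are constructed for the example; run it on the NPS server as a domain user to see the mapping results for your own identities.

```powershell
# Added example, not code from the original post.
# The two lines below are the question's AuthZ log lines with a constructed FQDN substituted.
$constructedLogLines = @(
    'NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User host/ws01.corp.example with response state AccessChallenge, ignoring request.'
    'NPS Extension for Azure MFA: User not found in on-premises Active Directory. Exception retrieving UPN for  User::[host/ws01.corp.example] RadiusId::[154] exception ErrorCode:: DS_CONVERSION_ERROR Msg:: No mapping between account names and security IDs was done.'
)

function Get-MfaExtensionRequest {
    # Parse one NPS extension AuthZ log line into identity, kind (machine vs user), response state and error code.
    param([Parameter(Mandatory)][string]$Line)
    $identity = $null
    if ($Line -match 'User::\[(?<id>[^\]]+)\]')       { $identity = $Matches.id }
    elseif ($Line -match 'for User (?<id>\S+) with') { $identity = $Matches.id }
    $state = 'n/a';      if ($Line -match 'response state (?<st>\w+)') { $state = $Matches.st }
    $errorCode = 'none'; if ($Line -match 'ErrorCode:: (?<ec>\w+)')   { $errorCode = $Matches.ec }
    # 802.1X machine authentication presents the computer as host/<FQDN>; anything else is treated as a user here.
    $kind = if ($identity -like 'host/*') { 'machine' } else { 'user' }
    [pscustomobject]@{ Identity = $identity; Kind = $kind; ResponseState = $state; ErrorCode = $errorCode }
}

function ConvertTo-MachineAccountName {
    # host/ws01.corp.example -> CORP\WS01$ (a computer object's sAMAccountName carries a trailing '$').
    # Assumption: the NetBIOS domain name equals the first DNS domain label; check this in your forest.
    param([Parameter(Mandatory)][string]$HostIdentity)
    if ($HostIdentity -notmatch '^host/(?<host>[^.]+)\.(?<domain>[^.]+)') { return $null }
    return ('{0}\{1}$' -f $Matches.domain.ToUpperInvariant(), $Matches.host.ToUpperInvariant())
}

function Test-IdentitySidMapping {
    # Ask LSA to translate an account name to a SID, the step that must succeed before a UPN can be looked up.
    param([Parameter(Mandatory)][string]$Identity)
    try {
        $sid = ([System.Security.Principal.NTAccount]$Identity).Translate([System.Security.Principal.SecurityIdentifier])
        [pscustomobject]@{ Identity = $Identity; Mapped = $true;  Sid = $sid.Value; Error = $null }
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # ERROR_NONE_MAPPED: the string is not an account name LSA recognises (an SPN such as host/... never is).
        [pscustomobject]@{ Identity = $Identity; Mapped = $false; Sid = $null; Error = $_.Exception.Message }
    }
    catch {
        # Any other failure (for example no domain controller reachable) is reported rather than hidden.
        [pscustomobject]@{ Identity = $Identity; Mapped = $false; Sid = $null; Error = $_.Exception.Message }
    }
}

foreach ($line in $constructedLogLines) {
    $req = Get-MfaExtensionRequest -Line $line
    '{0} request for "{1}"; response state: {2}; error code: {3}' -f $req.Kind, $req.Identity, $req.ResponseState, $req.ErrorCode
    if ($req.Kind -eq 'machine') {
        # The SPN form does not map; the computer account name does when the object exists and AD is reachable.
        Test-IdentitySidMapping -Identity $req.Identity
        $account = ConvertTo-MachineAccountName -HostIdentity $req.Identity
        if ($account) { Test-IdentitySidMapping -Identity $account }
    }
}
```

The first quoted line is not a failure by itself: it records that the extension only adds the second factor to requests NPS has already answered with Access-Accept, and an EAP exchange still at the Access-Challenge stage is skipped. The second line is the actual rejection, and the script shows the shape of the problem: `host/<FQDN>` is an SPN, not an account name, so the lookup cannot produce a SID or a UPN, whereas `CORP\WS01$` (if the computer object exists) does map.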
Accepted answer
  1. Anonymous
    2024-11-19T07:32:51+00:00

    Glad you found a workaround. Regarding the issue you mentioned about 802.1x PEAP-TLS authentication with Azure MFA, here are my recommendations:

    1. About Azure MFA and 802.1x compatibility
      802.1x PEAP-TLS authentication with Azure MFA is possible, but in some cases, compatibility issues may be encountered. Azure MFA is primarily used for user authentication, while 802.1x authentication typically involves machine authentication. In this case, you may encounter some limitations, especially in the authentication process for computer objects.
    2. Recommendations for using two NPS servers
      The workaround you mentioned to whitelist IPs in the NPS server registry is an effective temporary solution. Indeed, many organizations choose to use an architecture with two NPS servers: one for user authentication (with Azure MFA) and one for machine authentication (without Azure MFA). This practice reduces potential conflicts and complexity, ensuring that each authentication method works correctly.
    3. Best Practices
      Split authentication: If you have a large number of 802.1x authentication requests in your environment, we recommend that you use two NPS servers. This ensures that traffic for machine authentication and user authentication doesn't interfere with each other.
      Monitoring and logging: Ensure that the logs of both NPS servers are monitored so that potential issues can be identified and resolved in a timely manner.

    Best Regards,

    Jill Zhou

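One way to implement the workaround the accepted answer refers to (exempting the 802.1X switches' addresses from the NPS extension in the registry) is shown below. This is an added example, not code from the thread or from Microsoft. The registry key `HKLM\SOFTWARE\Microsoft\AzureMfa` and the `IP_WHITELIST` and `REQUIRE_USER_MATCH` values are the NPS extension's documented settings; the `Get-NpsRadiusClient` cmdlet comes with the NPS PowerShell module. The convention that switches are RADIUS clients named `SW-*`, the sample addresses, and the assumption that the extension only re-reads the key on an NPS (service `IAS`) restart are this example's own.

```powershell
# Added example, not code from the thread.
$AzureMfaKey = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'

function Get-DotOneXSwitchAddresses {
    # Assumption: every 802.1X switch is an NPS RADIUS client whose friendly name starts with 'SW-'.
    param([string]$NamePrefix = 'SW-')
    Get-NpsRadiusClient |
        Where-Object { $_.Name -like "$NamePrefix*" } |
        Select-Object -ExpandProperty Address
}

function New-IpWhitelistValue {
    # Build the semicolon-separated IP_WHITELIST string. Only literal IP addresses are accepted:
    # a hostname or CIDR range would not match a NAS source address and the bypass would silently not apply.
    param([Parameter(Mandatory)][string[]]$Addresses)
    $valid = foreach ($a in ($Addresses | Sort-Object -Unique)) {
        $ip = $null
        if ([System.Net.IPAddress]::TryParse($a, [ref]$ip)) { $ip.ToString() }
        else { Write-Warning "Skipping RADIUS client address that is not a plain IP: $a" }
    }
    if (-not $valid) { throw 'No valid IP addresses supplied for IP_WHITELIST' }
    return ($valid -join ';')
}

function Set-AzureMfaIpWhitelist {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Addresses)
    $value = New-IpWhitelistValue -Addresses $Addresses
    if ($PSCmdlet.ShouldProcess("$AzureMfaKey\IP_WHITELIST", "set to '$value'")) {
        if (-not (Test-Path $AzureMfaKey)) { throw "$AzureMfaKey not found; is the NPS extension installed on this server?" }
        Set-ItemProperty -Path $AzureMfaKey -Name 'IP_WHITELIST' -Value $value -Type String
        # Assumption: the extension reads its settings at NPS start, so restart the service (name IAS).
        Restart-Service -Name IAS
    }
}

function Get-AzureMfaBypassSettings {
    $p = Get-ItemProperty -Path $AzureMfaKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        IP_WHITELIST       = $p.IP_WHITELIST        # NAS addresses whose requests skip the second factor entirely
        REQUIRE_USER_MATCH = $p.REQUIRE_USER_MATCH  # TRUE (default): identities the extension cannot match are rejected
    }
}

# Dry run with constructed addresses; on the NPS server use (Get-DotOneXSwitchAddresses) instead.
# The duplicate is collapsed and the hostname is skipped with a warning.
Set-AzureMfaIpWhitelist -Addresses '10.20.30.11','10.20.30.12','10.20.30.11','switch-core.corp.example' -WhatIf
Get-AzureMfaBypassSettings
```

Two caveats a practitioner should keep in mind. `IP_WHITELIST` exempts every request from those NAS addresses, user authentications on the same switches included, so it trades the failing machine authentication for a blanket MFA bypass on that equipment; that is the reason the accepted answer's split into one NPS for user authentication with the extension and one for machine authentication without it is the cleaner design. And `REQUIRE_USER_MATCH` governs identities the extension cannot match against the cloud directory; the failure quoted in the question is logged during the on-premises UPN lookup, so do not assume that setting covers it without testing.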

7 additional answers

  1. Anonymous
    2024-09-13T06:44:29+00:00

    Hi Jill

    Thanks for your detailed response.

    Please see below.

1. Authentication is only done for the computer, and its UPN has the same format/value as the one in the RADIUS request (showing in NPS logs), i.e. both are host/{FQDN of the computer}
    2. The computer object is valid & enabled
    3. Do you mean the hostname command? Also how can I "Check the identity mapping settings of the NPS server to ensure that it is able to resolve and find the appropriate Security Identity (SID) correctly"?
    4. Confirming that NPS extension is properly integrated with Azure MFA as it has been working for user authentications (separate from 802.1x implementation. As for the 802.1x policy, I'm using PEAP + EAP-TLS (Smartcard or other certificate)
    5. Triple checked
6. Logs seem to be in their most detailed mode. I am checking the logs in Server Roles -> Network Policy and Access Services and AzureMFA -> AuthN & AuthZ as well as log files in C:\windows\system32\LogFiles, but haven't been able to find the issue.

    Cheers

    Ali

  2. Anonymous
    2024-09-18T03:06:40+00:00

    Hi Jill

    Wondering if you've seen my previous post?

    Cheers

    Ali

  3. Anonymous
    2024-09-11T07:04:36+00:00

    Hello,

    Thank you for posting in Microsoft Community forum.

    Depending on the issue you are experiencing, here are some possible causes and solutions for the 802.1x authentication error with Azure MFA on the NPS server:

    Problem Analysis:

    AccessChallenge Error:

    The NPS extension only performs second-factor authentication in the "AccessAccept" state, while you receive an "AccessChallenge" status indicating that the initial authentication failed.

    DS_CONVERSION_ERROR:

The error message indicates that the user was not found in the local Active Directory and may be related to a UPN mapping issue.

    Solution:

    1. Ensure that the user and computer accounts attempting to authenticate are valid in Active Directory and that the UPN format (such as ******@domain.com) is correct.
    2. Ensure that the computer account for PEAP-TLS authentication is valid in Active Directory and can be recognized by the NPS server. Sometimes a computer account may be disabled or deleted, making it impossible to authenticate.
    3. Check the identity mapping settings of the NPS server to ensure that it is able to resolve and find the appropriate Security Identity (SID) correctly. You can check if your computer's SID is properly mapped to Active Directory at the command prompt by running the whoami command.
    4. Confirm that the policy and certificate for 802.1x authentication are configured correctly and check that the NPS extension is properly integrated with Azure MFA.
    5. If possible, ensure that the 802.1x settings for all network devices (switches or routers) also match the settings for NPS and Azure MFA. Sometimes, there may be inconsistencies between the settings of the device and NPS.
    6. Increase the NPS log level to get detailed information to help further diagnose the problem.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Regards,

    Jill Zhou

  4. Anonymous
    2024-09-20T05:56:48+00:00

    Thanks for your reply.

    I'm very sorry I missed your information.

    Based on the information you provided, here are some suggestions:

    1. Ensure that the UPN of the computer object is consistent with that in the RADIUS request and can be viewed in Active Directory.
    2. In the NPS Management Console, check the conditions and authentication settings of the 802.1x policy to ensure that they are configured correctly.
    3. Run whoami /user to confirm the current user's SID and compare it with the SID in Active Directory.
    4. Try restarting the NPS service or computer, which may resolve the temporary issue.

    If the problem persists, provide more log information for further analysis.

    Best wishes!
