Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,227 questions
Azure - AD --> Azure Active Directory Doman Services + RDS 2019 MFA Login issues
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 54%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETI%3C/text%3E%3C/svg%3E)
Tech ID
1
Reputation point
Hi,
I have a Azure AD Premium P2 trial edition and Azure Active directory Domain services deployed in Australia south east region
Problem statement
Not able to integrate the MFA for RDS users on the RD-Gateway login.
Error
The user "domain\user", on client computer "xx.xx.xx.xx", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".
Also there is no option to turn on the “Call to phone” verification mode in multi-factor user settings
backgroud
Azure AD and Azure Active directory Domain services is setup for the VNet in Azure, this complete cloud solution
I have RDS server with RDWEB,RDGATEWAY, RD Connection broker , RD License server and RD Session host deployed on windows 2019 server domain joined to AADS
Additional server with NPS role and NPS extension configured and domain joined
{count} votes
-
Tech ID 1 Reputation point
2020-06-26T10:16:13.997+00:00 I followed this article
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/secure-remote-vm-accessIn AADS we can't register the NPS servers in to the IAS group hence skipped this step as instructed
To integrate the Azure Multi-Factor Authentication NPS extension, use the existing how-to article to integrate your Remote Desktop Gateway infrastructure using the Network Policy Server (NPS) extension and Azure AD.
The following additional configuration options are needed to integrate with a managed domain:
Don't register the NPS server in Active Directory. This step fails in a managed domain.
In step 4 to configure network policy, also check the box to Ignore user account dial-in properties.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 36,891 Reputation points Microsoft Employee2020-06-26T23:22:52.663+00:00 Are all users facing this problem or just some? Can you check on the NPS to ensure that the users are added? Please share any logs that you have.
-
Tech ID 1 Reputation point
2020-06-27T09:49:08.803+00:00 All the users are having issues to login to the RDS, below are the error on the RD Gateway, I have the logs of the NPS extension server.
The user "RAOGB\user2", on client computer "144.138.38.235", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".Below is the link of NPS server extensions logs uploaded on onedrive
-
Tech ID 1 Reputation point
2020-06-27T10:34:28.033+00:00 Hi Marilee, i fixed the issue after reviewing the logs in detail all good now and working as expected
Sign in to comment
Sign in to answer