An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request

Christophe 121 Reputation points

I am trying to configure a NPS server so I can leverage Azure MFA.

The event viewer shows this error when trying to connect "An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request"

I reinstalled the NPS extension, restarted the server but I still get the same error.

What can be the issue?


Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,445 questions
{count} votes

Accepted answer
  1. Christophe 121 Reputation points

    Good evening,

    I finally resolved the issue by re configuring the network policy constraints.
    I was trying to configure MFA for AWS Worskspace using PAP.
    I chose "Unencrypted authentication (PAP, SPAP)" and that did not work even it seems that it was the correct choice.
    I picked to default:
    That worked
    I would have hoped that the message displayed in the event viewer could have been clearer


    1 person found this answer helpful.

2 additional answers

Sort by: Most helpful
  1. Marilee Turscak-MSFT 36,246 Reputation points Microsoft Employee

    Hi @Christophe-2684

    I recommend trying the troubleshooting MFA NPS extension article and also checking the NPS Health ScripAzure-MFA-NPS-Extension-648de6bbt. NPS extension only performs secondary authentication for Radius Requests which have the "Access Accept" state. You may need to configure the NPS Extension again (though I know you mentioned you already did this).

    As stated in the troubleshooting documentation, the DLL error can happen due to the following possible issues:

    • The wrong tenant ID was provided while configuring the NPS extension .
    • The user for which NPS rejects the requests have unicode characters in their passwords. The -
      NPS does not support Unicode passwords and it can fail for that reason Try changing user's password . We have a product backlog item open for this.
    • Timeout observed within any firewall that you may have within your network.
    • The NPS server is not set to ignore dial-in tab access permissions set on user objects in Active Directory.
    • Verify that your firewalls are open bidirectionally for traffic to and from .

    During my own setup of this extension I have received this error when the request was timing too soon, when the latest version of the extension was not installed, and when there were old certificates on the server that needed to be removed.

    If the request is timing out too soon, make sure that it's set to at least 60 seconds to give enough time for the request to succeed. 11439-radiustimeout.png

    Make sure also you have the latest version of the extension installed. Older versions sometimes threw that DLL error.

    Finally, make sure that there aren't any duplicate or old certificates on the server.

    You can check for old certificates using:

     Get-MsolServicePrincipalCredential -AppPrincipalId "app-principal-id" -ReturnKeyValues 1

    Then you can remove duplicates using:

     Remove-MsolServicePrincipalCredential -AppPrincipalId "app-principal-id" -KeyIds <enterkeyidhere>

    See also the related discussions:

    2 people found this answer helpful.
    0 comments No comments

  2. Akira Asano 0 Reputation points


    I tried installing the NPS extension as well however it returned an error message

    "An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request."

    Any idea?

    0 comments No comments