Remote Desktop Gateway and Azure AD Multi-Factor Authentication
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 61%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Семенов Константин Владимирович
36
Reputation points
Hello,
I'm trying to setup Azure MFA for RDS using next manual https://learn.microsoft.com/en-us/azure/active-directory-domain-services/secure-remote-vm-access
I don't have on-premise Active Directory. All virtual machines connected to Azure AD DS. MFA feature enabled for all users in Azure AD. But there are no any attempts to approve the connection via Authenticator when I'm connecting to a VM with RDS Gateway. I checked the log at the NPS server and didn't find any attempts either. So it looks like Gateway doesn't send any request to NPS. All services are running without any issues on the NPS server and UDP ports are in the listening state. The only information message that I have on the Gateway is "The user "[username]", on client computer "xxx.xxx.xxx.xxx:xxxx", has initiated an outbound connection. This connection may not be authenticated yet." Could you please help to troubleshoot that issue? What should I check first?
Thank you!
Kind regards,
Konstantin
Windows for business | Windows Client for IT Pros | User experience | Remote desktop services and terminal services
Microsoft Security | Microsoft Authenticator
{count} votes
-
Семенов Константин Владимирович 36 Reputation points
2021-08-13T19:02:33.107+00:00 UPD #1: After rebooting NPS server start receiving next error message in the event log on NPS server:
"NPS Extension for Azure MFA: Radius request is missing NAS Identifier and Nas IpAddress attribute.Populating atleast one of these fields is recommended.This is not an error."
-
Семенов Константин Владимирович 36 Reputation points
2021-08-14T06:12:52.547+00:00 UPD #2: Finally I start receiving approval requests to Microsoft Authenticator while I'm connecting via Remote Gateway. It seems I missed to create a Conditional Access policy.
But still can't connect to VM. There is an error I found in the Event Log on Gateway Server: The user "domain\username", on client computer "xxx.xxx.xxx.xxx", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".
-
Семенов Константин Владимирович 36 Reputation points
2021-08-14T07:39:01.7+00:00 UPD #3: trying to add NPS server to RAS and IAS group according to manual: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754878(v=ws.11)?redirectedfrom=MSDN#to-register-the-nps-server-in-another-domain-using-active-directory-users-and-computers
but no luck.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 69%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Asger Schøldberg 1 Reputation point2021-10-06T06:25:06.623+00:00 Hi Konstantin
Did you ever resolve the issue?
kind regards
Asger
Sign in to comment
Sign in to answer