25,134 questions
MFA with NPS extension for Linux based ThinClient not working
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(89.60000000000001, 23%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
Jos
106
Reputation points
We are using:
- Domain controller with NPS extension
- RDP-Broker which is also the RDP-Gateway
- Two RDS Host servers connected
When connecting from Windows it works fine, we get a push message and after approving it, the connection has been made.
When trying the same from a Linux machine (ubuntu) or a HP ThinClient we noticed that it got stuck after confirming the push message.
Underneath it is using xfreerdp.
We tested these scenario's from our Linux machine (ubuntu) with xfreerdp:
- only providing broker (without settings DefaultTsvUrl and providing load-balance-info) = Working (no MFA)
- providing both gateway and broker (without settings DefaultTsvUrl and providing load-balance-info) = Working (with MFA)
- only providing broker (with providing load-balance-info to connect to the RDS hosts) = Working (no MFA)
- providing both gateway and broker (with providing load-balance-info to connect to the RDS hosts) = Not working (hanging after providing MFA confirmation)
We already found these topics, but still no luck:
We have no idea why it stops.. Anyone any idea?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
Jos 106 Reputation points
2022-01-31T16:37:26.983+00:00 I also noticed that we have to enter our credentials twice for a linux machine but for a Windows device only once.
Besides this I noticed that after approving the MFA request for the first login, when I way then for about 10 seconds and then entering the password for the second time, the MFA request works fine. When entering it to fast (within 10 seconds, what normal users will do) it will not send a push notification to my phone. -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 57.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Shashi Shailaj 7,631 Reputation points Microsoft Employee Moderator2022-02-01T16:58:59.703+00:00 @Jos ,
I think NPS extension with Linux and FreeRDP is not officially supported by Microsoft and the issue can be at any point . Its great that you have been able to get it working in your scenario . Whenever you have the error , have you checked the logs at the server where you have NPS extension installed. . NPS extension logs are found in Event Viewer under Applications and Services Logs > Microsoft > AzureMfa > AuthN > AuthZ on the server where the NPS Extension is installed. Please check the same with the help of this article https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-errors and let us know what everts you get and accordingly we will take this further.
Thank you .
-
Jos 106 Reputation points
2022-02-02T07:32:45.387+00:00 Thanks for your reply. A small correction "get it working" is pretty relative, because this isn't a solution for us. We found a way to be able to get in, but it isn't a solution.
Within AzureMfa > AuthZ:
1] NPS Extension for Azure MFA: Exception in Authentication Ext for User ErrorCode:: REQUEST_FORMAT_ERROR Msg:: Request cannot be processed without userName attribute Enter ERROR_CODE @ https://go.microsoft.com/fwlink/?linkid=846827 for detailed troubleshooting steps.
2] NPS Extension for Azure MFA: Radius request is missing NAS Identifier and Nas IpAddress attribute.Populating atleast one of these fields is recommended.This is not an error.
Sign in to comment
Sign in to answer