Windows 2022 RD Gateway Azure Multifactor

Jamie Pearson 51 Reputation points
2022-03-14T14:47:52.013+00:00

Hi,

I have recently set up a new Remote Desktop Gateway/Farm which is Windows 2022 and have set up Azure multifactor on it - this points to a Windows 2016 NPS, which in turn authenticates the multifactor as per the MS article (https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg) - this setup all works fine.

I also have a Windows 2022 NPS server. If I point the RDS Gateway at the Windows 2022 server instead of the Windows 2016 server, it will only ever authenticate once and then will not work again until the NPS service is restarted or the server is rebooted - this is once only, not once per user.

I have checked all settings against the Win2016 NPS server and there is no difference. I tried creating new catch-all rules on the server for the NPS ports and have also tried the command
    sc sidtype IAS unrestricted
which was supposed to fix this type of problem on Win2019 (https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-firewalls-configure).

Nothing seems to resolve the issue. I can work around it for now by continuing to use the Windows 2016 NPS, but long term this isn't viable.

Any ideas?

Thank you.


Accepted answer
  1. Jack Rawlins 86 Reputation points
    2022-05-30T17:55:43.417+00:00

    The workaround is as follows:
    - Open NPS on your Gateway Server, go to Policies > Connection Request Policies > TS GATEWAY AUTHORIZATION POLICY.
    - Go to the Settings tab, then Accounting, then untick "Forward accounting requests to this remote RADIUS server group".

    - Once this is done, restart the NPS service on both the DC and the Gateway, ensuring that the DC service comes up first.
    - You will still be able to look at any logs, they just won't be forwarded on to the DC.

    Jack


6 additional answers

  1. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2022-03-15T09:02:30.24+00:00

    @Jamie Pearson

    Are there any events in the event logs (application, system or NPS events) at the time of the issue?

    Have you tried with another Windows Server 2022?


  2. Jamie Pearson 51 Reputation points
    2022-03-16T10:48:58.707+00:00

    Hi,

    As per my previous post, I have set up a fresh copy of Windows 2022 and installed all Windows updates and only the NPS server role.

    I set it up as per the RDG MFA guide linked above and I get the exact same issue.

    The authentication works the first time as it should, but on subsequent tries nothing happens.

    In the event logs on the RDS Gateway server it logs...
    The remote RADIUS server IP Address has not responded to 5 consecutive requests. The server has been marked as unavailable.

    On the new NPS server I do see a security event relating to the request as follows:
    Event ID 6274
    Network Policy Server discarded the request for a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: NULL SID
    Account Name: mydomain\mytestuser
    Account Domain: mydomain
    Fully Qualified Account Name: mydomain\mytestuser

    Client Machine:
    Security ID: NULL SID
    Account Name: mypc.mydomain.co.uk
    Fully Qualified Account Name: mydomain\mypc$
    Called Station Identifier: UserAuthType:PW
    Calling Station Identifier: -

    NAS:
    NAS IPv4 Address: -
    NAS IPv6 Address: -
    NAS Identifier: -
    NAS Port-Type: Virtual
    NAS Port: -

    RADIUS Client:
    Client Friendly Name: Gateway
    Client IP Address: gatewayipaddress

    Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name: -
    Authentication Provider: Windows
    Authentication Server: Win2022NPS.mydomain.co.uk
    Authentication Type: -
    EAP Type: -
    Account Session Identifier: -
    Reason Code: 10
    Reason: The request was discarded because an extension dll crashed or malfunctioned.

    So it seems like something within the NPS files or the MFA extension is not working as it should?

    I am using the NpsExtnForAzureMfaInstaller v1.1.1892.2

    Thank you,
    Jamie

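The Security event Jamie pasted above (ID 6274, Reason Code 10, "extension dll crashed or malfunctioned") is the thing worth watching for on an NPS host running the Azure MFA extension. The script below is an added example, not from this thread or from Microsoft: it pulls recent 6274 discards from the Security log, picks out those with Reason Code 10, and lists the account, RADIUS client and connection request policy for each, then queries the IAS service SID type that the original question mentions. It assumes an elevated session on the NPS server and a look-back window of `$Hours` (assumed parameter name).

```powershell
# Added example (not from the thread): find NPS 6274 discards caused by an
# extension DLL malfunction (Reason Code 10) and summarise them.
# Assumes: run elevated on the NPS host; $Hours is an assumed parameter.
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'Microsoft-Windows-Security-Auditing'
    Id           = 6274
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No 6274 discards in the last $Hours hour(s)."
    return
}

# The event message carries its fields as "Label:<tabs>Value" lines, so the
# values are recovered with simple regexes over the rendered message text.
$extensionFailures = foreach ($e in $events) {
    if ($e.Message -match 'Reason Code:\s*10\b') {
        [pscustomobject]@{
            Time         = $e.TimeCreated
            # First "Fully Qualified Account Name" in the message is the user's
            Account      = [regex]::Match($e.Message, 'Fully Qualified Account Name:\s*(\S+)').Groups[1].Value
            RadiusClient = [regex]::Match($e.Message, 'Client Friendly Name:\s*(.+?)\r?\n').Groups[1].Value.Trim()
            Policy       = [regex]::Match($e.Message, 'Connection Request Policy Name:\s*(.+?)\r?\n').Groups[1].Value.Trim()
        }
    }
}

"$($events.Count) discard(s) total; $(@($extensionFailures).Count) with Reason Code 10 (extension DLL malfunction)."
$extensionFailures | Sort-Object Time | Format-Table -AutoSize

# Report the IAS service SID type; the NPS firewall guidance linked in the
# question expects it to be 'unrestricted'.
sc.exe qsidtype IAS
```

A burst of Reason Code 10 discards right after the first successful authentication, paired with the gateway's "marked as unavailable" message, is the pattern described in this thread and is a useful alert condition while the extension is in use.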

  3. Toby Strugnell 1 Reputation point
    2022-05-12T01:23:18.497+00:00

    We're experiencing the exact same issue with the exact same behavior on server 2022, we're forced to use 2016/2019.

    I can't seem to find any other posts about this issue but Microsoft needs to provide a fix, we tried updating the server to the May cumulative update and it still isn't working.


  4. Küver, Christian 1 Reputation point
    2022-05-30T12:51:47.367+00:00

    Same here, also an MS support case opened.

    So far, has anyone solved this?

