No MFA prompt being presented for NPS extension

Ezra Strong 6 Reputation points
2022-04-19T22:43:45.91+00:00

Background: We have on-premises AD, we've been running AAD Connect Sync for years. Trying to implement MFA required for software RDP within our organization. Accomplishing this via a local RDG not externally accessible, authenticating via the AAD MFA NPS extension.

Using documentation mostly from https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg
Set up an RDG, works fine. Can connect via RDP software client with no problem. Connected it to a new NPS server, still works. Installed the MFA NPS extension, no longer works. Did run the certificate setup script successfully. The denial message is the generic Denied Access due to policy.
The only log generated, apart from the notification about no NASIPAddress attribute stuff recommendation, is "NPS Extension for Azure MFA: CID: - : Challenge requested in Authentication Ext for User CorrectUser with state -"
No challenge is ever presented to the user. The message makes me think that it is asking for the standard MFA prompt there to pass on to the user, but maybe I'm misinterpreting that log entry. The user can log in through portal.office.com with the required MFA on login, and even when running one of the troubleshooting scripts they're able to successfully authenticate with MFA on the prompt provided locally. What am I missing, why isn't an MFA prompt being presented?

Microsoft Entra ID

3 answers

  1. Philipp Heißler 6 Reputation points
    2022-12-19T14:47:31.557+00:00

    Hey there,

    I had exactly the same problem and was finally able to solve it by setting the following things in the MFA setup (https://aka.ms/mfasetup):

    • Logon method: "Microsoft Authenticator"
    • Default login method: "Microsoft Authenticator - Notifications"

    It was important for me that the default login method was set to "Microsoft Authenticator - Notifications", so that the push notifications are sent.

    1 person found this answer helpful.

  2. WON 5 Reputation points
    2023-01-17T10:54:52.2166667+00:00

    Hi,

    We have the same problem.

    I am using the latest NPS extension.

    With us, 10 users do not receive an MFA notification. As soon as they try to log in to the web client and start an RDP session, they get this message:

    A connection to remote computer W2569RDCB02.P25.NL cannot be established for one of the following reasons:

    1. Your user account is not authorized to access the RD gateway portal.stja.nl.
    2. Your computer is not authorized to access the RD-gateway portal.stja.nl.
    3. You are using an incompatible authentication method (for example, you are using a password but the RD Gateway expects a smart card).

    Contact the network administrator for support.

    [Expanded Information]

    • Error code: 0x300001c

    Extended error code: 0x0

    All users can log in from the internal network.

    All have the same login rights from outside of the corporate network, but still some don't receive an MFA alert on their mobile. MFA is already configured for push notification. They can log in to office.com and receive the push notification.

    Servers: Windows server 2022
    RDS host session, Gateway, Broker and web

    NPS Extension: 1.2.2131.2

    WireShark data for access rejected alert:

    Very strange situation. Tried a lot of options without any positive results.

    1 person found this answer helpful.

  3. risolis 8,701 Reputation points
    2022-04-20T03:37:24.057+00:00

    Hello @Ezra Strong

    Thank you for your post.

    I want to provide the following info which can be helpful for your concern. Please read below:

    When a request comes in from an IP address that exists in the IP_WHITELIST, two-step verification is skipped. The IP list is compared to the IP address that is provided in the ratNASIPAddress attribute of the RADIUS request. If a RADIUS request comes in without the ratNASIPAddress attribute, a warning is logged: "IP_WHITE_LIST_WARNING::IP Whitelist is being ignored as the source IP is missing in the RADIUS request NasIpAddress attribute".

    Here are some relevant articles as well.

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-advanced#ip-exceptions

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-errors

    BR,

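The whitelist decision described in the answer above, as an added example that is not from Microsoft or any poster in this thread: it pulls the NAS-IP-Address attribute (RADIUS type 4) out of a raw Access-Request and applies the documented rule, including the missing-attribute case that produces the warning instead of a skip. The whitelist network and both sample packets are constructed for the example.

```python
"""Check how the documented IP_WHITELIST rule treats a RADIUS Access-Request."""
import struct
import ipaddress

NAS_IP_ADDRESS = 4        # RADIUS attribute type for NAS-IP-Address (RFC 2865)
USER_NAME = 1             # RADIUS attribute type for User-Name
RADIUS_HEADER_LEN = 20    # code(1) + identifier(1) + length(2) + authenticator(16)


def parse_attributes(packet: bytes) -> dict:
    """Walk the type/length/value attribute list that follows the RADIUS header."""
    attrs = {}
    pos = RADIUS_HEADER_LEN
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute at offset %d" % pos)
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def mfa_skipped(packet: bytes, whitelist) -> tuple:
    """Return (skip_mfa, message): skip only when NAS-IP-Address is present and
    whitelisted; a request without the attribute gets the warning and still needs MFA."""
    raw = parse_attributes(packet).get(NAS_IP_ADDRESS)
    if not raw or len(raw[0]) != 4:
        return False, "IP_WHITE_LIST_WARNING: NasIpAddress attribute missing, whitelist ignored"
    nas_ip = ipaddress.IPv4Address(raw[0])
    if any(nas_ip in net for net in whitelist):
        return True, "NAS %s in IP_WHITELIST, two-step verification skipped" % nas_ip
    return False, "NAS %s not whitelisted, MFA challenge required" % nas_ip


def build_access_request(attrs) -> bytes:
    """Build a minimal Access-Request (code 1) from (type, value) pairs; authenticator zeroed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 0, RADIUS_HEADER_LEN + len(body)) + bytes(16) + body


# Constructed sample data: an exempt network, a request carrying NAS-IP-Address,
# and one without it (the situation the NPS log in the question complains about).
WHITELIST = [ipaddress.ip_network("10.0.0.0/24")]
WITH_NAS = build_access_request([(USER_NAME, b"CorrectUser"), (NAS_IP_ADDRESS, bytes([10, 0, 0, 5]))])
WITHOUT_NAS = build_access_request([(USER_NAME, b"CorrectUser")])

if __name__ == "__main__":
    for pkt in (WITH_NAS, WITHOUT_NAS):
        print(mfa_skipped(pkt, WHITELIST))
```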