No MFA prompt being presented for NPS extension

Ezra Strong 6 Reputation points
2022-04-19T22:43:45.91+00:00

Background: We have on-premises AD, we've been running AAD Connect Sync for years. Trying to implement MFA required for software RDP within our organization. Accomplishing this via a local RDG not externally accessible, authenticating via the AAD MFA NPS extension.

Using documentation mostly from https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg
Set up an RDG, works fine. Can connect via RDP software client with no problem. Connected it to a new NPS server, still works. Installed the MFA NPS extension, no longer works. Did run the certificate setup script successfully. The denial message is the generic Denied Access due to policy.
The only log generated, apart from the notification about no NASIPAddress attribute stuff recommendation, is "NPS Extension for Azure MFA: CID: - : Challenge requested in Authentication Ext for User CorrectUser with state -"
No challenge is ever presented to the user. The message makes me think that it is asking for the standard MFA prompt there to pass on to the user, but maybe I'm misinterpeting that log entry. The user can log in through portal.office.com with the required MFA on login, and even when running one of the troubleshooting scripts they're able to successfully authenticate with MFA on the prompt provided locally. What am I missing, why isn't an MFA prompt being presented?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,534 questions
{count} vote

3 answers

Sort by: Most helpful
  1. Philipp Heißler 6 Reputation points
    2022-12-19T14:47:31.557+00:00

    Hey there,

    I had exactly the same problem and was finally able to solve it by setting the following things in the MFA setup (https://aka.ms/mfasetup):

    • Logon method: "Microsoft Authenticator"
    • Default login method: "Microsoft Authenticator - Notifications"

    It was important for me that the default login method was set to "Microsoft Authenticator - Notifications", so that the push notifications are sent.

    1 person found this answer helpful.

  2. WON 5 Reputation points
    2023-01-17T10:54:52.2166667+00:00

    Hi,

    We have the same problem.

    I am using the latest NPS extension.

    With us, 10 users do not receive an MFA notification. As soon as they try to log in to the web client and start an RDP session, they get this message:

    A connection to remote computer W2569RDCB02.P25.NL cannot be established for one of the following reasons:

    1. Your user account is not authorized to access the RD gateway portal.stja.nl.
    2. Your computer is not authorized to access the RD-gateway portal.stja.nl.
    3. You are using an incompatible authentication method (for example, you are using a password but the RD Gateway expects a smart card).

    Contact the network administrator for support.

    [Expanded Information]

    • Error code: 0x300001c

    Extended error code: 0x0

    All users can login from internal network.

    All has the same login rights from outside of the corporate netwerk, but still some dont receive MFA alert on their mobile. MFA is already configure for push notification. They can login in office.com and receive the push notification.

    Servers: Windows server 2022
    RDS host session, Gateway, Broker and web

    NPS Extension: 1.2.2131.2

    WireShark data for access rejected alert:
    User's image

    User's image

    Very strange situation. tried a lot of option without any positive results.

    1 person found this answer helpful.

  3. risolis 8,711 Reputation points
    2022-04-20T03:37:24.057+00:00

    Hello @Ezra Strong

    Thank you for your post.

    I want to provide the following info which can be helpful for your concern. Please read below:

    When a request comes in from an IP address that exists in the IP_WHITELIST, two-step verification is skipped. The IP list is compared to the IP address that is provided in the ratNASIPAddress attribute of the RADIUS request. If a RADIUS request comes in without the ratNASIPAddress attribute, a warning is logged: "IP_WHITE_LIST_WARNING::IP Whitelist is being ignored as the source IP is missing in the RADIUS request NasIpAddress attribute

    Here are some relevant articles as well.

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-advanced#ip-exceptions

    https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-errors

    BR,

    0 comments No comments