NPS Extension failing: ErrorCode:: ESTS_TOKEN_ERROR

Question

_{Monday, November 5, 2018 4:01 PM}

Hi,

I keep recieving the following errorcode when trying to authenticate on RemoteDesktop Gateway with NPS extension using Azure MFA. I have added a trial AAD P1 to my user account and enabled MFA (Mobile App). Testing by login in with this user and all works fine. The error i receive is:

NPS Extension for Azure MFA:  CID: ********** :Exception in Authentication Ext for User *****\******* :: ErrorCode:: CID :************ ESTS_TOKEN_ERROR Msg:: Verify the client certificate is property enrolled in Azure against your tenant and the server can access URL in Registry STS_URL.Error authenticating to eSTS: ErrorCode:: ESTS_TOKEN_ERROR Msg:: Error in retreiving token details from request handle: -895352831 Enter ERROR_CODE @ https://go.microsoft.com/fwlink/?linkid=846827for detailed TroubleShooting steps. Enter ERROR_CODE @ https://go.microsoft.com/fwlink/?linkid=846827for detailed TroubleShooting steps.

I tried using the following page for troubleshooting but everything seems to be working properly: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#troubleshooting

There are not many solutions to this error. I build all of this in my Azure MSDN environment to test. Could that be the issue?

All replies (4)

_{Monday, November 5, 2018 6:20 PM}

When there is a certificate error like this, it often occurs if you have more than one certificate installed on the machine. Please ensure that you have the correct certificate installed on the NPS server and that you remove any unnecessary duplicates that can cause this issue.

Run the following commands:

Get-MsolServicePrincipalCredential -AppPrincipalId "enter app principal id number"
 -ReturnKeyValues 1

Remove-MsolServicePrincipalCredential -AppPrincipalId "enter
 app principal id number" -KeyIds 72cc35ef-af6d-404a-8d81-0044030c2994 

Go through and remove any duplicates and then reinstall the correct certificate on the machine.

A few other things to check:

1. Please ensure you are only using either authenticator app MFA or phone call MFA, as text message will not work for this.

2. Please check the logs on both the NPS and the RD Gateway machine to verify the authentication stage where this error occurs. 

3. Ensure that you are using the version of the NPS extension installer referred to in this guide. This is the NpsExtnForAzureMfaInstaller.exe 

Some of the other guides use a different version of the installer that can cause some corruption errors. 

---

_{Tuesday, November 6, 2018 12:27 PM}

Thanks for your advice!

I did remove all credentials and started the wizard again, but still recieve the same error.

1. I am using MFA App for default. This is confirmed by logging into portal.azure.com directly with this user.

2. I can see that the NPS server is forwarding the request:

Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
Security ID: *****\user1
Account Name: *****\user1
Account Domain: *****
Fully Qualified Account Name: *****.**/Company/Users/user1

Client Machine:
Security ID: NULL SID
Account Name: *****
Fully Qualified Account Name: -
Called Station Identifier: UserAuthType:PW
Calling Station Identifier: -

NAS:
NAS IPv4 Address: -
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: -

RADIUS Client:
Client Friendly Name: Gateway
Client IP Address: 10.0.1.5

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: RDG_CAP
Authentication Provider: Windows
Authentication Server: *****
Authentication Type: Unauthenticated
EAP Type: -
Account Session Identifier: -
Reason Code: 9
Reason: The request was discarded by a third-party extension DLL file.

The other events on the NPS server are:

NPS Extension for Azure MFA: Radius request is missing NAS Identifier and Nas IpAddress attribute.Populating atleast one of these fields is recommended.This is not an error.

NPS Extension for Azure MFA:  CID: ********** :Exception in Authentication Ext for User *****\******* :: ErrorCode:: CID :************ ESTS_TOKEN_ERROR Msg:: Verify the client certificate is property enrolled in Azure against your tenant and the server can access URL in Registry STS_URL.Error authenticating to eSTS: ErrorCode:: ESTS_TOKEN_ERROR Msg:: Error in retreiving token details from request handle: -895352831 Enter ERROR_CODE @ https://go.microsoft.com/fwlink/?linkid=846827for detailed TroubleShooting steps. Enter ERROR_CODE @ https://go.microsoft.com/fwlink/?linkid=846827for detailed TroubleShooting steps.

3. I installed the latest version of NPS extension. I installed it 2 days ago.

Any other suggestions?

---

_{Sunday, November 24, 2019 1:53 AM}

Did any one Ever find a solution to this Problem?   Here 2019 November still default install does the same thing, so some where in the Guide they must be missing a crucial piece of the puzzle to install this.

What is that missing step and how do we get past this error.

Also mine keeps saying I dont have P1 license and we do.

---

_{Sunday, November 24, 2019 2:07 AM}

Another Question, due to so many Attempts to get this working I have like 30 Certificates in Azure now how do you Delete those ?