JKellner-0477 asked:

Azure MFA not responding to NPS requests

I've been trying unsuccessfully to buy tech support from Microsoft for over a week, so I figured I'd try here instead.

I have followed the guide at https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg to set up a Remote Desktop Gateway using Azure MFA. All the components appear to be working, but when I try to log in with MFA, it just sits there for several seconds then fails without prompting for MFA.
Logging in without MFA works.
I have run the health check script at https://gallery.technet.microsoft.com/Azure-MFA-NPS-Extension-648de6bb and it gives a clean bill of health.
The final message in the AuthZOptCh log is
"NPS extension for Azure MFA: CID: <string> : Challenge requested in Authentication Ext for User CONTOSO\Alice with state <string>"
But there is no subsequent entry, and the MFA challenge never happens.
What is going on? Why is Azure not issuing the MFA challenge?

Tags: azure-active-directory, azure-ad-connect, azure-ad-multi-factor-authentication

1 Answer

MarileeTurscak answered:

Hi @JKellner-0477,

This has happened to me with the NPS extension before. I eventually found the trace logs and had a DLL error and was able to resolve this by reconfiguring some of my settings in the extension, enabling Azure Multi-Factor Client Auth (which was disabled in my tenant), and downloading the most recent version of the NPSExtensionInstaller. I also had multiple certificates configured and had to remove the extra ones. (My setup had a lot of things missing, which probably won't be the case for you.)

Some things that help:

  1. Check the Auth logs in the event viewer.

  2. Check the MFA server logs at C:\Program Files\Multi-Factor Authentication Server\Logs.

  3. Check the MFA logs from the Azure portal itself: MFA Portal > Usage > User Details.

  4. Enable MFA Client Auth if it's disabled. (Screenshot won't attach, but it's under "All Applications.")


If you're having trouble getting a support case created, I can also enable one for you if you send your subscription ID to AzCommunity@microsoft.com.
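One way to carry out step 1 of the answer on the NPS server and surface the symptom from the question (a request whose last logged event is "Challenge requested" with nothing after it). This is an added example, not code from either poster; the event channel names are assumed from the extension's Event Viewer layout, and the message parsing assumes the format quoted in the question.

```powershell
# Added example: group Azure MFA NPS extension events by request ID (CID)
# and report requests that stalled after "Challenge requested".
param(
    [int]$LookbackMinutes = 60
)

# Assumed channel names (Applications and Services Logs > Microsoft > AzureMfa).
$channels = @(
    'Microsoft-AzureMfa-AuthZ/AuthZOptCh',
    'Microsoft-AzureMfa-AuthZ/AuthZAdminCh',
    'Microsoft-AzureMfa-AuthN/AuthNOptCh'
)
$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# Read every channel; an empty or missing channel is skipped, not fatal.
$events = foreach ($ch in $channels) {
    Get-WinEvent -FilterHashtable @{ LogName = $ch; StartTime = $since } -ErrorAction SilentlyContinue
}

# Keep only per-request events, i.e. those whose message carries a CID.
$byCid = $events |
    ForEach-Object {
        if ($_.Message -match 'CID:\s*(?<cid>\S+)') {
            [pscustomobject]@{ Cid = $Matches.cid; Time = $_.TimeCreated; Log = $_.LogName; Message = $_.Message }
        }
    } |
    Group-Object Cid

foreach ($g in $byCid) {
    $ordered = @($g.Group | Sort-Object Time)
    $last = $ordered[-1]
    # A request whose newest event is the challenge request never received a
    # verdict from the MFA service: exactly the gap described in the question.
    if ($last.Message -match 'Challenge requested') {
        $user = if ($last.Message -match 'for User (?<u>\S+)') { $Matches.u } else { '?' }
        [pscustomobject]@{
            Cid        = $g.Name
            User       = $user
            LastEvent  = $last.Time
            LastLog    = $last.Log
            Events     = $ordered.Count
            WaitedSecs = [int]((Get-Date) - $last.Time).TotalSeconds
        }
    }
}
```

Run it in an elevated PowerShell session on the NPS server; an empty result within the lookback window means every challenge was followed by a later event, so the hang is somewhere other than the extension's conversation with the MFA service.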
