DaveK-9647 asked:

Azure MFA - NPS Extension - No MFA prompt on logon

Hi guys, I'm hoping somebody can help here.

I have a brand new build of an RDS environment hosted in Azure on Server 2019. All RDS roles are on one server and then there's a separate NPS server to handle Azure MFA authentication.

The RDS side of things is looking fine. I've presented a simple collection and can log onto the web server, sign in, and RDP into the collection. That's the easy bit.

The problem I'm having is integrating Azure MFA into the sign-in. I had actually configured this for a previous environment and all went fine; I'm unsure why this setup is different.

I've followed these instructions to the letter, but I cannot get the MFA prompt to kick in.

http://microsoftplatform.blogspot.com/2017/02/securing-rd-gateway-with-mfa-using-new.html

The problem is that MFA doesn't kick in and my test account logs in every time, without needing the second factor of authentication.

MFA is definitely enforced on my account and the license is applied on my O365 account. If I log into the Azure portal from the same desktop I get an MFA prompt at that stage, so MFA appears to be OK. It's just the integration into the RDS environment.

I really would appreciate some help as I'm under a bit of pressure to demo this in the next few days.

amanpreetsingh-msft answered:

Hi @DaveK-9647. There seem to be some configuration issues with the NPS server configuration. I would suggest you compare your NPS configuration with the settings mentioned in the sections below of this document: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg#configure-nps-components-on-remote-desktop-gateway

  • Configure NPS components on Remote Desktop Gateway

  • Configure NPS on the server where the NPS extension is installed

For debugging, you can look into the Network Policy and Access Services event log filter on the NPS server, as highlighted below:

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


capture.jpg (20.8 KiB)
· 9 ·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

That's the strange thing, even though I've configured the RD-CAPS on the Gateway server to point to the NPS server, the logs you mentioned are completely blank on the NPS server.


@DaveK-9647 Try comparing your settings with the document link that I have shared. I suspect a configuration issue with the NPS configuration only.

DaveK-9647 (replying to amanpreetsingh-msft):

I've just been through the entire document and the config I've put in looks correct. I have NPS (and the gateway) set up exactly as documented in that article.

Any further suggestions?

ManuPhilip answered:
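A quick way to check the hypothesis in the comments above (that the RD Gateway never actually reaches the NPS server, which is why its logs are blank) from the NPS server itself. This is an added diagnostic, not code from the thread or from Microsoft; the event IDs, log names and registry path are the Windows/NPS-extension defaults and are assumed here.

```powershell
# Added diagnostic (not from the thread). Run in an elevated PowerShell on the
# NPS server that has the Azure MFA NPS extension installed.
# Assumptions: default Windows log names and NPS registry path; the time window is arbitrary.
param([int]$Hours = 2)
$since = (Get-Date).AddHours(-$Hours)

# 1. Is any RADIUS traffic reaching NPS at all? NPS records every decision in the
#    Security log: 6272 = access granted, 6273 = access denied, 6274 = request discarded.
#    These are the events behind the "Network Policy and Access Services" custom view.
$nps = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = $since } -ErrorAction SilentlyContinue)
if ($nps.Count -eq 0) {
    Write-Warning ("No NPS decisions in the last $Hours h. The RD Gateway is not sending RADIUS to this server: " +
                   "check the RD CAP store (central NPS), the RADIUS client entry and shared secret for the gateway, " +
                   "and UDP 1812/1813 between the two servers.")
} else {
    $nps | Group-Object Id | ForEach-Object { "{0} x Event {1}" -f $_.Count, $_.Name }
    # The most recent denials carry the reason code and text in the message body.
    $nps | Where-Object Id -eq 6273 | Select-Object -First 3 TimeCreated, Message | Format-List
}

# 2. Did the Azure MFA extension actually run for those requests? It writes its own
#    operational log (Applications and Services Logs > Microsoft > AzureMfa > AuthZ).
$mfaLog = 'Microsoft-AzureMfa-AuthZ/AuthZOptCh'   # assumed default channel name
$mfa = @(Get-WinEvent -FilterHashtable @{ LogName = $mfaLog; StartTime = $since } -ErrorAction SilentlyContinue)
if ($mfa.Count -eq 0) {
    Write-Warning "No events in $mfaLog. Either no request reached NPS (see step 1) or the extension is not loaded."
} else {
    $mfa | Select-Object -First 5 TimeCreated, Id, Message | Format-List
}

# 3. Is the extension registered with NPS? NPS loads extension DLLs listed under AuthSrv\Parameters;
#    an empty AuthorizationDLLs value means requests are answered without the MFA plug-in.
$params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters' -ErrorAction SilentlyContinue
"AuthorizationDLLs: $($params.AuthorizationDLLs)"
"ExtensionDLLs:     $($params.ExtensionDLLs)"
```

If step 1 shows no events while a logon succeeded, the gateway authorised the user locally and the NPS configuration is not the place to look; if step 1 shows 6272 events but step 2 is empty, the extension is installed but not being invoked.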

Hello @DaveK-9647,

One-time bypass applies to MFA Server; check whether it is configured here: https://portal.azure.com/#blade/Microsoft_AAD_IAM/MultifactorAuthenticationMenuBlade/OneTimeBypass/fromProviders/

Thanks,
Manu


No, unfortunately no bypasses are set up for any users or groups. If I try to log into the O365 portal or Azure portal (same account, from the same device) I get an MFA notification and all works fine. This works consistently. It's only the logon to RDS I'm having trouble with.