
ParshwaAmitkumarShah-5758 asked:

Latency for getting Azure MFA through NPS (Reason Code : 10 The request was discarded because an extension dll crashed or malfunctioned)

I have users logging in to a FortiGate VPN with Azure MFA authentication. The configuration is done using the NPS component, and it was working fine for a couple of weeks. Today, suddenly, users were facing a latency of 1 - 2 minutes in receiving the MFA push and call notifications in the MS Authenticator app; they also receive multiple notification challenges in the MS Authenticator app. By accepting the challenge, the user is able to log in.

The ping response time between the FortiGate VPN and the Azure NPS server is good.

When checking Event Viewer, I found the message below:

User:
Security ID: NULL SID
Account Name: -
Account Domain: -
Fully Qualified Account Name: -

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -

NAS:
NAS IPv4 Address: -
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: -

RADIUS Client:
Client Friendly Name: RD Gateway
Client IP Address: xxx.xxx.xxx.xxx

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: -
Authentication Provider: -
Authentication Server: xxxx.xx.xxxxx.com
Authentication Type: -
EAP Type: -
Account Session Identifier: 00000001
Reason Code: 10
Reason: The request was discarded because an extension dll crashed or malfunctioned.

I request help resolving this issue, or steps to troubleshoot it.


Tags: azure-ad-connect, azure-ad-multi-factor-authentication

MarileeTurscak answered:

Hi @ParshwaAmitkumarShah-5758 ,


I've gotten this error for a variety of reasons while using the NPS extension so I'll give several things to try.


It's possible that the request is timing out too soon. In that case, make sure that it's set to at least 60 seconds to give the request enough time to succeed. [attachment: radiustimeout.png]


Make sure you have the latest version of the extension installed. Older versions sometimes threw that DLL error. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg#install-the-nps-extension


Make sure that there aren't any duplicate or old certificates on the server.


You can check using:


Get-MsolServicePrincipalCredential -AppPrincipalId "app-principal-id" -ReturnKeyValues 1


Then you can remove duplicates using:


Remove-MsolServicePrincipalCredential -AppPrincipalId "app-principal-id" -KeyIds <enterkeyidhere>


See also the related discussion: https://www.reddit.com/r/AZURE/comments/a0qp5p/azure_mfa_nps_extension_for_rdgateway/


If you're still having this issue feel free to send your event logs to me at AzCommunity@microsoft.com and I can help troubleshoot.


Thanks!


Marilee
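The checks above (Reason Code 10 events, extension version, local and tenant-side certificates) collected into one script, as an added example that is not part of the original thread or of Microsoft's extension. It is meant to be run in an elevated PowerShell session on the NPS server. The AppPrincipalId is the "Azure Multi-Factor Auth Client" application that Microsoft's NPS-extension documentation uses for the same Get-MsolServicePrincipalCredential call; the Uninstall-key DisplayName filter, the log names and the certificate subject filter are assumptions marked as such in the comments, and part 4 requires the MSOnline module and a prior Connect-MsolService.

```powershell
# Added example, not code from the original thread. Run elevated on the NPS server.
# Lines marked ASSUMPTION depend on the install defaults; adjust them for your environment.

$since = (Get-Date).AddHours(-24)

# --- 1. Requests discarded with Reason Code 10 (extension DLL crashed or malfunctioned) ---
# NPS audits discarded requests as Security event 6274 (6273 = denied). The reason code
# only appears in the message text, so the filter matches on it and groups by RADIUS client.
$reason10 = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273, 6274; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Reason Code:\s+10\b' }
"[1] Reason Code 10 events since $since : $(@($reason10).Count)"
$reason10 |
    Group-Object { if ($_.Message -match 'Client IP Address:\s+(\S+)') { $Matches[1] } else { 'unknown' } } |
    Sort-Object Count -Descending |
    Format-Table Count, @{ n = 'RadiusClient'; e = { $_.Name } } -AutoSize

# --- 2. Installed extension version, to compare with the current MSI from Microsoft ---
# ASSUMPTION: the MSI registers an Uninstall entry whose DisplayName contains "NPS Extension".
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*NPS Extension*' } |
    Format-Table DisplayName, DisplayVersion, InstallDate -AutoSize

# --- 3. Local extension certificates: expired or duplicated ones are a known cause ---
# ASSUMPTION: the setup script's self-signed cert lives in LocalMachine\My with
# "OU=Microsoft NPS Extension" in its subject; widen the filter if yours differs.
$localCerts = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*OU=Microsoft NPS Extension*' })
"[3] NPS-extension certificates in LocalMachine\My: $($localCerts.Count)"
$localCerts | Format-Table Subject, Thumbprint, NotAfter,
    @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } } -AutoSize
$localCerts | Group-Object Subject | Where-Object Count -gt 1 |
    ForEach-Object { "    DUPLICATE subject on this server: $($_.Name) ($($_.Count) certs)" }

# --- 4. Credentials registered on the tenant-side service principal ---
# Requires the MSOnline module and a prior Connect-MsolService. The AppPrincipalId is the
# "Azure Multi-Factor Auth Client" application used in Microsoft's NPS-extension docs.
$appPrincipalId = '981f26a1-7f43-403b-a875-f8b09b8cd720'
$localThumbs = @($localCerts | ForEach-Object Thumbprint)
$creds = Get-MsolServicePrincipalCredential -AppPrincipalId $appPrincipalId -ReturnKeyValues $true
foreach ($c in $creds) {
    if ($c.Type -ne 'AsymmetricX509Cert' -or -not $c.Value) { continue }
    # The key value is the base64 DER certificate; decode it to compare thumbprints.
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($c.Value))
    $expired    = $c.EndDate -lt (Get-Date)
    $onThisHost = $localThumbs -contains $x509.Thumbprint
    "[4] KeyId=$($c.KeyId) thumb=$($x509.Thumbprint) ends=$($c.EndDate) expired=$expired onThisHost=$onThisHost"
    if ($expired) {
        # Print the removal command rather than running it: every NPS server in the tenant
        # registers its own certificate here, so a key that is not on this host is not
        # automatically stale. Remove only keys you have positively identified.
        "    Remove-MsolServicePrincipalCredential -AppPrincipalId $appPrincipalId -KeyIds $($c.KeyId)"
    }
}
```

The 60-second timeout mentioned above is configured on the RADIUS client, not on the NPS server: for a FortiGate that is the `remoteauthtimeout` value under `config system global` (an assumption to verify against your FortiOS version), whose default is a few seconds and therefore shorter than a typical push-notification round trip. A client that times out and retransmits while the first request is still waiting on the Authenticator app is one way to get the duplicate challenges the question describes.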




ParshwaAmitkumarShah-5758 answered:

Thank you @MarileeTurscak for your answer;


I forgot to mention that we also observed in Task Manager a process called "COM Surrogate" using 98% of the CPU on the NPS server. We killed the process and restarted the NPS server, and the issue was resolved, but today we are facing the same latency in getting the push and call notifications again.


As you prescribed, we will install the latest version of the NPS extension and make sure there are no duplicate or old certificates on the server.


If the issue still persists we will send the Event logs to you.



ParshwaAmitkumarShah-5758 answered:

Hey @MarileeTurscak


I think the issue is caused by the "COM Surrogate" process, which is taking CPU utilization to 98%, because of which Windows is not able to run any other processes.


Can you please provide a fix for how to deal with the high CPU utilization caused by the "COM Surrogate" process?


Your help with this is highly appreciated.



MarileeTurscak answered:

Hi @ParshwaAmitkumarShah-5758 ,


I have seen this happen if there are firewalls in place that run retry services for the RADIUS and over time cause a CPU spike. If the RADIUS auth is retrying frequently (like every 5 or 6 seconds) this can cause the spike.


To isolate the issue, try stopping the firewall service and restarting the MFA service.


(Also, it seems like you have already done this, but make sure that you don't have any expired certificates as I've seen this cause this problem before as well.)
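One way to test the retry-storm theory above with data instead of by stopping the firewall, as an added example that is not part of the original thread: read the NPS audit events from the Security log, bucket them per RADIUS client per minute, flag clients that exceed a rate threshold or that re-send the same user's authentication several times inside one bucket (what a retransmit looks like in the audit log), and sample the CPU of the COM Surrogate (dllhost.exe) and NPS (IAS service) processes over a short interval. The threshold values and the per-minute bucket size are assumptions; the event IDs are the standard NPS audit IDs (6272 granted, 6273 denied, 6274 discarded).

```powershell
# Added example, not code from the original thread. Run elevated on the NPS server.
$since         = (Get-Date).AddHours(-1)
$bucketSeconds = 60
$rateThreshold = 30   # ASSUMPTION: more than this many requests/minute from one client is suspicious here
$repeatMin     = 3    # ASSUMPTION: the same user from the same client 3+ times in one bucket looks like retransmits

# --- 1. Parse the NPS audit events into (time, client, user, reason) rows ---
# The first "Account Name:" in an NPS audit message is the user section; "Client IP Address:"
# is the RADIUS client (the VPN) that sent the request.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273, 6274; StartTime = $since } -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $client = if ($e.Message -match 'Client IP Address:\s+(\S+)') { $Matches[1] } else { 'unknown' }
    $user   = if ($e.Message -match 'Account Name:\s+(\S+)')      { $Matches[1] } else { '-' }
    $reason = if ($e.Message -match 'Reason Code:\s+(\d+)')       { [int]$Matches[1] } else { -1 }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Bucket  = [math]::Floor(($e.TimeCreated - $since).TotalSeconds / $bucketSeconds)
        Client  = $client
        User    = $user
        EventId = $e.Id
        Reason  = $reason
    }
}
"[1] NPS audit events since $since : $(@($rows).Count)"

# --- 2. Per-client request rate: a client far above the others is retrying, not authenticating ---
$rows | Group-Object Client, Bucket |
    Where-Object Count -gt $rateThreshold |
    ForEach-Object {
        $client, $bucket = $_.Name -split ',\s*'
        $start = $since.AddSeconds([int]$bucket * $bucketSeconds)
        "[2] RATE  client=$client  $($_.Count) requests in the minute starting $start"
    }

# --- 3. Repeated requests for the same user from the same client inside one bucket ---
# A RADIUS client that times out before the MFA push is answered resends the request; each
# resend reaches the extension and triggers another push, which is the duplicate-challenge symptom.
$rows | Group-Object Client, User, Bucket |
    Where-Object { $_.Count -ge $repeatMin -and ($_.Name -split ',\s*')[1] -ne '-' } |
    ForEach-Object {
        $client, $user, $bucket = $_.Name -split ',\s*'
        $reasons = ($_.Group | ForEach-Object Reason | Sort-Object -Unique) -join '/'
        "[3] REPEAT client=$client user=$user  $($_.Count) requests in one bucket, reason codes $reasons"
    }

# --- 4. CPU of COM Surrogate (dllhost.exe) and the NPS service process, sampled over 5 s ---
# Get-Process's CPU property is cumulative processor seconds, so two samples are needed for a rate.
$iasPid  = (Get-CimInstance Win32_Service -Filter "Name='IAS'" -ErrorAction SilentlyContinue).ProcessId
$targets = @(Get-Process dllhost -ErrorAction SilentlyContinue)
if ($iasPid) { $targets += @(Get-Process -Id $iasPid -ErrorAction SilentlyContinue) }
$first = @{}
foreach ($p in $targets) { $first[$p.Id] = $p.CPU }
Start-Sleep -Seconds 5
$cores = [Environment]::ProcessorCount
foreach ($p in $targets) {
    $p.Refresh()
    $pct = [math]::Round(($p.CPU - $first[$p.Id]) / 5 / $cores * 100, 1)
    "[4] {0,-10} pid={1,-6} cpu={2,5}% of {3} cores" -f $p.ProcessName, $p.Id, $pct, $cores
}
```

Read parts 2 and 3 together: a client that shows up in both is retransmitting on a timeout, and the fix belongs on that client's RADIUS timeout rather than on the NPS server. Part 4 only tells you whether dllhost.exe or the NPS process is the one burning CPU right now; it does not say why, so pair it with the event counts before concluding that retries are the cause.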

