Forum Discussion

busted-it-guy
Copper Contributor
Apr 13, 2022

NPS+Azure NPS Extension for Multifactor working for VPN but not for RDS

Getting an odd issue and, after going scorched earth on my configuration, I'm completely stumped.

I have an RDS gateway server in the DMZ on 443, a Remote Desktop session/broker on another server in the DMZ, and a Multifactor server (now two for troubleshooting) in the LAN. All 4 servers can talk to each other since, for testing purposes, I have allowed ALL/everything to traverse the DMZ to LAN for all 4 of these servers in my firewall.

I set up the VPN per the recommendations online. My VPN server is pointed to NPS server #1. Before I installed the Azure NPS extension on that server, I tested with regular NPS policies and I was able to authenticate without multifactor. So I installed the Azure NPS extension and tested again. I was able to multifactor. Wonderful! (As a side note, half of my IT staff could not, because they were using 4-digit verification and my VPN solution does not have an input field for MFA codes, but that is a whole different issue.)

Skip to setting up the RDS gateway, with a separate session server, certs, and CAP through a central server (NPS server #1). Tried to connect... I received the authentication request... then no connection. I get the "I'm not allowed" type messages, which boiled down to this RDS gateway entry:

The user "{MyUsername}", on client computer "{MyIpAddress}", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".

I then go to my NPS server handling the authentication. I know for a fact that the extension is getting out to Azure and Azure is doing MFA correctly, as I have to accept. I see nothing regarding authentication in the Event Viewer, only in the NPS log file in system32, which gives me no real good info.

Without boring anyone with the hoops I had to jump through to even log the issues, my NPS was logging some items but not audit failures/successes, even though I have those options checked. To fix it I had to run the commands

auditpol /set /subcategory:"Network Policy Server" /success:disable /failure:disable

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

NOW I am getting logs in NPS, and they are indicating the following:

Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
    Security ID:                    NULL SID
    Account Name:                   domain\myname
    Account Domain:                 -
    Fully Qualified Account Name:   -

Client Machine:
    Security ID:                    NULL SID
    Account Name:                   -
    Fully Qualified Account Name:   -
    Called Station Identifier:      UserAuthType:PW
    Calling Station Identifier:     -

NAS:
    NAS IPv4 Address:               -
    NAS IPv6 Address:               -
    NAS Identifier:                 -
    NAS Port-Type:                  Virtual
    NAS Port:                       -

RADIUS Client:
    Client Friendly Name:           {RDS GATEWAY IP}
    Client IP Address:              {RDS Gateway IP}

Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name:            -
    Authentication Provider:        <none>
    Authentication Server:          {FQDN of NPS server}
    Authentication Type:            -
    EAP Type:                       -
    Account Session Identifier:     -
    Reason Code:                    9
    Reason:                         The request was discarded by a third-party extension DLL file.

 

I see several recommendations in my search that point to "uninstall/reinstall", which I have done, or "test without the extension", which I did, and it works without the extension. I also see "user is not licensed for MFA", but not only am I an Azure AD Premium 1 license holder, several people are able to successfully MFA authenticate their VPN via the exact same NPS server. The issue that sets mine apart from the others online is that I am seeing no errors in the AzureMFA entries in the Event Viewer. With the above-mentioned recommendations, there was a corresponding error in the Event Viewer under Applications\Microsoft\AzureMFA\AuthZ\*. It could be cert based, user based, but there was an error.

I am seeing ALL successes (Event ID 1) during every attempt to multifactor through RDS:

NPS Extension for Azure MFA: CID: {CID string} : Access Accepted for user {My Azure UPN} with Azure MFA response: Success and message: session {Session ID string}

Why would VPN have no issues performing NPS authentication with this extension, but multifactor via the same NPS server for an RDS environment does not work at all? Azure auth events think "success", but the NPS server says "I discarded that request because the NPS extension ('third-party extension DLL file') did not allow it."
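As an added example (not code from the post or from Microsoft), here is a small parser that reads the two event texts quoted above, the NPS "discarded" event and the extension's "Access Accepted" line, and lists the findings a defender would pair up: reason code 9, no network policy evaluated, the UserAuthType:PW Called-Station-Id, and an extension Success for the same account. The sample event texts and the 10.0.0.5 / example.com values are constructed, and matching the NPS SAM account name to the UPN prefix is an assumption.

```python
import re

# Constructed samples modelled on the two events quoted in the post (not real exports).
NPS_DISCARD_EVENT = """Network Policy Server discarded the request for a user.
User:
    Security ID:            NULL SID
    Account Name:           domain\\myname
Client Machine:
    Called Station Identifier:  UserAuthType:PW
RADIUS Client:
    Client IP Address:      10.0.0.5
Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name:    -
    Authentication Provider:    <none>
    Reason Code:            9
    Reason:                 The request was discarded by a third-party extension DLL file.
"""
MFA_EXTENSION_EVENT = ("NPS Extension for Azure MFA: CID: 0000-cid : Access Accepted for user "
                       "myname@example.com with Azure MFA response: Success and message: session 0000-sid")

def parse_nps_event(text):
    """Map 'Section/Key' -> value for the indented key/value lines of an NPS event body."""
    fields, section = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            section = line.strip()[:-1]                 # e.g. "Authentication Details"
            continue
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)    # first colon splits key from value
        if m and section:
            fields[f"{section}/{m.group(1).strip()}"] = m.group(2).strip()
    return fields

def parse_extension_event(text):
    """Pull decision, UPN and MFA response out of an 'NPS Extension for Azure MFA' message."""
    m = re.search(r"Access (\w+) for user (\S+) with Azure MFA response: (\w+)", text)
    return {"decision": m.group(1), "user": m.group(2), "mfa": m.group(3)} if m else None

def triage(nps, ext):
    """Findings for one request, pairing the NPS discard with the extension's own verdict.
    Assumption: the SAM part of the NPS Account Name equals the UPN prefix the extension logged."""
    findings = []
    if nps.get("Authentication Details/Reason Code") == "9":
        findings.append("request discarded by the extension DLL (reason code 9)")
    if nps.get("Authentication Details/Network Policy Name") == "-":
        findings.append("no network policy was evaluated")
    if nps.get("Client Machine/Called Station Identifier", "").startswith("UserAuthType"):
        findings.append("Called-Station-Id is UserAuthType:PW, as in the RD Gateway request")
    sam = nps.get("User/Account Name", "").rsplit("\\", 1)[-1].lower()
    if (ext and ext["decision"] == "Accepted" and ext["mfa"] == "Success"
            and ext["user"].split("@")[0].lower() == sam):
        findings.append("extension logged Success for the same account, yet NPS discarded it")
    return findings
```

Run it against the real Event Viewer text by pasting each event body into the two constants; an empty findings list means the request was not the discard-after-Success pattern the post describes.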
