Getting an odd issue and after going scorched on my configuration, I'm completely stumped.
I have a RDS gateway server in the DMZ on 443, a Remote Desktop session/broker on another server in the DMZ. A Multifactor server (now two for troubleshooting) in the LAN. All 4 servers can talk to each other since, for testing purposes, I have allowed ALL/Everything to traverse the DMZ to LAN for all 4 of these servers in my firewall
I set up the VPN per the recommendations online. My VPN server is pointed to the NPS server #1. Before I installed the Azure NPS extension on that server, I tested with regular NPS policies and I was able to authenticate without multifactor. So I installed the Azure NPS extension and tested again. I was able to multifactor. wonderful! (as a side note, half of my IT staff could not because they were using 4 digit verification which my vpn solution does not have an input field for MFA codes, but that is a whole different issue)
Skip to setting up the RDS gateway, with a separate session server, certs, to CAP through central server (NPS Server #1). Tried to connect.. I received the authentication request.. then no connection. I get the "I'm not allowed" type messages which boiled down to the RDS gateway entry:
The user "{MyUsername}", on client computer "{MyIpAddress}", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: "NTLM" and connection protocol used: "HTTP". The following error occurred: "23003".
I then go to my NPS server handling the authentication. I know for a fact that the extension is getting out to Azure and Azure is doing MFA correctly as I have to accept. I see nothing regarding authentication in the Event Viewer. only in the NPS log file in system32 which gives me no real good info.
Without boring anyone with the hoops I had to jump through to even log the issues, my nps was logging some items but not audit failures/successes even though I have those options checked. To fix it I had to run the command
auditpol /set /subcategory:"Network Policy Server" /success:disable /failure:disable
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
NOW I am getting logs in NPS, and they are indicating the following:
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
User:
^(Security ID: NULL SID)
^(Account Name: domain\myname)
^(Account Domain: -)
^(Fully Qualified Account Name: -)
Client Machine:
^(Security ID: NULL SID)
^(Account Name: -)
^(Fully Qualified Account Name: -)
^(Called Station Identifier: UserAuthType:PW)
^(Calling Station Identifier: -)
NAS:
^(NAS IPv4 Address: -)
^(NAS IPv6 Address: -)
^(NAS Identifier: -)
^(NAS Port-Type: Virtual)
^(NAS Port: -)
RADIUS Client:
^(Client Friendly Name: {RDS GATEWAY IP})
^(Client IP Address: {RDS Gateway IP})
Authentication Details:
^(Connection Request Policy Name: Use Windows authentication for all users)
^(Network Policy Name: -)
^(Authentication Provider: <none>)
^(Authentication Server: {FQDN of NPS server})
^(Authentication Type: -)
^(EAP Type: -)
^(Account Session Identifier: -)
^(Reason Code: 9)
^(Reason: The request was discarded by a third-party extension DLL file.)
I see several recommendations on my search that point to "uninstall/reinstall" which I have, or "test without the extension" which I do and it works without the extension. I also see "user is not licensed for MFA" which not only am I a Azure AD premium 1 license holder, several people are able to successfully MFA authenticate their VPN via the exact same NPS server. The issue that sets mine apart from the others online is I am seeing no errors in the AzureMFA entries in the event viewer. With the above mentioned recommendations, there was a corresponding error in the Event viewer under Applications\Microsoft\AzureMFA\AuthZ\*>. It could be cert based, user based, but there was an error.
I am seeing ALL successes (Event ID 1) during every attempt to multifactor through RDS:
NPS Extension for Azure MFA: CID: {CID string} : Access Accepted for user {My Azure UPN} with Azure MFA response: Success and message: session {Session ID string}
Why would VPN have no issues performing NPS authentication with this extension, but multifactor via the same NPS server for a RDS environment does not at all? Azure auth events think "success" but the NPS server says "I discarded that request since the extension because the NPA extension "third-party extension DLL file" did not allow it"
