NPS fails to find user in AD when user has logged in to server itself

%3CLINGO-SUB%20id%3D%22lingo-sub-1511456%22%20slang%3D%22en-US%22%3ENPS%20fails%20to%20find%20user%20in%20AD%20when%20user%20has%20logged%20in%20to%20server%20itself%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1511456%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20successfully%20implemented%20NPS%20with%20the%20AzureMFA%20extension%20to%20send%20an%20MFA%20to%20remote%20workers%20logging%20in%20to%20a%20Netscaler.%20Now%20we%20are%20running%20into%20an%20issue%20that%20all%20MFA%20request%20are%20processed%20as%20they%20should%2C%20exept%20for%20the%20accounts%20which%20have%20logged%20in%20interactively%20to%20the%20NPS%20servers%20themselves.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFor%20that%20accounts%2C%20the%20only%20way%20to%20login%20to%20the%20netscalers%20is%20to%20preceed%20the%20username%20with%20the%20pre-2000%20domain%20name%2C%20for%20example%20%3CSTRONG%3Efabrikam%5Cusername%3C%2FSTRONG%3E.%20Where%20all%20other%20users%20can%20use%20%3CSTRONG%3Eusername.%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20eventlog%20throws%20the%20error%20shown%20below%20when%20an%20account%20that%20cannot%20authenticate%20logs%20in%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENPS%20Extension%20for%20Azure%20MFA%3A%20User%20not%20found%20in%20On%20Premise%20Active%20Directory.%20Exception%20retreiving%20UPN%20for%20User%3A%3A%5Busername%5D%20RadiusId%3A%3A%5B101%5D%20exception%20ErrorCode%3A%3A%20ALTERNATE_LOGINID_ERROR%20Msg%3A%3A%20Error%3A%20Alternate%20LoginId%20lookup%20failed%20for%20userId%3Dusername%2CuserObjectSid%3D%3CHIDDEN%3E%20Enter%20ERROR_CODE%20%40%20%3CA%20href%3D%22https%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D846827%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgo.microsoft.com%2Ffwlink%2F%3Flinkid%3D846827%3C%2FA%3E%20for%20detailed%20troubleshooting%20steps.%3C%2FHIDDEN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EReading%20through%20the%20MS%20article%2C%20we%20tried%20to%20add%20the%20LDAP_ALTERNATE_LOGINID_ATTRIBUTE%20with%20the%20value%20userPrincipalName%2C%20LDAP_FORCE_GLOBAL_CATALOG%20with%20value%20TRUE%20and%20LDAP_LOOKUP_FOREST%20with%20the%20primare%20UPN%20suffix.%20(NPS%20servers%20are%20in%20the%20same%20forest%20as%20the%20domain%20controllers.)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUnfortunately%20this%20doesn't%20solve%20the%20issue.%20It%20looks%20like%20NPS%20looks%20in%20some%20cached%20LSASS%20or%20SAM%20database%20and%20tries%20to%20match%20the%20user%20to%20that.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnybody%20with%20the%20same%20issue%20here%3F%20Or%20better%2C%20a%20solution%3F%20This%20is%20driving%20us%20nuts!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3ERen%C3%A9%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1511456%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EWindows%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
New Contributor

Hi,

 

We successfully implemented NPS with the AzureMFA extension to send an MFA to remote workers logging in to a Netscaler. Now we are running into an issue that all MFA request are processed as they should, exept for the accounts which have logged in interactively to the NPS servers themselves.

 

For that accounts, the only way to login to the netscalers is to preceed the username with the pre-2000 domain name, for example fabrikam\username. Where all other users can use username.

 

The eventlog throws the error shown below when an account that cannot authenticate logs in:

 

NPS Extension for Azure MFA: User not found in On Premise Active Directory. Exception retreiving UPN for User::[username] RadiusId::[101] exception ErrorCode:: ALTERNATE_LOGINID_ERROR Msg:: Error: Alternate LoginId lookup failed for userId=username,userObjectSid=<hidden> Enter ERROR_CODE @ https://go.microsoft.com/fwlink/?linkid=846827 for detailed troubleshooting steps.

 

Reading through the MS article, we tried to add the LDAP_ALTERNATE_LOGINID_ATTRIBUTE with the value userPrincipalName, LDAP_FORCE_GLOBAL_CATALOG with value TRUE and LDAP_LOOKUP_FOREST with the primare UPN suffix. (NPS servers are in the same forest as the domain controllers.)

 

Unfortunately this doesn't solve the issue. It looks like NPS looks in some cached LSASS or SAM database and tries to match the user to that.

 

Anybody with the same issue here? Or better, a solution? This is driving us nuts!

 

Regards,

René

0 Replies