NPS Cross Forest authentication RRS feed

  • Question

  • Hi,

    customer has two AD Forests with 2-way forest-wi
    de trust and suffix routing enabled for all suffixes.

    On-premises users from both forests are synced with Azure ADConnect to Azure AD.Users from these two forests with Azure MFA configured and enabled can access SAAS apps with MFA.

    Customer has deployed a NPS Server on ForestA (on the child1.forestA domain) and NPS extension for Azure MFA was installed and configured.

    The customer needs his users (from both forests) to be able to authenticate on a Pulse published apps while performing strong authentication using Azure MFA.

    Issue description :

    - ForestA users succeed to authenticate on the apps (are prompted by the pulse portal and pass the Azure MFA )

    - ForestB users fail this step and are reprompted for authentication (are not even prompted to enter their MFA)

     Event ID : 3 is recorded / Source : AuthZ /  

    NPS extension for Azure MFA: User not found in On Premise Active Directory. Exception retrieving UPN for User::[userXYZ@domainXYZ] Radius::[156] exception ErrorCode::username_canonicalization_error Msg:: User Login name to UPN conversion failed Enter Error_Code @ for detailed Troubleshooting steps.

    Has anyone deployed NPS with extention for Azure MFA in a multi-forest environment ?

    Are there any specific network flow requirements ...?

    Any help would be much appreciated.



    If the provided answer is helpful, please click 'Propose as Answer' Managing Office 365, Identities and Requirements Windows Server Virtualization, Configuration

    Friday, May 4, 2018 8:14 AM

All replies