RDS with the Azure MFA Plugin..Help! AuthZ Event ID 3

  • Question

  • Hi Everyone,

    We have a 2016 RDS Platform we'd like to start using with Azure MFA.  I've created an extra two NPS servers and installed the PowerShell plugin for MFA.  Everything is configured as per:

    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg

    When attempting to connect, the gateways simply time out and do not authenticate.  Looking through the NPS logs I'm seeing this:

    NPS Extension for Azure MFA:  CID: 8bacef42-b3ac-49be-872b-99b3eca79302 :Exception in Authentication Ext for User DOMAIN\username :: ErrorCode:: CID :******** ESTS_TOKEN_ERROR Msg:: Verify the client certificate is property enrolled in Azure against your tenant and the server can access URL in Registry STS_URL.Error authenticating to eSTS: ErrorCode:: ESTS_TOKEN_ERROR Msg:: Error in retreiving token details from request handle: -895352831 Enter ERROR_CODE @ https://go.microsoft.com/fwlink/?linkid=846827for detailed TroubleShooting steps. Enter ERROR_CODE @ https://go.microsoft.com/fwlink/?linkid=846827for detailed TroubleShooting steps.

    I've run numerous PowerShell commands to check the certificates are in Azure, which they are.

    For users not yet enabled for MFA I have added this to the registry:

    REQUIRE_USER_MATCH = FALSE

    On the gateway servers I'm seeing an Event ID 6274:

    The remote RADIUS (Remote Authentication Dial-In User Service) server did not respond.

    Those users are also unable to log in to RDS....I've had to revert all settings to restore service.

    Any ideas?

    Thanks!!



    Monday, October 1, 2018 7:20 AM

Answers

  • Yep, turns out it was a couple of things (neither mentioned in the Microsoft install guide).

    1.  The plugin ONLY supports the app or call methods for authentication

    2.  There are two enterprise apps you need to enable within Azure

    • Marked as answer by GlenHarrison Monday, October 8, 2018 6:50 AM
    Monday, October 8, 2018 6:50 AM

All replies

  • Hi,

    I would recommend that you post on the Azure forum (Azure Community Support), where a relevant product expert may provide more suggestions:
    https://azure.microsoft.com/en-us/support/community/

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 2, 2018 8:30 AM
  • Hi,

    How are things going with this issue?

    Please let me know if you would like further assistance.

    Best Regards,
    Eve Wang


    Thursday, October 4, 2018 7:07 AM
  • Hi,

    Is there any update?

    Best Regards,
    Eve Wang


    Monday, October 8, 2018 3:06 AM
  • Glen,

    I'm having the exact same issue with our deployment. I've raked through every doc I can find to no avail. My account is already configured to use the Authenticator app, but what enterprise apps did you have to enable?

    Thanks,

    Monday, October 8, 2018 5:11 PM
  • If you go into enterprise apps, filter to Microsoft only and look for Azure.  The two are called something like:

    Azure Multi Factor Client Auth

    Azure Multi Factor Connector

    They both need to be enabled.

    Tuesday, October 9, 2018 10:37 AM
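
A read-only check for the two enterprise apps described in the reply above, as an added example that is not part of the original thread. It assumes the Microsoft Graph PowerShell module is installed and that the signed-in account may read service principals; the function name `Get-MfaEnterpriseAppState` and the `Azure Multi` name prefix are assumptions, since the thread gives the app names only approximately.

```powershell
# Added example, not from the thread. Requires the Microsoft.Graph module.
# It only reads state; it does not enable or change anything in the tenant.

function Get-MfaEnterpriseAppState {
    param(
        # Assumed prefix: the thread says the apps are "called something like"
        # Azure Multi Factor Client Auth / Azure Multi Factor Connector.
        [string]$NamePrefix = 'Azure Multi'
    )

    # Enterprise apps are service principals in the tenant.
    $filter = "startswith(displayName,'$NamePrefix')"
    Get-MgServicePrincipal -Filter $filter -All | ForEach-Object {
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            AppId       = $_.AppId
            Enabled     = [bool]$_.AccountEnabled
        }
    }
}

Connect-MgGraph -Scopes 'Application.Read.All'

$apps = @(Get-MfaEnterpriseAppState)
$apps | Format-Table -AutoSize

# The thread reports that both apps must be enabled before the NPS
# extension can authenticate, so flag anything missing or disabled.
if ($apps.Count -lt 2) {
    Write-Warning "Expected two Azure MFA enterprise apps, found $($apps.Count)."
}
foreach ($app in $apps | Where-Object { -not $_.Enabled }) {
    Write-Warning "Enterprise app '$($app.DisplayName)' is disabled for sign-in."
}
```

Run it from an admin workstation rather than the NPS server; a disabled entry here matches the state the thread describes as blocking authentication.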
  • Fantastic. I appreciate that. Enabled the two apps and voilà. Everything works.

    Thanks again!

      
    Tuesday, October 9, 2018 3:53 PM
  • Super cool, this worked like a charm!

    Very Respectfully,
    Nicholas Buckingham
    Premier Field Engineer
    Microsoft Services | Secure Infrastructure | Public Sector
    Office: +1 (720) 5281880
    Mobile: +1 (719) 4934905
    nibuckin@microsoft.com

    Tuesday, June 18, 2019 9:06 PM