NPS Cross Forest authentication


  • Hi,

    customer has two AD Forests with 2-way forest-wi
    de trust and suffix routing enabled for all suffixes.

    On-premises users from both forests are synced with Azure ADConnect to Azure AD.Users from these two forests with Azure MFA configured and enabled can access SAAS apps with MFA.

    Customer has deployed a NPS Server on ForestA (on the child1.forestA domain) and NPS extension for Azure MFA was installed and configured.

    The customer needs his users (from both forests) to be able to authenticate on a Pulse published apps while performing strong authentication using Azure MFA.

    Issue description :

    - ForestA users succeed to authenticate on the apps (are prompted by the pulse portal and pass the Azure MFA )

    - ForestB users fail this step and are reprompted for authentication (are not even prompted to enter their MFA)

     Event ID : 3 is recorded / Source : AuthZ /  

    NPS extension for Azure MFA: User not found in On Premise Active Directory. Exception retrieving UPN for User::[userXYZ@domainXYZ] Radius::[156] exception ErrorCode::username_canonicalization_error Msg:: User Login name to UPN conversion failed Enter Error_Code @ for detailed Troubleshooting steps.

    Has anyone deployed NPS with extention for Azure MFA in a multi-forest environment ?

    Are there any specific network flow requirements ...?

    Any help would be much appreciated.


    If the provided answer is helpful, please click 'Propose as Answer' Managing Office 365, Identities and Requirements Windows Server Virtualization, Configuration

    Saturday, May 12, 2018 7:25 PM

All replies

  • Hi,

    Thanks for your question.

    Please try the following steps to see if it could be of help.

    1 Use the Phone Call Authentication method with the user of B forest to logon to Office 365 or Azure. It could sign shat if the user from B forest have enrolled in Azure AD.

    2 Please check the NPS logs that if it would proceed and trigger to authenticate the user with AD database.

    3 Please also check the Event Viewer for more error message so that we could find more clue.

    Hope this helps. If you have any questions and concerns, please feel free to let me know.

    Have a nice day!

    Best regards,


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Monday, May 14, 2018 10:39 AM
  • Hi Michael,

    thank you for your reply,

    I forgot to mention two things.
    1/ the NPS server is actually configured to forward the connection requests to remote RADIUS Proxy
    2/ the user from forestB is already 'MFA enabled' and I validated that it is working in normal scenarios
    (accessing the or other app from the browser from outside the company's network
      promps him fine with MFA and he's able to connect)

    So the issue is only when that forest B user(s) try to access applications
    published by pulse portal that's using the NPS server which has installed the NPS extension for Azure MFA.

    The same error as I mentioned in my first message plus also the following Audit failure is captured  :
    Reason : An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request
    Reason Code : 21 



    If the provided answer is helpful, please click 'Propose as Answer' Managing Office 365, Identities and Requirements Windows Server Virtualization, Configuration

    Monday, May 14, 2018 2:02 PM