Event ID: 4625 - MFA to RDP Windows 2016 Server

  • Question

  • We are trying to setup MFA for RDP to Servers.  Currently we have one CACard which is not able to connect and throws the following:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          3/8/2019 12:16:50 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      dc01.local
    Description:

    An account failed to log on.

    Subject:
        Security ID:            SYSTEM
        Account Name:           DC01$
        Account Domain:         DOM
        Logon ID:               0x3E7

    Logon Type:                 10

    Account For Which Logon Failed:
        Security ID:            NULL SID
        Account Name:           2040204687121000@XXX
        Account Domain:

    Failure Information:
        Failure Reason:         Unknown user name or bad password.
        Status:                 0xC000006D
        Sub Status:             0xC0000064

    Process Information:
        Caller Process ID:      0x5b0
        Caller Process Name:    C:\Windows\System32\svchost.exe

    Network Information:
        Workstation Name:       dc01
        Source Network Address: 100.10.103.23
        Source Port:            0

    Detailed Authentication Information:
        Logon Process:          User32
        Authentication Package: Negotiate
        Transited Services:     -
        Package Name (NTLM only): -
        Key Length:             0

    The admins can successfully RDP into the DC with their regular AD accounts.  It fails when they use the MFA CACard.

    PS: I created a test environment and it works fine with the CACard in the test.

    Something in the Prod which only has 1 DC is wrong.

    Any thoughts?

    Thank you in advance.

    Friday, March 8, 2019 7:02 PM

Answers

  • Today I was able to resolve the issue.  It is embarrassing!

    The issue was caused by a typo in the User Logon Name: 2040204687121000@xxx.

    Thank you ALL for assisting me through this learning path.

    • Marked as answer by WildPacket Monday, March 18, 2019 3:35 PM
    Monday, March 18, 2019 2:35 PM
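Added example, not code from the thread: a small Python triage helper that parses a flattened 4625 body like the one posted above, decodes the logon type and sub-status (0xC0000064 is "user name does not exist", which is exactly what a mistyped UPN produces), and groups such failures by source address so one repeated bad name (this thread's typo) can be told apart from many distinct names from a single host. The sample event text is the thread's own, reflowed onto one line; the enumeration threshold and function names are assumptions.

```python
import re
from collections import defaultdict

# Sub-status (NTSTATUS) values Microsoft documents for Event ID 4625.
SUB_STATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "correct user name, wrong password",
    0xC000006F: "logon outside authorized hours",
    0xC0000070: "workstation restriction",
    0xC0000071: "password expired",
    0xC0000072: "account disabled",
    0xC000015B: "logon type not granted",
    0xC0000193: "account expired",
    0xC0000234: "account locked out",
}
LOGON_TYPE = {2: "Interactive", 3: "Network", 7: "Unlock", 8: "NetworkCleartext",
              9: "NewCredentials", 10: "RemoteInteractive (RDP)", 11: "CachedInteractive"}

def parse_4625(body):
    """Extract the triage-relevant fields from a flattened 4625 message body."""
    target = body.split("Account For Which Logon Failed:", 1)[1]  # skip the Subject block
    def field(pattern, src=body):
        m = re.search(pattern, src)
        return m.group(1) if m else None
    sub = int(field(r"Sub Status:\s+(0x[0-9A-Fa-f]+)"), 16)
    return {"user": field(r"Account Name:\s+(\S+)", target),
            "logon_type": LOGON_TYPE.get(int(field(r"Logon Type:\s+(\d+)")), "other"),
            "reason": SUB_STATUS.get(sub, "unknown sub status %#x" % sub),
            "source": field(r"Source Network Address:\s+(\S+)")}

def triage(bodies, enum_threshold=3):
    """Group 'user name does not exist' failures by source address (assumed threshold):
    many distinct names from one source looks like account enumeration;
    one name repeated is usually a typo or certificate-mapping error, as in this thread."""
    names = defaultdict(set)
    for ev in map(parse_4625, bodies):
        if ev["reason"] == "user name does not exist":
            names[ev["source"]].add(ev["user"])
    verdicts = {}
    for src, users in names.items():
        if len(users) >= enum_threshold:
            verdicts[src] = "possible user enumeration (%d distinct names)" % len(users)
        else:
            verdicts[src] = "nonexistent name %s: check UPN / certificate mapping" % ", ".join(sorted(users))
    return verdicts

# Constructed sample: the thread's event reflowed onto one line (XXX kept as posted).
SAMPLE = ("An account failed to log on. Subject: Security ID: SYSTEM Account Name: DC01$ "
          "Account Domain: DOM Logon ID: 0x3E7 Logon Type: 10 Account For Which Logon Failed: "
          "Security ID: NULL SID Account Name: 2040204687121000@XXX Account Domain: "
          "Failure Information: Failure Reason: Unknown user name or bad password. "
          "Status: 0xC000006D Sub Status: 0xC0000064 Network Information: Workstation Name: dc01 "
          "Source Network Address: 100.10.103.23 Source Port: 0")
```

Run `triage([SAMPLE])` to see the single-name verdict for the source address in the post.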

All replies

  • Often, Remote Desktop (RD) Gateway uses the local Network Policy Services (NPS) to authenticate users. This article describes how to route RADIUS requests out from the Remote Desktop Gateway (through the local NPS) to the Multi-Factor Authentication Server. The combination of Azure MFA and RD Gateway means that your users can access their work environments from anywhere while performing strong authentication.

    Since Windows Authentication for terminal services is not supported for Server 2012 R2, use RD Gateway and RADIUS to integrate with MFA Server.

    Install the Azure Multi-Factor Authentication Server on a separate server, which proxies the RADIUS request back to the NPS on the Remote Desktop Gateway Server. After NPS validates the username and password, it returns a response to the Multi-Factor Authentication Server. Then, the MFA Server performs the second factor of authentication and returns a result to the gateway.

    Prerequisites

     Note

    This article should be used with MFA Server deployments only, not Azure MFA (Cloud-based).

    Configure the Remote Desktop Gateway

    Configure the RD Gateway to send RADIUS authentication to an Azure Multi-Factor Authentication Server.

    1. In RD Gateway Manager, right-click the server name and select Properties.
    2. Go to the RD CAP Store tab and select Central server running NPS.
    3. Add one or more Azure Multi-Factor Authentication Servers as RADIUS servers by entering the name or IP address of each server.
    4. Create a shared secret for each server.

    Configure NPS

    The RD Gateway uses NPS to send the RADIUS request to Azure Multi-Factor Authentication. To configure NPS, first you change the timeout settings to prevent the RD Gateway from timing out before the two-step verification has completed. Then, you update NPS to receive RADIUS authentications from your MFA Server. Use the following procedure to configure NPS:

    Modify the timeout policy

    1. In NPS, open the RADIUS Clients and Server menu in the left column and select Remote RADIUS Server Groups.
    2. Select the TS GATEWAY SERVER GROUP.
    3. Go to the Load Balancing tab.
    4. Change both the Number of seconds without response before request is considered dropped and the Number of seconds between requests when server is identified as unavailable to between 30 and 60 seconds. (If you find that the server still times out during authentication, you can come back here and increase the number of seconds.)
    5. Go to the Authentication/Account tab and check that the RADIUS ports specified match the ports that the Multi-Factor Authentication Server is listening on.

    Prepare NPS to receive authentications from the MFA Server

    1. Right-click RADIUS Clients under RADIUS Clients and Servers in the left column and select New.
    2. Add the Azure Multi-Factor Authentication Server as a RADIUS client. Choose a Friendly name and specify a shared secret.
    3. Open the Policies menu in the left column and select Connection Request Policies. You should see a policy called TS GATEWAY AUTHORIZATION POLICY that was created when RD Gateway was configured. This policy forwards RADIUS requests to the Multi-Factor Authentication Server.
    4. Right-click TS GATEWAY AUTHORIZATION POLICY and select Duplicate Policy.
    5. Open the new policy and go to the Conditions tab.
    6. Add a condition that matches the Client Friendly Name with the Friendly name set in step 2 for the Azure Multi-Factor Authentication Server RADIUS client.
    7. Go to the Settings tab and select Authentication.
    8. Change the Authentication Provider to Authenticate requests on this server. This policy ensures that when NPS receives a RADIUS request from the Azure MFA Server, the authentication occurs locally instead of sending a RADIUS request back to the Azure Multi-Factor Authentication Server, which would result in a loop condition.
    9. To prevent a loop condition, make sure that the new policy is ordered ABOVE the original policy in the Connection Request Policies pane.

    Configure Azure Multi-Factor Authentication

    The Azure Multi-Factor Authentication Server is configured as a RADIUS proxy between RD Gateway and NPS. It should be installed on a domain-joined server that is separate from the RD Gateway server. Use the following procedure to configure the Azure Multi-Factor Authentication Server.

    1. Open the Azure Multi-Factor Authentication Server and select the RADIUS Authentication icon.
    2. Check the Enable RADIUS authentication checkbox.
    3. On the Clients tab, ensure the ports match what is configured in NPS then select Add.
    4. Add the RD Gateway server IP address, application name (optional), and a shared secret. The shared secret needs to be the same on both the Azure Multi-Factor Authentication Server and RD Gateway.
    5. Go to the Target tab and select the RADIUS server(s) radio button.
    6. Select Add and enter the IP address, shared secret, and ports of the NPS server. Unless using a central NPS, the RADIUS client and RADIUS target are the same. The shared secret must match the one set up in the RADIUS client section of the NPS server.

      https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-nps-rdg
    Friday, March 8, 2019 7:10 PM
  • Thank you Avital.

    The above works like a charm in my test environment like I stated above.

    Friday, March 8, 2019 7:16 PM
  • Hi,

    Thanks for your post in our forum.

    Please refer to the following link to see if it helps.

    4625(F): An account failed to log on.

    Hope the above information can help you.

    Thanks again for your understanding and support.

    Best Regards,

    Otto 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, March 11, 2019 2:10 AM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Otto Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 14, 2019 7:35 AM
  • Thank you for the follow-up, Otto.  Issue still not resolved.

    • Edited by WildPacket Monday, March 18, 2019 2:33 PM
    Sunday, March 17, 2019 3:05 PM
  • Hi,

    Thanks for your reply.

    I am glad to hear that the issue has been resolved.

    If you have any questions or requirements, please feel free to contact us.

    Thanks again for your understanding and support.

    Best Regards,

    Otto


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, March 19, 2019 1:35 AM