MFA Extension - one problematic user only

  • Question

  • Dear all,

    I've got settings to require MFA for VPN users. It works well, but one user could not get in, even though others can. I am getting the following error for it. The credentials are valid; the NPS Extension just rejects it, or better said, the NPS Ext. got RejectState, so it did not forward to the Azure MFA service. The same error message pops up even if I put invalid credentials in. Any clue about it? I tried to use SAM and UPN, it does not work; invalid credentials, it does not work.

    Thanks in advance.

    Log Name:      AuthZOptCh
    Source:        Microsoft-AzureMfa-AuthZ
    Date:          10/11/2017 8:50:49 AM
    Event ID:      1
    Task Category: None
    Level:         Information
    Keywords:      
    User:          NETWORK SERVICE
    Computer:      NPS-EXT-02.myonprem.local
    Description:
    NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User user.name@mypublicdomainname.suffix with response state AccessReject, ignoring request.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-AzureMfa-AuthZ" Guid="{F467B6B9-E970-4569-9798-9F452BBAC055}" />
        <EventID>1</EventID>
        <Version>0</Version>
        <Level>4</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2017-10-11T06:50:49.755581400Z" />
        <EventRecordID>270</EventRecordID>
        <Correlation />
        <Execution ProcessID="6256" ThreadID="1456" />
        <Channel>AuthZOptCh</Channel>
        <Computer>NPS-EXT-02.myonprem.local</Computer>
        <Security UserID="S-1-5-20666" />
      </System>
      <EventData>
        <Data Name="msg">NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User user.name@mypublicdomainname.suffix with response state AccessReject, ignoring request.</Data>
      </EventData>
    </Event>


    Petr Weiner



    • Edited by Petr Weiner Wednesday, October 11, 2017 7:24 AM
    Wednesday, October 11, 2017 7:22 AM

All replies

  • Dear all, solved. As has been said, it was user-based only: it looks like someone changed the setting on the DIAL-IN tab, under Network Access Permissions in AD, where the user had DENY set. Changed to Control access through NPS Network Policy and it works.

    Petr Weiner

    Wednesday, October 11, 2017 8:10 AM
  • Hi ,

    Thanks for your posting here and sharing the resolution in the forum as it would be helpful to anyone who encounters similar issues.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Candy



    Thursday, October 12, 2017 7:03 AM
    Moderator
  • Petr, thanks for the tip...I have been struggling with a single user now for a few days...wasn't until I came across your post that I resolved it.  Would have never thought of checking there only because I never touch that setting in AD.

    Thanks again

    Monday, February 12, 2018 4:42 PM
  • I was experiencing the exact same with a handful of users and was unable to get anywhere with Citrix and Microsoft support.  Thanks for posting this.

    Scott

    Thursday, November 22, 2018 4:16 PM
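
A read-only check for the cause reported in this thread, added here as an example and not part of any post above. It assumes the RSAT ActiveDirectory module and that the Dial-in tab's Network Access Permission is stored in the user's `msNPAllowDialin` attribute (unset corresponds to "Control access through NPS Network Policy"); `Get-DialInPermission` is a hypothetical helper name, and the identity is the one shown in the logged event.

```powershell
Import-Module ActiveDirectory   # RSAT Active Directory module (assumed installed)

# Hypothetical helper: report the Dial-in "Network Access Permission" of a user.
function Get-DialInPermission {
    param([Parameter(Mandatory)][string]$Identity)   # UPN or sAMAccountName

    # Double any apostrophe so the value cannot break out of the filter string.
    $safe  = $Identity.Replace("'", "''")
    $users = Get-ADUser -Properties msNPAllowDialin `
        -Filter "UserPrincipalName -eq '$safe' -or SamAccountName -eq '$safe'"

    foreach ($u in $users) {
        if ($null -eq $u.msNPAllowDialin) {
            # Attribute not set: the decision is left to the NPS network policies.
            $setting = 'Control access through NPS Network Policy'
        } elseif ($u.msNPAllowDialin) {
            $setting = 'Allow access'
        } else {
            # Explicit Deny: NPS answers AccessReject before the MFA extension runs,
            # which matches the "ignoring request" event quoted in the question.
            $setting = 'Deny access'
        }
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            UserPrincipalName = $u.UserPrincipalName
            DialInPermission  = $setting
        }
    }
}

# 1) Check the account named in the event.
Get-DialInPermission -Identity 'user.name@mypublicdomainname.suffix'

# 2) List every account with an explicit Deny, so single-user surprises
#    are found before the next rejected logon.
Get-ADUser -LDAPFilter '(msNPAllowDialin=FALSE)' -Properties msNPAllowDialin |
    Select-Object SamAccountName, UserPrincipalName, msNPAllowDialin

# 3) Assumed equivalent of selecting "Control access through NPS Network Policy"
#    in the GUI: clear the attribute. Left commented out because it changes AD.
# Set-ADUser -Identity '<sAMAccountName>' -Clear msNPAllowDialin
```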