NPS Cross Forest authentication

    Question

  • Hi,

    A customer has two AD forests with a 2-way forest-wide trust and suffix routing enabled for all suffixes.

    On-premises users from both forests are synced with Azure AD Connect to Azure AD. Users from these two forests with Azure MFA configured and enabled can access SaaS apps with MFA.

    The customer has deployed an NPS server in ForestA (in the child1.forestA domain), and the NPS extension for Azure MFA was installed and configured.

    The customer needs his users (from both forests) to be able to authenticate to Pulse-published apps while performing strong authentication using Azure MFA.


    Issue description :

    - ForestA users succeed in authenticating to the apps (they are prompted by the Pulse portal and pass Azure MFA)

    - ForestB users fail this step and are reprompted for authentication (they are not even prompted for their MFA)

     Event ID 3 is recorded, Source: AuthZ:

    NPS extension for Azure MFA: User not found in On Premise Active Directory. Exception retrieving UPN for User::[userXYZ@domainXYZ] Radius::[156] exception ErrorCode::username_canonicalization_error Msg:: User Login name to UPN conversion failed Enter Error_Code @ https://go.microsoft.com/fwlink/?linkid=846827 for detailed Troubleshooting steps.

    Has anyone deployed NPS with the extension for Azure MFA in a multi-forest environment?

    Are there any specific network flow requirements ...?

    Any help would be much appreciated.

    Thanks.


    If the provided answer is helpful, please click 'Propose as Answer' Managing Office 365, Identities and Requirements Windows Server Virtualization, Configuration

    Saturday, 12 May 2018 19:25

Answers

  • Hi,

    as we've identified and fixed the issue, allow me to share our experience.

    Summary of the configuration 
    AD ForestA :
    * with child domains 1, 2, 3
    * 2 NPS servers, each configured with a NPS extension for Azure MFA 

    AD ForestB :

    Two way AD Trust between ForestA and ForestB 
    * forest-wide authentication (non-selective)
    * suffix routing enabled

    Issue description
    Secondary authentication is not even triggered for ForestB users, and the user is reprompted to enter credentials
    on the Pulse page.

    What was missing
    1/ Ensure the following network flow from NPS to ForestB:
        port 3268 from the NPS server(s) to the Global Catalog servers of ForestB

    2/ Ensure the following registry entries under "HKLM\Software\Microsoft\AzureMFA" are set as follows:
         * LDAP_ALTERNATE_LOGINID_ATTRIBUTE = UserPrincipalName
         * LDAP_FORCE_GLOBAL_CATALOG = TRUE
         * LDAP_LOOKUP_FORESTS = ForestA.local;ForestB.local
             (the forest root domain names, separated by ';')
    3/ In the end, we didn't need to register any of the NPS servers in any of the domains.
     
    Regards,
    Yassine.



    Thursday, 7 June 2018 13:40
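As an added example that is not part of the original thread, the PowerShell script below checks the three items from the accepted answer on an NPS server: it sets the registry values the NPS extension reads for cross-forest UPN resolution, tests TCP 3268 from the NPS server to the Global Catalog servers of each forest (discovered from the _gc._tcp SRV record), and then resolves a login name to a UPN through the GC, which is the lookup that fails with username_canonicalization_error when a forest or the port is missing. The forest names, the test account, and the function and variable names are assumptions for illustration; the placeholder UPN is the redacted one from the question.

```powershell
# Added example (not from the original thread): verify the prerequisites listed in the
# accepted answer for the NPS extension for Azure MFA in a two-forest environment.
# Run on each NPS server as an administrator. Forest names and the test UPN are assumptions.
#Requires -RunAsAdministrator

$Forests = @('forestA.local', 'forestB.local')   # forest root domain names (assumed)
$TestUpn = 'userXYZ@domainXYZ'                    # a ForestB account that failed (placeholder)
$RegPath = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'

# 1. Registry values for alternate-login-ID / cross-forest lookup. All three are REG_SZ;
#    LDAP_LOOKUP_FORESTS is a ';'-separated list of forest root names.
$Desired = @{
    LDAP_ALTERNATE_LOGINID_ATTRIBUTE = 'userPrincipalName'
    LDAP_FORCE_GLOBAL_CATALOG        = 'TRUE'
    LDAP_LOOKUP_FORESTS              = ($Forests -join ';')
}

function Set-AzureMfaLdapSettings {
    param([hashtable]$Settings, [string]$Path)
    if (-not (Test-Path $Path)) { throw "Key $Path not found; is the NPS extension installed?" }
    foreach ($name in $Settings.Keys) {
        $current = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -ne $Settings[$name]) {
            Write-Host "Setting $name = '$($Settings[$name])' (was '$current')"
            Set-ItemProperty -Path $Path -Name $name -Value $Settings[$name] -Type String
        } else {
            Write-Host "$name already set to '$current'"
        }
    }
}

# 2. Network path: TCP 3268 (Global Catalog LDAP) from this server to a GC in every forest.
function Test-GlobalCatalogReachability {
    param([string[]]$ForestRoots)
    foreach ($forest in $ForestRoots) {
        $srv = Resolve-DnsName -Name "_gc._tcp.$forest" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) { Write-Warning "No _gc._tcp SRV records resolved for $forest"; continue }
        foreach ($gc in ($srv.NameTarget | Select-Object -Unique)) {
            $ok = (Test-NetConnection -ComputerName $gc -Port 3268 -WarningAction SilentlyContinue).TcpTestSucceeded
            Write-Host ("{0,-40} 3268/tcp {1}" -f $gc, $(if ($ok) { 'OPEN' } else { 'BLOCKED' }))
        }
    }
}

# 3. Resolve the login name to a UPN via the Global Catalog of each configured forest.
#    A miss here is what the extension reports as username_canonicalization_error.
function Resolve-UpnViaGlobalCatalog {
    param([string]$Upn, [string[]]$ForestRoots)
    foreach ($forest in $ForestRoots) {
        try {
            $root = New-Object System.DirectoryServices.DirectoryEntry("GC://$forest")
            $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
            $searcher.Filter = "(&(objectCategory=person)(userPrincipalName=$Upn))"
            [void]$searcher.PropertiesToLoad.Add('distinguishedName')
            $hit = $searcher.FindOne()
            if ($hit) {
                Write-Host "Found $Upn in $forest GC: $($hit.Properties['distinguishedname'][0])"
                return $true
            }
        } catch {
            Write-Warning "GC query against $forest failed: $($_.Exception.Message)"
        }
    }
    Write-Warning "$Upn not found in any configured forest GC"
    return $false
}

Set-AzureMfaLdapSettings -Settings $Desired -Path $RegPath
Test-GlobalCatalogReachability -ForestRoots $Forests
Resolve-UpnViaGlobalCatalog -Upn $TestUpn -ForestRoots $Forests

# The NPS service (service name IAS) must be restarted for the registry changes to take effect.
Restart-Service -Name IAS
```

If step 2 shows 3268/tcp BLOCKED for every ForestB GC while step 1 is already correct, the fix is on the firewall, not in the registry; if the port is open but step 3 still misses, check that the account's userPrincipalName suffix is actually routed by the trust.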

All replies

  • Hi,

    Thanks for your question.

    Please try the following steps to see if it could be of help.

    1 Use the Phone Call authentication method with the user of forest B to log on to Office 365 or Azure. This could show whether the user from forest B has enrolled in Azure AD.

    2 Please check the NPS logs to see whether it proceeds and triggers authentication of the user against the AD database.

    3 Please also check the Event Viewer for more error messages so that we can find more clues.

    Hope this helps. If you have any questions and concerns, please feel free to let me know.

    Have a nice day!

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, 14 May 2018 10:39
  • Hi Michael,

    thank you for your reply,

    I forgot to mention two things.

    1/ the NPS server is actually configured to forward the connection requests to a remote RADIUS proxy
    2/ the user from ForestB is already 'MFA enabled' and I validated that it is working in normal scenarios
    (accessing portal.office.com or other apps from a browser outside the company's network
      prompts him fine for MFA and he is able to connect)

    So the issue occurs only when ForestB user(s) try to access applications
    published by the Pulse portal that uses the NPS server with the NPS extension for Azure MFA installed.

    The same error as I mentioned in my first message, plus the following audit failure, is captured:
    Reason: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request
    Reason Code: 21

    Regards,  
    Yassine.

    


    Monday, 14 May 2018 14:02
  • Hi,

    Good to hear that you have solved this issue by yourself. Thanks for sharing your solution in the forum as it would be helpful to anyone who encounters similar issues.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best regards,

    Michael



    Friday, 8 June 2018 13:01