Azure MFA NPS module - access denied when generating certificate

  • Question

  • Hi,

    We have an NPS server with the MFA NPS module running perfectly. To avoid a single point of failure, I have built a second NPS server; however, the MFA NPS module fails to process any MFA requests.

    When executing the New-AzureMfaTenantCertificate command I am presented with an "access is denied" message. The PowerShell session is "run as administrator" and the account logging into MSOnline is a global admin and also the account used to configure this on the first (working) server.

    Any guidance on how to resolve this is much appreciated.

    Friday, June 26, 2020 12:24 PM

Answers

  • Answered my own question.

    When importing the working server's Azure MFA tenant certificate, you also have to grant the Network Service read permissions against the Private Key; this is achieved via 'certlm.msc'. I saw in the PowerShell script it does it via ACL against the private key file located in the MachineKeys folder, but this didn't appear to fix the issue at first attempt, hence using the MMC.


    • Edited by J Spencer Friday, June 26, 2020 1:24 PM
    • Marked as answer by J Spencer Friday, June 26, 2020 1:24 PM
    Friday, June 26, 2020 1:17 PM
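
The permission described in the answer above can also be checked from PowerShell. This is an added example, not part of the original thread and not Microsoft's setup script; it assumes the certificate was imported into the LocalMachine\My store with an RSA private key, and the function name and the `<THUMBPRINT>` value are placeholders.

```powershell
# Added example. Run in an elevated Windows PowerShell session on the second NPS server.
function Test-NetworkServiceKeyAccess {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,  # placeholder: thumbprint of the imported certificate
        [switch] $Grant                               # add the Read ACE when it is missing
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint was imported without its private key."
    }

    # Resolve the key file name for either a CNG or a legacy CSP key.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) { throw "Certificate $Thumbprint does not have an RSA private key." }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
    } else {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    $keyFile = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
               "$env:ProgramData\Microsoft\Crypto\Keys" |
        ForEach-Object { Join-Path $_ $name } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
    if (-not $keyFile) { throw "Private key file '$name' not found." }

    # Compare by SID (S-1-5-20 is NETWORK SERVICE) so the check ignores localized account names.
    $sid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $acl  = Get-Acl -LiteralPath $keyFile
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $hasRead = [bool]($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $sid.Value -and
        ($_.FileSystemRights -band $read) -eq $read
    })

    if ($Grant -and -not $hasRead) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $read, 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $keyFile -AclObject $acl
        $hasRead = $true
    }
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; KeyFile = $keyFile; NetworkServiceRead = $hasRead }
}

# Test-NetworkServiceKeyAccess -Thumbprint '<THUMBPRINT>'          # report only
# Test-NetworkServiceKeyAccess -Thumbprint '<THUMBPRINT>' -Grant   # add Read if missing
```

Without `-Grant` the function only reports, so it can be used to confirm what the certlm.msc change ("Manage Private Keys") actually wrote to the key file.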

All replies

  • Hi,

    Good to hear that you have solved this issue by yourself. In addition, thanks for sharing your solution in the forum as it would be helpful to anyone who encounters similar issues.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, June 29, 2020 3:39 AM
    Moderator