Azure MFA NPS module - access denied when generating certificate

  • Question

  • Hi,

    We have an NPS server with the MFA NPS module running perfectly. To avoid a single point of failure I have built a second NPS server; however, the MFA NPS module fails to process any MFA requests.

    When executing the New-AzureMfaTenantCertificate command I am presented with an "access is denied" message. The PowerShell session is "run as administrator" and the account logging into MSOnline is a global admin and also the account used to configure this on the first (working) server.

    Any guidance on how to resolve this is much appreciated.

    Friday, June 26, 2020 12:24

Answers

  • Answered my own question.

    When importing the working server's Azure MFA tenant certificate, you also have to grant the Network Service read permissions against the Private Key; this is achieved via 'certlm.msc'. I saw in the PowerShell script it does it via ACL against the private key file located in the MachineKeys folder, but this didn't appear to fix the issue at first attempt, hence using the mmc.


    • Edited by J Spencer Friday, June 26, 2020 13:24
    • Marked as answer by J Spencer Friday, June 26, 2020 13:24
    Friday, June 26, 2020 13:17
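
The permission check described in the answer above, written out as an added example (not part of the original post and not Microsoft's setup script): it locates the private key file behind the imported certificate, reports whether NETWORK SERVICE has read access, and adds the rule only when `-Grant` is given. Assumptions: elevated Windows PowerShell 5.1, an RSA key, and a `-Thumbprint` value you supply; the parameter names are hypothetical.

```powershell
# Added example. -Thumbprint is a placeholder for the thumbprint of the tenant
# certificate imported into Cert:\LocalMachine\My on the second NPS server.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,
    [switch] $Grant   # without -Grant the script only reports
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this machine." }

# Resolve the key container name (CNG or legacy CSP) so the key file can be found on disk.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# Machine key files live in MachineKeys (CSP) or Crypto\Keys (CNG).
$keyDirs = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys", "$env:ProgramData\Microsoft\Crypto\Keys"
$keyFile = $keyDirs | ForEach-Object { Join-Path $_ $keyName } |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file for container '$keyName' not found." }

# S-1-5-20 is the well-known SID of NT AUTHORITY\NETWORK SERVICE.
$sid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-20'
$read = [System.Security.AccessControl.FileSystemRights]::Read

function Test-NetworkServiceRead([string] $Path) {
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    [bool]($rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -eq $read
    })
}

if (-not (Test-NetworkServiceRead $keyFile) -and $Grant) {
    $acl  = Get-Acl -Path $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $read, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
}

# Re-read the ACL so the report reflects what is actually on disk.
[pscustomobject]@{
    KeyFile            = $keyFile
    NetworkServiceRead = Test-NetworkServiceRead $keyFile
}
```

Running it first without `-Grant` on both servers shows whether the working and the new server differ only in this ACL entry.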

All replies

  • Hi,

    Good to hear that you have solved this issue by yourself. In addition, thanks for sharing your solution in the forum as it would be helpful to anyone who encounters similar issues.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, June 29, 2020 3:39
    Moderator