Troubleshooting NPS extension for Azure Multi-Factor Authentication

I’m sure you are familiar with the following official documentation on how to use your existing NPS infrastructure with Azure Multi-Factor Authentication.

And the following one provides detailed steps to troubleshoot error messages from the NPS extension for Azure MFA.

Here are the recommended troubleshooting steps in case you see the following combination of errors in the NPS Security log and the Microsoft-AzureMfa-AuthZ log.

Log Name:     Security
Source:       Microsoft-Windows-Security-Auditing
Date:         1/22/2019 12:32:30 PM
Event ID:     6274
Task Category: Network Policy Server
Level:         Information
Keywords:     Audit Failure
User:         N/A
Computer:     XXX
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.

    Security ID:                    XXX
    Account Name:                   XXX
    Account Domain:                 XXX
    Fully Qualified Account Name:   XXX
Client Machine:
    Security ID:                    NULL SID
    Account Name:                   –
    Fully Qualified Account Name:   –
    Called Station Identifier:      –
    Calling Station Identifier:     –
    NAS IPv4 Address:               –
    NAS IPv6 Address:               –
    NAS Identifier:                 –
    NAS Port-Type:                  –
    NAS Port:                       –
RADIUS Client:
    Client Friendly Name:           –
    Client IP Address:              –

Authentication Details:
    Connection Request Policy Name: Use Windows authentication for all users
    Network Policy Name:            VPN-
    Authentication Provider:        Windows
    Authentication Server:          xxx
    Authentication Type:            PAP
    EAP Type:                       –
    Account Session Identifier:     –
    Reason Code:                    9
    Reason:                         The request was discarded by a third-party extension DLL file.

Log Name:     AuthZAdminCh
Source:       Microsoft-AzureMfa-AuthZ
Date:         1/22/2019 12:32:30 PM
Event ID:     3
Task Category: None
Level:         Critical
Computer:     XXX
The following information was included with the event:
CID: xxx :Exception in Authentication Ext for User XXX :: ErrorCode:: CID :xxx ESTS_TOKEN_ERROR Msg:: Verify the client certificate is property enrolled in Azure against your tenant and the server can access URL in Registry STS_URL. Error authenticating to eSTS: ErrorCode:: ESTS_TOKEN_ERROR Msg:: Error in retrieving token details from request handle: -895352831 Enter ERROR_CODE @ for detailed TroubleShooting steps. Enter ERROR_CODE @ for detailed TroubleShooting steps.
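To confirm you are actually looking at this combination (and not an unrelated Reason Code 9 discard), it helps to correlate the two events by time on the NPS server. The script below is an added example and is not part of the original post or the NPS extension; it assumes an elevated PowerShell session on the NPS server, uses the log names and event IDs exactly as shown in the two events above, and pairs each Security 6274 event with Reason Code 9 to any AuthZAdminCh Event ID 3 logged within a few seconds of it. The error-code token (such as ESTS_TOKEN_ERROR) is pulled out of the extension's message text with a regular expression written against the format shown above.

```powershell
# Added example (not from the original post): correlate NPS "discarded" events
# (Security log, Event ID 6274, Reason Code 9) with Azure MFA NPS extension
# critical errors (AuthZAdminCh log, Event ID 3) that occur within a few seconds
# of each other. Run in an elevated PowerShell session on the NPS server.
# Log names are taken from the events shown in the post; adjust if yours differ.

param(
    [int]$Hours = 24,          # how far back to look
    [int]$WindowSeconds = 5    # max gap between the two events to treat them as related
)

$since = (Get-Date).AddHours(-$Hours)

# NPS discards: Event ID 6274 in the Security log, keeping only Reason Code 9
# ("The request was discarded by a third-party extension DLL file").
$npsDiscards = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6274; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Reason Code:\s+9\b' }

# Azure MFA NPS extension critical errors: Event ID 3 in the AuthZAdminCh channel.
$mfaErrors = Get-WinEvent -FilterHashtable @{ LogName = 'AuthZAdminCh'; Id = 3; StartTime = $since } -ErrorAction SilentlyContinue

foreach ($d in $npsDiscards) {
    # The first "Account Name:" in a 6274 message is the user's account (the
    # Client Machine section comes later and usually holds "-").
    $user = if ($d.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '?' }

    # Extension errors logged within $WindowSeconds of this discard.
    $related = $mfaErrors | Where-Object {
        [math]::Abs(($_.TimeCreated - $d.TimeCreated).TotalSeconds) -le $WindowSeconds
    }

    foreach ($e in $related) {
        # Extract the extension's error-code token, e.g. ESTS_TOKEN_ERROR.
        # The message format is "ErrorCode:: CID :<id> <TOKEN> Msg:: ..." as shown in the post;
        # the CID part is optional in the pattern in case it is absent.
        $code = if ($e.Message -cmatch 'ErrorCode::\s*(?:CID\s*:\S+\s+)?([A-Z_]+)') { $Matches[1] } else { 'unknown' }

        [pscustomobject]@{
            Time         = $d.TimeCreated
            User         = $user
            NpsReasonCode = 9
            MfaErrorCode = $code
            MfaMessage   = ($e.Message -split "`n")[0]
        }
    }
}
```

Run it as `.\Correlate-NpsMfaErrors.ps1 -Hours 48` (the file name is a suggestion, not a fixed name). If every 6274/Reason Code 9 discard has a matching Event ID 3 with ESTS_TOKEN_ERROR, the failure is on the extension's side of the token request, which is where the certificate, connectivity and service principal checks below apply; discards with no matching extension event point somewhere else (for example a different extension DLL or the policy itself).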

If you have verified that the certificate generated during NPS extension configuration is correctly associated with the Azure MFA Client service principal and that there are no network connectivity issues, I would recommend checking whether the Azure MFA Client and Connector service principals are enabled in your tenant.

You can do this via the Azure AD portal: go to Enterprise Applications, change the Application Type filter to All, search for Azure Multi-Factor Auth Connector and Azure Multi-Factor Auth Client, and make sure both are enabled.

Or you can use Azure AD PowerShell. Connect with Connect-MsolService and run the following commands (the first checks the Client, the second the Connector):

Get-MsolServicePrincipal -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" | fl *
Get-MsolServicePrincipal -AppPrincipalId "1f5530b3-261a-47a9-b357-ded261e17918" | fl *

If the AccountEnabled attribute is set to False, you can enable it with this PowerShell command (replace "xx" with the application ID of the affected service principal from above):

Set-MsolServicePrincipal -AppPrincipalId "xx" -AccountEnabled $True
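The check and the fix above can be combined into one script that reports the state of both service principals and only enables them when you ask it to. This is an added example, not code from the original post or from Microsoft; it assumes the MSOnline module is installed, that you sign in with an account allowed to read and modify service principals, and it uses the two application IDs given in the post.

```powershell
# Added example (not from the original post): report whether the Azure MFA Client
# and Connector service principals are enabled in the tenant and, with -Enable,
# turn on any that are disabled. Application IDs are the ones quoted in the post.
# Assumes the MSOnline module is installed and an account permitted to read and
# change service principals.

param(
    [switch]$Enable    # without this switch the script only reports, it changes nothing
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService

# Friendly name -> AppPrincipalId, as listed in the post.
$mfaApps = @{
    'Azure Multi-Factor Auth Client'    = '981f26a1-7f43-403b-a875-f8b09b8cd720'
    'Azure Multi-Factor Auth Connector' = '1f5530b3-261a-47a9-b357-ded261e17918'
}

foreach ($name in $mfaApps.Keys) {
    $appId = $mfaApps[$name]
    $sp = Get-MsolServicePrincipal -AppPrincipalId $appId -ErrorAction SilentlyContinue

    if (-not $sp) {
        # No service principal at all: the application has never been provisioned
        # in this tenant, which is a different problem from a disabled one.
        Write-Warning "$name ($appId): service principal not found in this tenant"
        continue
    }

    if ($sp.AccountEnabled) {
        Write-Host "$name ($appId): AccountEnabled = True" -ForegroundColor Green
        continue
    }

    Write-Warning "$name ($appId): AccountEnabled = False"
    if ($Enable) {
        Set-MsolServicePrincipal -AppPrincipalId $appId -AccountEnabled $true
        Write-Host "$name ($appId): enabled" -ForegroundColor Yellow
    }
}
```

Run it once without `-Enable` to see the current state, then with `-Enable` only if a principal really is disabled; a "not found" result means the fix is provisioning the application, not flipping AccountEnabled.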

I would also highly recommend having a look at the following Azure MFA NPS Extension Health Check Script –
