I’m sure you are familiar with the following official documentation on how to use your existing NPS infrastructure with Azure Multi-Factor Authentication.
And the following one provides detailed steps to troubleshoot error messages from the NPS extension for Azure MFA.
Here are the recommended troubleshooting steps in case you see the following combination of errors in the NPS server's Security log and the Microsoft-AzureMfa-AuthZ log.
Log Name: Security
Date: 1/22/2019 12:32:30 PM
Event ID: 6274
Task Category: Network Policy Server
Keywords: Audit Failure
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
Security ID: XXX
Account Name: XXX
Account Domain: XXX
Fully Qualified Account Name: XXX
Security ID: NULL SID
Account Name: –
Fully Qualified Account Name: –
Called Station Identifier: –
Calling Station Identifier: –
NAS IPv4 Address: –
NAS IPv6 Address: –
NAS Identifier: –
NAS Port-Type: –
NAS Port: –
Client Friendly Name: –
Client IP Address: –
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: VPN-
Authentication Provider: Windows
Authentication Server: xxx
Authentication Type: PAP
EAP Type: –
Account Session Identifier: –
Reason Code: 9
Reason: The request was discarded by a third-party extension DLL file.
Log Name: AuthZAdminCh
Date: 1/22/2019 12:32:30 PM
Event ID: 3
Task Category: None
User: NETWORK SERVICE
The following information was included with the event:
CID: xxx :Exception in Authentication Ext for User XXX :: ErrorCode:: CID :xxx ESTS_TOKEN_ERROR Msg:: Verify the client certificate is property enrolled in Azure against your tenant and the server can access URL in Registry STS_URL. Error authenticating to eSTS: ErrorCode:: ESTS_TOKEN_ERROR Msg:: Error in retrieving token details from request handle: -895352831 Enter ERROR_CODE @ https://go.microsoft.com/fwlink/?linkid=846827 for detailed TroubleShooting steps. Enter ERROR_CODE @ https://go.microsoft.com/fwlink/?linkid=846827 for detailed TroubleShooting steps.
If you have verified that the certificate generated during NPS configuration was correctly associated with the Azure Multi-Factor Auth Client service principal (SPN) and that there are no network connectivity issues, I would recommend checking whether the Azure Multi-Factor Auth Client and Azure Multi-Factor Auth Connector SPNs are enabled in your tenant.
You can do this via the Azure AD portal: go to Enterprise Applications, change the Application Type filter to All, search for Azure Multi-Factor Auth Connector and Azure Multi-Factor Auth Client, and make sure both are enabled.
Or you can use Azure AD PowerShell (the MSOnline module). Connect with Connect-MsolService and issue the following commands (the first checks the Client, the second the Connector):
Get-MsolServicePrincipal -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" | fl *
Get-MsolServicePrincipal -AppPrincipalId "1f5530b3-261a-47a9-b357-ded261e17918" | fl *
If the AccountEnabled attribute is set to False for either service principal, you can enable it with this PowerShell command (replace xx with the AppPrincipalId of the disabled service principal from the commands above):
Set-MsolServicePrincipal -AppPrincipalId "xx" -AccountEnabled $True
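The check above can be run for both service principals in one go. The following script is an added example and is not part of the original post; it assumes the MSOnline module is installed (Install-Module MSOnline) and that Connect-MsolService has already been run, and it uses only the two AppPrincipalIds quoted above. Without -Fix it only reports; with -Fix it re-enables disabled service principals, honouring -WhatIf.

```powershell
# Added example (not from the original post): report the state of the two Azure MFA
# service principals the NPS extension depends on, and optionally re-enable them.
# Assumes: MSOnline module installed and an existing Connect-MsolService session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Re-enable disabled service principals instead of only reporting them.
    [switch]$Fix
)

# The two AppPrincipalIds quoted in the post.
$mfaServicePrincipals = @{
    'Azure Multi-Factor Auth Client'    = '981f26a1-7f43-403b-a875-f8b09b8cd720'
    'Azure Multi-Factor Auth Connector' = '1f5530b3-261a-47a9-b357-ded261e17918'
}

$results = foreach ($entry in $mfaServicePrincipals.GetEnumerator()) {
    $sp = Get-MsolServicePrincipal -AppPrincipalId $entry.Value -ErrorAction SilentlyContinue
    if (-not $sp) {
        # No SPN in the tenant: enabling it is not possible, the app was never provisioned.
        [pscustomobject]@{ Name = $entry.Key; AppPrincipalId = $entry.Value; State = 'Missing' }
        continue
    }

    $state = if ($sp.AccountEnabled) { 'Enabled' } else { 'Disabled' }
    if (-not $sp.AccountEnabled -and $Fix -and
        $PSCmdlet.ShouldProcess($entry.Key, 'Set AccountEnabled to True')) {
        Set-MsolServicePrincipal -AppPrincipalId $entry.Value -AccountEnabled $true
        $state = 'Re-enabled'
    }
    [pscustomobject]@{ Name = $entry.Key; AppPrincipalId = $entry.Value; State = $state }
}

$results | Format-Table -AutoSize

if (($results.State -contains 'Disabled') -or ($results.State -contains 'Missing')) {
    # A disabled or missing SPN matches the ESTS_TOKEN_ERROR / reason code 9 pattern shown above.
    Write-Warning 'At least one Azure MFA service principal is not usable by the NPS extension.'
}
```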
I would also highly recommend having a look at the following Azure MFA NPS Extension Health Check Script: http://azuredummies.com/2018/09/11/azure-mfa-nps-extension-health-check-script-v1/