When diagnosing why an NPS server will not let a user in and answers with an Access-Reject, the event log may give the following Reason:
An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.
I recommend starting with the event logs. You’ll find the ones you need on your NPS server under
- Custom Views -> Server Roles -> Network Policy and Access Services
This view covers the RADIUS requests and responses, with their accepts and rejects.
If you see the reason “The request was discarded by a third-party extension DLL file.”, you need to dig into the extension logs.
Number matching
MS has decided to enforce number matching in the newer versions of its NPS extension, so if you download the latest version or upgrade an existing install to it, any authentication without number matching will fail.
You’ll need to add a registry value to override it:
- Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa
- Create a String value: OVERRIDE_NUMBER_MATCHING_WITH_OTP with data False
NPS starts working again after a reboot.
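The override step above as a script, so the value is created with the right type and read back before the service is touched. This is an added example, not from the original note: the key, value name and data are the ones given above; the NPS service name IAS (display name "Network Policy Server") is my assumption. Keep in mind what the override does: it turns off number matching for this extension, so the older approve/deny push prompt is what users see again, which is exactly the prompt number matching was introduced to harden.

```powershell
# Added example (not from the original note): set the number-matching override
# described above, verify it, then restart NPS. Run in an elevated PowerShell
# on the NPS server. Key and value are the ones from the note; the service
# name 'IAS' (display name "Network Policy Server") is an assumption.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$valueName = 'OVERRIDE_NUMBER_MATCHING_WITH_OTP'
$wanted    = 'False'

# Create the key if the extension install did not leave it there.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Create or overwrite the String (REG_SZ) value.
New-ItemProperty -Path $keyPath -Name $valueName -Value $wanted `
    -PropertyType String -Force | Out-Null

# Read it back and check both the data and the type before restarting anything.
$item = Get-ItemProperty -Path $keyPath -Name $valueName
$kind = (Get-Item -Path $keyPath).GetValueKind($valueName)
if ($item.$valueName -ne $wanted -or $kind -ne 'String') {
    throw "Override not set as expected: value='$($item.$valueName)' kind='$kind'"
}
Write-Host "Override in place: $valueName = $($item.$valueName) ($kind)"

# The note above says the extension picks this up after a reboot; restarting
# the NPS service is the lighter-weight first step to try.
Restart-Service -Name IAS
Get-Service -Name IAS | Select-Object Name, Status
```

If the type check fails, the value was probably created as something other than REG_SZ (a DWORD named the same way will not be honoured), which is the usual reason the override "does not work".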
Disable NPS MFA Extension
- Stop the Network Policy Server Service
- Create a backup of the key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters’
- Remove the values inside this key (DO NOT Remove the Parameters key itself)
- Start the Network Policy Server Service
To Re-Enable the NPS MFA Extension
- Stop the Network Policy Server Service
- Import the backup of the key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters’
- Start the Network Policy Server Service
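The disable and re-enable steps above as two functions, with the backup taken by reg.exe export and the script refusing to delete anything if that backup did not land on disk. This is an added example, not from the original note: the key path is the one given above; the service name IAS and the backup file location are my assumptions. While the values are removed, NPS answers RADIUS requests on primary authentication alone, so keep that window short and run the re-enable as soon as the test is done.

```powershell
# Added example (not from the original note): disable / re-enable the Azure
# MFA NPS extension by clearing and restoring the values under AuthSrv\Parameters.
# Run elevated on the NPS server. Service name 'IAS' (display name "Network
# Policy Server") and the default backup path are assumptions.
$AuthSrvParams = 'HKLM\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'   # reg.exe form
$AuthSrvPSPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'  # provider form

function Disable-NpsMfaExtension {
    param([string]$BackupFile = "$env:ProgramData\AuthSrvParameters-backup.reg")

    Stop-Service -Name IAS

    # Backup first; /y overwrites an existing file. Stop if it fails, because the
    # next step deletes the only copy of the extension registration.
    & reg.exe export $AuthSrvParams $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $BackupFile)) {
        Start-Service -Name IAS
        throw "Registry backup to $BackupFile failed; extension left in place."
    }

    # Remove every value but keep the Parameters key itself.
    $key = Get-Item -Path $AuthSrvPSPath
    foreach ($name in $key.GetValueNames()) {
        # GetValueNames() reports the (Default) value as ''; the provider wants '(default)'.
        $n = if ($name -eq '') { '(default)' } else { $name }
        Remove-ItemProperty -Path $AuthSrvPSPath -Name $n
    }

    Start-Service -Name IAS
    $left = (Get-Item -Path $AuthSrvPSPath).ValueCount
    Write-Host "Extension disabled; values left under Parameters: $left (expect 0)"
}

function Enable-NpsMfaExtension {
    param([string]$BackupFile = "$env:ProgramData\AuthSrvParameters-backup.reg")

    if (-not (Test-Path -Path $BackupFile)) { throw "No backup at $BackupFile" }
    Stop-Service -Name IAS
    & reg.exe import $BackupFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import of $BackupFile failed" }
    Start-Service -Name IAS
    $restored = (Get-Item -Path $AuthSrvPSPath).ValueCount
    Write-Host "Extension re-enabled; values under Parameters: $restored"
}

# Usage: Disable-NpsMfaExtension ; test the RADIUS login ; Enable-NpsMfaExtension
```

The value count printed after each step is the quick check that the right thing happened: zero after disabling, and the same number as before after the import.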
You can always uninstall the NPS Extension for Azure MFA plugin.
Retry the access; this should give you a better reason in the event log, e.g. “The RADIUS request did not match any configured connection request policy (CRP).”
Once this is fixed you can reinstall the plugin and re-authenticate it.
The extension’s own logs are under
- Application and Services Logs -> Microsoft -> AzureMfa -> AuthZ and AuthN
These contain all the 2FA details and will show you everything from challenges being sent to MFA timeouts.
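Pulling both log locations from this note (the Network Policy and Access Services view and the AzureMfa AuthZ/AuthN logs) into one script, so a single run shows the NPS Reason and the extension's view of the same attempt side by side. This is an added example, not from the original note. Event IDs 6273 (access denied) and 6274 (request discarded) are the standard NPS audit events in the Security log; the EventData field names used for the table (FullyQualifiedSubjectUserName, ClientIPAddress, ProxyPolicyName, ReasonCode, Reason) are my assumption, which is why the parser collects every Data element generically rather than relying on positions, and the extension's log names are discovered by wildcard rather than hard-coded.

```powershell
# Added example (not from the original note): show recent NPS rejects/discards
# from the Security log next to recent AzureMfa AuthZ/AuthN extension events.
# Run elevated on the NPS server (the Security log needs admin rights).
# Event IDs 6273/6274 are the standard NPS audit events; EventData field names
# are an assumption and are read generically by name.
param([int]$Last = 20, [int]$Minutes = 60)

$since = (Get-Date).AddMinutes(-$Minutes)

function Get-NpsRejects {
    param([int]$Count, [datetime]$StartTime)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 6273, 6274; StartTime = $StartTime
    } -MaxEvents $Count -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Turn the <Data Name="..."> elements of EventData into a hashtable.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Id     = $e.Id                        # 6273 denied, 6274 discarded
            User   = $data['FullyQualifiedSubjectUserName']
            Client = $data['ClientIPAddress']
            Policy = $data['ProxyPolicyName']
            Reason = "$($data['ReasonCode']) $($data['Reason'])".Trim()
        }
    }
}

function Get-AzureMfaExtensionEvents {
    param([int]$Count, [datetime]$StartTime)
    # Discover the extension's logs instead of hard-coding their names.
    $logs = Get-WinEvent -ListLog 'Microsoft-AzureMfa*' -ErrorAction SilentlyContinue |
            Where-Object { $_.RecordCount -gt 0 }
    foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; StartTime = $StartTime } `
            -MaxEvents $Count -ErrorAction SilentlyContinue |
          ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Log     = $log.LogName
                Id      = $_.Id
                Message = ($_.Message -split "`n")[0]   # first line only, for the table
            }
          }
    }
}

Write-Host "== NPS rejects/discards (Security log, last $Minutes min) =="
Get-NpsRejects -Count $Last -StartTime $since | Format-Table -AutoSize -Wrap

Write-Host "== Azure MFA extension AuthZ/AuthN logs (last $Minutes min) =="
Get-AzureMfaExtensionEvents -Count $Last -StartTime $since |
    Sort-Object Time | Format-Table -AutoSize -Wrap
```

A 6274 in the first table with the "third-party extension DLL" reason and nothing at all in the second table usually means the extension never got as far as talking to the service, which points back at the extension's configuration rather than at the user's MFA method.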