MFA broken when using the latest NPS Azure Extensions on the NPS

Asset 35

Azure MFA for RDS no longer works for Microsoft Authenticator Application after installing latest NPS Azure Extensions

Posted on 30 August 2023 by Beaming Support

Admins that have installed the NPS Azure Extensions, and configured the Microsoft Authentication Application to perform MFA when logging on to the RDS environment, may be encountering an error.

If you now install a new server, or update the original NPS server that was performing the call to Azure for MFA, this function no longer works, and the only way users can log on with MFA is by changing to a telephone call instead.

This is because Microsoft changed the way that the Authenticator Application works and now requires an OTP to be entered. With an RDS log on there is no OTP to enter, and the RDS Gateway immediately rejects the logon.

The user will see:

On the RDS server event logs under Custom Views->ServerRoles->Remote Desktop Server1, there will be event ID 201 logged with the following information:

The user “<DOMAIN>\<USERNAME>”, on client computer “X.X.X.X”, did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: “NTLM” and connection protocol used: “HTTP”. The following error occurred: “23003”.

The RD Gateway Server does not forward the RADIUS request to the MFA NPS, so you will not see any events logged on that server.

The resolution is to disable the need for OTP on the MFA NPS server, where you installed the NPS Azure Extensions:

  1. Open Regedit
  2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa
  4. Value of FALSE
  5. Restart NPS service


About Beaming

We’re Beaming, a specialist internet service provider (ISP) for businesses. We’ve been helping organisations across the UK with fast, reliable, and secure voice and data connectivity, as well as managed services, since 2004.

From the resilient and secure network we’ve built, to the choice of tailormade products all supplied with expert service, we provide peace of mind that businesses require.

We know that your business is unique, so we take the time to get to know you and your specific needs. If you’re looking for a reliable ISP for your business, we’d love to chat.