MFA broken when using the latest NPS Azure Extensions on the NPS


Azure MFA for RDS no longer works for Microsoft Authenticator Application after installing latest NPS Azure Extensions

Posted on 30 August 2023 by Beaming Support

Admins who have installed the NPS Azure Extensions and configured the Microsoft Authenticator app to perform MFA when logging on to the RDS environment may be encountering an error.

If you now install a new server, or update the original NPS server that was performing the call to Azure for MFA, this function no longer works, and the only way users can log on with MFA is by switching their method to a telephone call instead.

This is because Microsoft changed the way the Authenticator app works: it now requires an OTP to be entered. With an RDS logon there is no OTP to enter, so the RD Gateway immediately rejects the logon.

The user will see:

On the RDS server event logs under Custom Views->ServerRoles->Remote Desktop Server1, there will be event ID 201 logged with the following information:

The user “<DOMAIN>\<USERNAME>”, on client computer “X.X.X.X”, did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The authentication method used was: “NTLM” and connection protocol used: “HTTP”. The following error occurred: “23003”.

The RD Gateway Server does not forward the RADIUS request to the MFA NPS, so you will not see any events logged on that server.

The resolution is to disable the need for OTP on the MFA NPS server, where you installed the NPS Azure Extensions:

  1. Open Regedit
  2. Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa
  3. Create a new String Value named OVERRIDE_NUMBER_MATCHING_WITH_OTP
  4. Set its data to FALSE
  5. Restart the NPS service
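The same change scripted in PowerShell, as an added example that is not code from the original post, with a helper to pull the event 201 symptom from the RD Gateway. It assumes the NPS service name is IAS and that event 201 is written to the Microsoft-Windows-TerminalServices-Gateway/Operational log; the registry path and value name are the ones the article gives.

```powershell
# Added example, not from the original post. Run elevated on the MFA NPS server
# where the NPS extension for Azure MFA is installed.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'   # path from the article
$ValueName = 'OVERRIDE_NUMBER_MATCHING_WITH_OTP'   # value name from the article

function Set-MfaOtpOverride {
    param([ValidateSet('TRUE', 'FALSE')][string]$Value = 'FALSE')

    # The AzureMfa key is created by the extension installer. If it is absent,
    # this is probably not the MFA NPS server, so stop rather than create it.
    if (-not (Test-Path $KeyPath)) {
        throw "Registry key $KeyPath not found. Is the NPS extension installed here?"
    }

    # Create the value as REG_SZ (String) if missing, otherwise update it.
    $existing = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType String -Value $Value | Out-Null
        Write-Host "Created $ValueName = $Value"
    } else {
        Write-Host "Existing $ValueName = $($existing.$ValueName); setting to $Value"
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Value
    }

    # The extension reads the key at service start; NPS runs as service 'IAS' (assumption).
    Restart-Service -Name IAS -Force
    (Get-Service -Name IAS).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))

    # Return what is actually stored so the change can be verified or logged.
    return (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
}

# Run this one on the RD Gateway, not on NPS: lists recent CAP failures (event 201)
# so you can confirm the rejections stop after the override is applied.
function Get-RecentGatewayCapFailures {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-Gateway/Operational'  # assumed log name
        Id        = 201
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

Set-MfaOtpOverride -Value 'FALSE'
```

With the value set to FALSE the extension falls back to plain approve/deny push notifications, so users lose the number-matching step that guards against approving a prompt they did not initiate; record that trade-off alongside the change.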


About Beaming

We’re Beaming, a specialist internet service provider (ISP) for businesses. We’ve been helping organisations across the UK with fast, reliable, and secure voice and data connectivity, as well as managed services, since 2004.

From the resilient and secure network we’ve built, to the choice of tailormade products all supplied with expert service, we provide peace of mind that businesses require.

We know that your business is unique, so we take the time to get to know you and your specific needs. If you’re looking for a reliable ISP for your business, we’d love to chat.