Recently I was working with a customer that had been using Microsoft's Azure MFA Server for multi-factor authentication. They were looking at decommissioning the server running it and moving to purely cloud-based Azure MFA. Since Azure MFA can natively integrate with AD FS 4.0 as well as Network Policy Server (NPS) on Windows Server (using a plugin), it looked like a straightforward task.
I configured their existing AD FS deployment and installed the Windows NPS plugin following the instructions available on docs.microsoft.com, and everything seemed to go according to the notes: new certificates for authentication were generated in the local certificate store and the expected entries were created in Azure AD.
However, when it came to testing, authentication would fail on both AD FS and NPS when attempting to request MFA authorisation from Azure.
The AD FS server had the following error message in Windows Event Viewer:
System.Exception: Exception calling SAS. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized.
at Microsoft.IdentityServer.Aad.Sas.HttpClientHelper.PostXml[TRequest,TResponse](String url, TRequest request, Action`1 httpRequestModifier)
at Microsoft.IdentityServer.Adapter.AzureMfa.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
--- End of inner exception stack trace ---
And the NPS server had the following error message:
NPS Extension for Azure MFA: CID: 6da75e38-6bbf-4616-84df-fa65b4c7905c :Exception in Authentication Ext for User Domain\username :: ErrorCode:: CID :6da75e38-6bbf-4616-84df-fa65b4c7905c ESTS_TOKEN_ERROR Msg:: Verify the client certificate is properly enrolled in Azure against your tenant and the server can access URL in Registry STS_URL. Error authenticating to eSTS: ErrorCode:: ESTS_TOKEN_ERROR Msg:: Error in retreiving token details from request handle: -895352831 AADSTS7000112: Application '981f26a1-7f43-403b-a875-f8b09b8cd720'(Azure Multi-Factor Auth Client) is disabled.
After some checks and a little internet searching I found a script (https://gallery.technet.microsoft.com/Azure-MFA-NPS-Extension-648de6bb), kindly made by someone else, that performs a series of checks against the local machine and the tenant. The script suggested there was a problem within Azure Active Directory > Enterprise applications, and in there I found two MFA-related applications, one of which matched the text in the event message:
Azure Multi-factor Auth Client
Azure Multi-factor Auth Connector
Both of these applications had "Enabled for users to sign-in" set to No in their properties; changing this to Yes then allowed both AD FS and NPS to use Azure MFA for the licensed users.
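To check that setting without clicking through the portal, here is a small script I am adding here as an example (it is not the TechNet gallery script mentioned above and not Microsoft's code). It uses the Microsoft Graph PowerShell SDK, which is assumed to be installed, and looks the two applications up by the display names shown above; the "Enabled for users to sign-in" switch in the portal is the service principal's accountEnabled property, which is what AADSTS7000112 complains about.

```powershell
# Added example: report (and optionally re-enable) the Azure MFA enterprise
# applications that must be enabled for AD FS / the NPS extension to get a token.
# Assumes the Microsoft.Graph module and an account allowed to read and,
# with -Fix, update service principals.
param(
    [switch]$Fix   # re-enable any MFA service principal found disabled
)

# Display names exactly as they appear under Enterprise applications.
$mfaAppNames = @(
    'Azure Multi-Factor Auth Client',
    'Azure Multi-Factor Auth Connector'
)

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

foreach ($name in $mfaAppNames) {
    # OData filter; a single quote inside the name would need doubling.
    $filter = "displayName eq '$($name -replace "'", "''")'"
    $sps = Get-MgServicePrincipal -Filter $filter -ErrorAction Stop

    if (-not $sps) {
        Write-Warning "$name : no service principal found in this tenant"
        continue
    }

    foreach ($sp in $sps) {
        # AccountEnabled = $false is what the portal shows as
        # "Enabled for users to sign-in? No" and what produces
        # AADSTS7000112 "Application ... is disabled" in the NPS/AD FS logs.
        $state = if ($sp.AccountEnabled) { 'ENABLED' } else { 'DISABLED' }
        Write-Output ("{0,-36} appId={1} {2}" -f $sp.DisplayName, $sp.AppId, $state)

        if ($Fix -and -not $sp.AccountEnabled) {
            Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$true
            Write-Output ("{0,-36} -> re-enabled" -f $sp.DisplayName)
        }
    }
}
```

Run it without -Fix first to confirm the diagnosis matches the event log before changing anything in the tenant.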
Hope this helps.