Always On VPN and Azure MFA ESTS Token Error

Always On VPN and Azure MFA ESTS Token ErrorConfiguring Multifactor Authentication (MFA) is an excellent way to ensure the highest level of assurance for Always On VPN users. Azure MFA is widely deployed and commonly integrated with Windows Server Network Policy Server (NPS) using the NPS Extension for Azure MFA. Azure MFA has a unique advantage over many other MFA providers in that it supports MFA when using Protected Extensible Authentication Protocol (PEAP). This makes Azure MFA the solution of choice for integrating with Windows 10 Always On VPN deployments using client certificate authentication, a recommended security configuration best practice.

NPS Configuration

Installing and configuring the NPS extension for Azure MFA is straightforward. Configuration guidance from Microsoft can be found here.

Connection Issues

After installing the NPS extension for Azure MFA, administrators may find that Always On VPN connections fail and the user is never challenged for authentication. The connection eventually times out and returns the following error message.

“A connection to the remote computer could not be established, so the port used for this connection was closed.”

Always On VPN and Azure MFA ESTS Token Error

In addition, the Application event log on the Windows 10 client contains an Event ID 20221 from the RasClient source that includes the following error message.

“The user [username] dialed a connection named [connection] which has failed. The error code returned on failure is 0.”

Always On VPN and Azure MFA ESTS Token Error

NPS Event Log

Reviewing the event logs on the NPS server reveals more information. The Security event log contains an Event ID 6274 from the Microsoft Windows security auditing source that includes the following error message.

“Network Policy Server discarded the request for a user. Contact the Network Policy Administrator for more information.”

Always On VPN and Azure MFA ESTS Token Error

ESTS Token Error

Digging deeper in the operational event log on the NPS server, the AuthZAdminCh log (Applications and Services Logs > Microsoft > AzureMfa > AuthZ) contains an Event ID 3 from the AuthZ source indicating an ESTS_TOKEN_ERROR message.

Always On VPN and Azure MFA ESTS Token Error

Troubleshooting ESTS Token Error

Follow the steps below to troubleshoot the ESTS_TOKEN_ERROR.


Ensure that all prerequisites are met. Validate the user is being synced to Azure Active Directory and that it is properly licensed for Azure MFA.


As part of the NPS extension configuration, a certificate is created on the NPS server that is uploaded to Azure Active Directory. To validate the certificate was created and uploaded correctly, follow the troubleshooting guidance found here.

Enterprise Applications

The Azure Multi-Factor Auth Client and the Azure Multi-Factor Auth Connector enterprise applications must be enabled to support the NPS extension for Azure MFA. To confirm they are enabled, open an elevated PowerShell command window on the server where the Azure AD Connector is installed and run the following PowerShell commands.

Import-Module MSOnline

Get-MsolServicePrincipal -AppPrincipalId “981f26a1-7f43-403b-a875-f8b09b8cd720” | Select-Object DisplayName, AccountEnabled

Get-MsolServicePrincipal -AppPrincipalId “1f5530b3-261a-47a9-b357-ded261e17918” | Select-Object DisplayName, AccountEnabled

Always On VPN and Azure MFA ESTS Token Error

If either or both enterprise applications are not enabled, enable them using the following PowerShell commands.

Set-MsolServicePrincipal -AppPrincipalId “981f26a1-7f43-403b-a875-f8b09b8cd720” -AccountEnabled $True

Set-MsolServicePrincipal -AppPrincipalId “1f5530b3-261a-47a9-b357-ded261e17918” -AccountEnabled $True

Once complete, restart the IAS service on the NPS server using the following PowerShell command.

Restart-Service IAS -PassThru

Additional Information

Windows 10 Always On VPN Network Policy Server (NPS) Load Balancing Strategies

Deploy Windows 10 Always On VPN with Microsoft Intune

Windows 10 Always On VPN Hands-On Training Classes Now Available

Leave a comment


  1. It took me a long time get my head around MFA as the documentation is a little sparse. Rather than go down the route of using the MFA extension for NPS which is a on/off scenario (depending on MFA enrolment by the user), I ended up using Conditional Access with MFA for more flexibility, which allowed me to specify more granular requirements when asking for MFA authentication. However, doing this means I had to use the AAD certificate CA and issue sort-lived certificates from Azure AD and not the Internal CA issued certificates. Apart from that – and when when working, I have to say that the MFA functionality works very well.

    • Using Azure conditional access is an excellent alternative to just using the NPS extension. The NPS extension for Azure MFA is certainly easy to configure and it works well, but you’re right, using AAD and conditional access does provide more granularity for sure. 🙂

  2. Nate

     /  July 9, 2019

    I spent a day troubleshooting this stupid thing. Opened a ticket with MS support and they sent links to the documentation which I had already read multiple times thinking I’d missed something. Turns out both enterprise apps were disabled and this article was what actually helped. Thanks, Richard!
    While I’m writing, any thoughts on cert management for this? I’d like to use our internal CA so we can at least monitor the expiration date, but I’m not finding any guidance on configuring the template. Even then it still has to be uploaded to Azure. Just trying to come up with a way to make this manageable, otherwise it’ll be a reminder two years from now on a team calendar. :/


    • Glad the post was helpful! 🙂 The Microsoft guidance here only states the syntax of the subject name. It doesn’t indicate what EKUs are required unfortunately. However, if you look at the configuration of the existing self-signed certificate that will give you an idea of what’s required.

  3. Simon Brunner

     /  July 10, 2019

    Hi Richard
    we have an on Prem Installation of Always on VPN with User Tunnel in place. We decided to implement Azure MFA with NPS Extension. With one user the Setup is working great. With another user the Always on tunnel is working once and never again (until reboot). A third user was never able to establish a Connection (no mfa popup arrived). Any Idea?

    • Unusual for sure. If it is working for one user it should work for all users. I would suspect perhaps an issue with their Azure AD account perhaps? Are the users in question licensed for Azure MFA?

      • Mike M

         /  August 1, 2019

        Hello, I am experiencing the same issue with our setup. Always on VPN was working perfectly until we implemented the MFA extension. Once MFA was turned on users would get the approval on their phone. Sometimes it would finish the connection but it fails enough to where we cant go to production with it. When it fails we generally don’t see the approval pop up on the phone to accept. Any ideas to where to look?

      • Not sure about this one. I would suggest making sure your RADIUS timeout is set to at least 60 seconds, but if users aren’t receiving the notification from Azure, you’ll have to start investigating there.

  4. Lee Humphreys

     /  January 29, 2020

    Hi Richard,

    My Always On VPN POC is now up and running, and after some initial hurdles seams relatively stable (deployed both Device Tunnel and User Tunnel with PEAP & User Certs).

    The next step for the POC is to secure the User Tunnel with MFA. I’m aware that we can do this via Azure MFA with the NPS Extension, or using Conditional Access. My preference would be the CA route as it provides more flexibility, however I can’t find anything in the Microsoft documentation that explains how the enforcement is actually done. It appears from the documentation that this is only a Client side config – meaning that in theory you could create a VPN Profile that does not include the CA piece and it would happily connect – therefore bypassing CA?

    The Azure MFA NPS Extension is more clear – every request to the NPS Server after it is enabled must pass MFA or it will fail to connect (which I like and is where we want to get to).

    With the CA option, is there something that can be enforced Server side to ensure that all Clients must satisfy CA?

    I hope that makes sense.


    • I’m not certain that’s the case. If you have a CA policy configured for a user and this specific app (VPN) then I think they will be MFA’d according to your policy. I don’t believe that can be bypassed with a different client configuration. I could be wrong of course, but that’s my understanding today at least. 🙂

      You’re right, using the Azure MFA NPS extension is a more positive way to enforce MFA, and it will require it for anyone who connects and for every login. However, this can be tiresome for end users so you have to consider the experience when you choose between the extension and Conditional Access.

      • Lee Humphreys

         /  January 30, 2020

        I guess that’s something to test in my POC then – setup with CA, and then create a Profile without the entry for true, and see if it lets me connect without CA 🙂

      • You certainly have to include configuration details in ProfileXML to support authentication, so you might find that you get prompted for MFA, but if your profile isn’t configured to use a different certificate for authenticating to internal resources you might be able to connect, but won’t have access to internal resources.

  5. Lee Humphreys

     /  January 30, 2020

    Not sure that formatted correctly 🙂 “true”

  6. Matt Klein

     /  March 18, 2020

    We have Always On VPN working with Azure MFA – however because of EAP protocol it looks like it only works with MS Authenticator or Phone call (not PIN code responses –

    Am I missing something or does this not work with SMS code MFA from Azure MFA ??

    • That’s correct. If you are using EAP authentication (recommended) then your only options for Azure MFA are push notification via the Authenticator app or phone call. No support for SMS in this scenario.

  7. Rizmi

     /  June 24, 2020

    Hi Richard, I used to go through all your step by step, concepts and troubleshooting on NPS extension deployment and integrating Azure MFA for Always ON VPN. I am struck in a place where I have specified PAP authentication method (assuming PAP will support phone call, one-way text message, mobile app notification, and mobile app verification code). But, in Windows 10 I do not find a prompt in UX to input Text and Verification Code. Please advise whether I am on right page and if so, help me on this regard.

  8. Arthur

     /  October 5, 2020

    hello Richard,
    is it possible to integrate Always on VPN with Azure MFA Server (onPrem) (not Azure MFA – cloud one)? Azure MFA Server (onPrem) can do the job of NPS Servers as RADIUS Server?

    • I believe so, but I’m not certain. It’s not something I’ve tested or implemented myself. Be advised that Microsoft no longer recommends using the on-premises MFA server. Using the NPS plug-in is really simple and works quite well.

  1. Integrating Azure MFA with All the time On VPN for higher safety

Leave a Reply

Discover more from Richard M. Hicks Consulting, Inc.

Subscribe now to keep reading and get access to the full archive.

Continue reading