Configuring Multifactor Authentication (MFA) is an excellent way to ensure the highest level of assurance for Always On VPN users. Azure MFA is widely deployed and commonly integrated with Windows Server Network Policy Server (NPS) using the NPS Extension for Azure MFA. Azure MFA has a unique advantage over many other MFA providers in that it supports MFA when using Protected Extensible Authentication Protocol (PEAP). This makes Azure MFA the solution of choice for integrating with Windows 10 Always On VPN deployments using client certificate authentication, a recommended security configuration best practice.
NPS Configuration
Installing and configuring the NPS extension for Azure MFA is straightforward. Configuration guidance from Microsoft can be found here.
Connection Issues
After installing the NPS extension for Azure MFA, administrators may find that Always On VPN connections fail and the user is never challenged for authentication. The connection eventually times out and returns the following error message.
“A connection to the remote computer could not be established, so the port used for this connection was closed.”
In addition, the Application event log on the Windows 10 client contains an Event ID 20221 from the RasClient source that includes the following error message.
“The user [username] dialed a connection named [connection] which has failed. The error code returned on failure is 0.”
NPS Event Log
Reviewing the event logs on the NPS server reveals more information. The Security event log contains an Event ID 6274 from the Microsoft Windows security auditing source that includes the following error message.
“Network Policy Server discarded the request for a user. Contact the Network Policy Administrator for more information.”
ESTS Token Error
Digging deeper in the operational event log on the NPS server, the AuthZAdminCh log (Applications and Services Logs > Microsoft > AzureMfa > AuthZ) contains an Event ID 3 from the AuthZ source indicating an ESTS_TOKEN_ERROR message.
Troubleshooting ESTS Token Error
Follow the steps below to troubleshoot the ESTS_TOKEN_ERROR.
Prerequisites
Ensure that all prerequisites are met. Validate the user is being synced to Azure Active Directory and that it is properly licensed for Azure MFA.
Certificates
As part of the NPS extension configuration, a certificate is created on the NPS server that is uploaded to Azure Active Directory. To validate the certificate was created and uploaded correctly, follow the troubleshooting guidance found here.
Enterprise Applications
The Azure Multi-Factor Auth Client and the Azure Multi-Factor Auth Connector enterprise applications must be enabled to support the NPS extension for Azure MFA. To confirm they are enabled, open an elevated PowerShell command window on the server where the Azure AD Connector is installed and run the following PowerShell commands.
Import-Module MSOnline
Connect-MsolService
Get-MsolServicePrincipal -AppPrincipalId “981f26a1-7f43-403b-a875-f8b09b8cd720” | Select-Object DisplayName, AccountEnabled
Get-MsolServicePrincipal -AppPrincipalId “1f5530b3-261a-47a9-b357-ded261e17918” | Select-Object DisplayName, AccountEnabled
If either or both enterprise applications are not enabled, enable them using the following PowerShell commands.
Set-MsolServicePrincipal -AppPrincipalId “981f26a1-7f43-403b-a875-f8b09b8cd720” -AccountEnabled $True
Set-MsolServicePrincipal -AppPrincipalId “1f5530b3-261a-47a9-b357-ded261e17918” -AccountEnabled $True
Once complete, restart the IAS service on the NPS server using the following PowerShell command.
Restart-Service IAS -PassThru
Additional Information
Windows 10 Always On VPN Network Policy Server (NPS) Load Balancing Strategies
Deploy Windows 10 Always On VPN with Microsoft Intune
Windows 10 Always On VPN Hands-On Training Classes Now Available
I’m pleased to announce I will be delivering Windows 10 Always On VPN hands-on training classes in various locations around the U.S. this year. As Microsoft continues to move away from DirectAccess in favor of Windows 10 Always On VPN, many organizations now must come up to speed on this new technology. Spoiler alert…it’s not trivial to implement! There’s lots of moving parts, critical infrastructure dependencies, and many configuration options to choose from. Additionally, Windows 10 Always On VPN is managed in a completely different way than DirectAccess, which is sure to present its own unique challenges.
DirectAccess can be configured to enforce strong user authentication using smart cards or one-time passwords (OTP). This provides the highest level of assurance for remote users connecting to the internal network via DirectAccess. OTP solutions are commonly used because they require less administration and are more cost effective than typical smart card implementations. Most OTP solutions will integrate with DirectAccess as long as they support Remote Access Dial-In User Service (RADIUS).
