RD Gateway (RDS) with NPS and MFA extension

A quick overview of how the RD Gateway works with the NPS server to handle authentication and authorization for RDP users. Please let me know if you have any questions and I would be glad to help.
nathar@microsoft.com
Here's the article I mention in the video:
docs.microsoft.com/en-us/azur...

Comments: 53

  • @CarlosBuitrago79 · 2 years ago

    Excellent! A thousand thanks for such a clear and easy-to-understand explanation!

  • @michaelhall982 · 3 years ago

    Wow, really good video. Thanks!

  • @justindawson55 · 2 years ago

    Brilliant explanation and not just click here and there. Thank you.

  • @recepozturk89 · 3 years ago

    Really good, thank you for your time!!!

  • @nate.harris · 2 years ago

    My pleasure!

  • @suradjbajaj718 · 1 year ago

    Hi Nate, do you have a step-by-step video/doc on how to configure MFA with AAD credentials?

  • @leeross7896 · 3 years ago

    Nate Harris for President, Nate Harris is GOD! Thanks for this and the other 2 nps / azure mfa videos!

  • @nate.harris · 3 years ago

    President, OK I'll take the job, but GOD? Too much responsibility! But I'm glad they helped.

  • @cazmaj · 1 year ago

    Thank you very much :)

  • @yibambe148 · 1 year ago

    Hello Nate, in your example did you use two different servers (One Remote Desktop Gateway Server and One NPS Server), or are all the RDG + NPS + MFA Extension Roles on a single Server?

  • @nate.harris · 1 year ago

    Two servers; you don't want to install the MFA Extension onto the RDS server, as it will cause issues with RADIUS traffic.

  • @yibambe148 · 1 year ago

    @@nate.harris Thanks Nate, I'm going to review the settings. I used the Microsoft doc and created two servers, an RDG server and an NPS server. But for some reason I am not getting the second authentication factor notification. I used the troubleshooting PowerShell script but didn't find any errors. Do you have any other docs explaining installing RDG and NPS?

  • @nate.harris · 1 year ago

    @@yibambe148 Check out my NPS Basics Troubleshooting video on how to take the MFA Extension out of the equation and confirm RADIUS routing. Before you do that though, go into the Event Log, under Microsoft services, Azure MFA and look in those logs for entries to see if you see failures there.

  • @yibambe148 · 1 year ago

    @@nate.harris OK, I will do this.

  • @user-tz5mi7pf5p · 1 year ago

    Hi Nate, do you have a good document for doing the full setup? Is it possible to use the local NPS (in the RDS) or do I need to set up a central NPS on a different server?

  • @Navin.R.Johnson · 1 year ago

    You have to use another NPS server with the MFA extension to get this working.

  • @jonathanmendivel5241 · 2 months ago

    @@Navin.R.Johnson

  • @stevedavies3872 · 2 years ago

    Excellent explanation! I'm wondering if it's possible to use the MFA extension with NPS in an AD domain that we have NOT federated or synced with our AAD domain? (We prefer to manage Exchange Online in the cloud and so have not connected the two.) However, we'd like to use MFA with RDS...

  • @nate.harris · 2 years ago

    The important thing to remember here is that the NPS service is only AD aware in as much as it needs to know where to send a request. That is to say that when a request comes to it then it will ask the OS for a DC (DCLocator). This means that you can manage where the auth requests are sent once they arrive at the NPS server through some manipulation if needed. So if the request comes in as CloudDomain\Username, with some RegEx you can modify that username to become YourADDomain\Username and then the NPS server will ask the DCLocator for a DC for YourADDomain\. This would be done in the Connection Request Policy under Settings, "Specify a Realm Name". Create a new Attribute Manipulation Rule and you can use some simple RegEx to look for the \ and then modify the username. So if you enter (.*)\\(.*) in the Find field and then YourADDomain\$2 in the Replace with field, it will look for the backslash \ in all incoming requests and when it finds it, it will replace the first variable ($1) which is the Domain name with YourADDomain and append \ and the second variable ($2) which is the Username. Let me know if this helps. There is also a very good article on RegEx that can help: docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-crp-reg-expressions. Also if this is something many people want, let me know and I'll make a video showing it in action on an NPS server.
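
The rewrite Nate describes, worked through in Python as an added example (this is not code from the video or from Microsoft's docs). The Find and Replace strings are exactly the ones in the comment; "CloudDomain" and "YourADDomain" are placeholder names. Two things are assumed here: that NPS applies the rule as a regex replace over the whole User-Name value, which is how the attribute manipulation docs describe it, and that NPS's `$1`/`$2` back-references (the .NET syntax) must be translated to Python's `\1`/`\2`, since the two regex engines differ on that point. The example also shows two cases the comment does not mention: a User-Name with no backslash (a bare name or a UPN like jdoe@cloud.example) passes through untouched, and a value containing more than one backslash is matched greedily, so only the last segment survives.

```python
import re

# Placeholder domain names from the comment above; not real domains.
CLOUD_DOMAIN = "CloudDomain"
AD_DOMAIN = "YourADDomain"

# The rule exactly as it would be typed into the NPS Connection Request Policy
# "Specify a Realm Name" dialog: the Find pattern and the Replace-with string.
NPS_FIND = r"(.*)\\(.*)"
NPS_REPLACE = AD_DOMAIN + r"\$2"


def nps_replacement_to_python(replace: str) -> str:
    """Translate an NPS/.NET replacement string to Python re.sub syntax.

    NPS writes group back-references as $1, $2, ...; Python's re.sub wants
    \\1, \\2, ... and needs a literal backslash doubled.
    """
    literal_escaped = replace.replace("\\", "\\\\")
    return re.sub(r"\$(\d+)", r"\\\1", literal_escaped)


def apply_rule(user_name: str, find: str, replace: str) -> str:
    """Apply one attribute manipulation rule to the User-Name attribute.

    If the Find pattern does not match, the attribute is left untouched
    (assumed to mirror NPS: a non-matching rule is a no-op).
    """
    if re.search(find, user_name) is None:
        return user_name
    return re.sub(find, nps_replacement_to_python(replace), user_name)


def rewrite_user_name(user_name: str, rules=((NPS_FIND, NPS_REPLACE),)) -> str:
    """Run an ordered rule list the way a CRP would, first rule to last."""
    for find, replace in rules:
        user_name = apply_rule(user_name, find, replace)
    return user_name


if __name__ == "__main__":
    # Constructed sample User-Name values as they might arrive in Access-Requests.
    samples = (
        CLOUD_DOMAIN + "\\jdoe",          # the case the comment describes
        "jdoe",                           # no backslash: untouched
        "jdoe@cloud.example",             # UPN form: untouched by this rule
        CLOUD_DOMAIN + "\\sub\\jdoe",     # greedy match keeps only "jdoe"
    )
    for name in samples:
        print(f"{name!r:32} -> {rewrite_user_name(name)!r}")
```

Because the rule only fires on a backslash, users who log in with a UPN are not rewritten by it; if that form needs to be mapped as well, it needs its own rule, and the rules are applied in the order they are listed in the CRP.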

  • @stevedavies3872 · 2 years ago

    @@nate.harris Wow, thank you for your time and this explanation! I'm sure I can manage the RegEx replacement. I will want to set up a test case that won't affect my current users, so I imagine I'll need to get the MFA extension added, create a test user that is enabled for MFA and set a condition on that user account. Am I on the right path here?

  • @nate.harris · 2 years ago

    @@stevedavies3872 One thing to note, when you install the MFA Extension onto an NPS server, it's an all-or-nothing thing. Meaning every request that comes to the NPS server will have MFA attempted on it. There is no workaround for that on a given NPS server. You would need another NPS server to work around it. Another thing that you need to consider is what will be used to match the accounts. Normally the UPN is used, meaning the NPS server performs Primary auth to the domain, then it, by default, asks for the UPN of that account and sends that to Azure asking Azure to perform MFA for that UPN. If that UPN does not match then this will fail. You can use email as a matching attribute, and the docs say you can use others, but the truth is only UPN and Email will work.

  • @stevedavies3872 · 2 years ago

    @@nate.harris Thanks again! That sounds problematic; like there's really no way to test this. I was planning on using the mail attribute instead of UPN and I was thinking that the CAP limiting MFA to members of a group would exclude my existing users. But if not, I better backtrack and uninstall the MFA extension, which I haven't configured yet...

  • @nate.harris · 2 years ago

    @@stevedavies3872 You don't need that specific NPS server, in fact I recommend a test NPS server be used anytime you are going to be testing policies. Just install the NPS service on another server and test against it. My initial NPS Basics video shows how to use the ntRadPing tool to initiate a RADIUS request to any RADIUS server you want. Use that as the tool to create the RADIUS requests and then you can test all you want in a sandbox. Once the rules work the way you want then recreate them on your production machine, however this doesn't resolve the MFA for all requests issue. One thing you might do is add an NPS server to your production to proxy requests, or, add a CRP to the existing NPS server to proxy requests to another NPS server and have MFA on that other server. There are lots of ways to skin this cat.

  • @olivermartin2670 · 6 months ago

    Question. We have Office 365 E3 + Entra ID P1, do we need any other license?

  • @nobody4887 · 2 years ago

    Simple on-screen approvals can be griefed. Unfortunately, target RDS users will get brute-forced with approval notices on their devices. Is there a way for NPS to force OTP passcodes instead of the on-screen approval?

  • @nate.harris · 2 years ago

    The problem is twofold: first, the RDS client has no way to handle the request for the OTP. Second, even if it did, the RDS Gateway will ignore the "Access-Challenge" that the NPS server will send back requesting the OTP.

  • @scottybrown5184 · 2 years ago

    All your videos are awesome! Do you know why most KBs say to have two connection request policies (to/from MFA and to/from RDG) in NPS on both servers? It works without them like how you have it configured, but I can't find any good answer on why those additional CRPs are "recommended".

  • @nate.harris · 2 years ago

    Thanks! I believe those docs were actually written with the Azure MFA server (formerly Phonefactor) in mind. The Azure MFA server (Phonefactor) supports RADIUS requests, but it cannot perform any authentication, it's really just a RADIUS proxy. But if you send the request to it, it then sends the primary authentication request to another RADIUS server (NPS server) and if that then comes back as an Access Accept, it will then perform MFA for the user. All the docs I found were written prior to the creation of the NPS MFA Extension.

  • @scottybrown5184 · 2 years ago

    @@nate.harris Gotcha, thanks for the explanation!

  • @supajo · 1 year ago

    Hi Nate, in the latest update of the MFA Extension Microsoft states that TOTP is supported by the extension, but I really was not able to get this running. Do you have any advice on this?

  • @Navin.R.Johnson · 1 year ago

    I believe it's an update to the RDP client, as the limitation wasn't with NPS and the MFA extension.

  • @WickedJ80 · 5 months ago

    Good evening Nate, do we need to disable the network policy RD_Cap on the RD Gateway server and just have it on the NPS server?

  • @nate.harris · 5 months ago

    That is the policy that the RD Gateway uses to manage the local NPS instance. All that is needed on the RDS NPS instance is the Connection Request Policy that forwards requests to the backend NPS server with the MFA extension. So you can leave it.

  • @WickedJ80 · 5 months ago

    @@nate.harris Hello again Nate, I have been through your videos and they are excellent. Would you be able to shed some light on my install, as Microsoft have been of no help as yet? I have followed all your steps but we don't get prompted for any MFA; it just immediately fails. Should there be a connection request policy set up on the NPS server or just on the RDS NPS server? We have set up a conditional access policy; does the user we are testing with need to have full Office 365 licenses or can I assign a P1 license for testing? Thank you for all the work in these videos.

  • @nate.harris · 5 months ago

    @@WickedJ80 You'll need at least 1 P2 license, I believe. As for it failing immediately, that leads me to believe that primary authentication is failing. What I would do is remove the DLL paths from the registry, restart NPS and that should get the MFA extension out of the mix, then try again. If it still fails then most likely a rule is wrong or the shared secret is wrong causing primary auth to fail. See my NPS basics troubleshooting video as it has the keys to backup and then delete, I can't remember them off the top of my head. If all that fails send me an email and I will work with you on the side. But remember, I haven't actively supported NPS/MFA in 3 yrs, and RDS was a PITA back then, so lower your expectations!
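
Two of the failure modes Nate points at in this thread, a wrong shared secret here and the RD Gateway ignoring an Access-Challenge in his earlier reply to @nobody4887, modelled in Python as an added example (not from the video and not NPS code). The packet codes, attribute types and the Response Authenticator formula are the standard ones from RFC 2865; the `proxy_outcome` decision function is a simplified stand-in for the behaviour the comments describe, and the shared secrets, the request authenticator and the attribute values are constructed for the example. The troubleshooting point it demonstrates: a backend reply built with a different secret fails authenticator verification and is dropped silently by the proxy, which from the client side looks just like an authentication failure, so the secret is worth ruling out before the MFA extension is blamed.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types from RFC 2865 (standard values).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
REPLY_MESSAGE, STATE = 18, 24

# Outcomes of the simplified proxy model below (names chosen for this example).
OUTCOME_ACCEPT = "accept"
OUTCOME_REJECT = "reject"
OUTCOME_CHALLENGE_IGNORED = "challenge ignored (no OTP prompt can reach the RDP client)"
OUTCOME_DISCARDED = "discarded (Response Authenticator mismatch: check the shared secret)"


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_response(code: int, ident: int, request_authenticator: bytes,
                   attributes: bytes, secret: bytes) -> bytes:
    """Build a RADIUS response the way the backend NPS server would.

    RFC 2865 section 3: ResponseAuth =
        MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    """
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator with the proxy's copy of the secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def proxy_outcome(packet: bytes, request_authenticator: bytes, secret: bytes) -> str:
    """Model of what the RD Gateway's proxying NPS instance does with a reply.

    Simplified stand-in for the behaviour described in the comments, not NPS
    code: a reply whose authenticator does not verify is silently dropped (as
    RFC 2865 requires), Accept and Reject are relayed, and an Access-Challenge
    has no way to reach the RDP client, so it is ignored.
    """
    if not verify_response(packet, request_authenticator, secret):
        return OUTCOME_DISCARDED
    code = packet[0]
    if code == ACCESS_ACCEPT:
        return OUTCOME_ACCEPT
    if code == ACCESS_REJECT:
        return OUTCOME_REJECT
    if code == ACCESS_CHALLENGE:
        return OUTCOME_CHALLENGE_IGNORED
    return OUTCOME_DISCARDED


# Constructed sample values: a fixed request authenticator (normally 16 random
# bytes chosen by the proxy per request) and placeholder shared secrets.
REQUEST_AUTH = bytes(range(16))
BACKEND_SECRET = b"constructed-shared-secret"
WRONG_SECRET = b"constructed-shared-secret-typo"


def walk_through() -> dict:
    """Run the three scenarios from the comments and return their outcomes."""
    accept = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, b"", BACKEND_SECRET)
    challenge = build_response(
        ACCESS_CHALLENGE, 7, REQUEST_AUTH,
        attribute(STATE, b"constructed-state") + attribute(REPLY_MESSAGE, b"Enter your OTP"),
        BACKEND_SECRET,
    )
    return {
        "secrets match": proxy_outcome(accept, REQUEST_AUTH, BACKEND_SECRET),
        "secrets differ": proxy_outcome(accept, REQUEST_AUTH, WRONG_SECRET),
        "otp challenge": proxy_outcome(challenge, REQUEST_AUTH, BACKEND_SECRET),
    }


if __name__ == "__main__":
    for scenario, outcome in walk_through().items():
        print(f"{scenario:15}: {outcome}")
```

The "secrets differ" case is the one to keep in mind when a test "just fails": the backend may well have accepted the user, but its reply never makes it past the proxy's authenticator check.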

  • @GurkoKurdo · 7 days ago

    Is it possible that the attempts do not get applied via conditional access? When I enforce conditional access and add an excluded address, and perform NPS auth on a gateway, it doesn't get applied.

  • @harrisfamily3835 · 7 days ago

    This form of authentication does not use conditional access policies, as it is not Modern Auth.

  • @MrIvsemenyuk · 2 years ago

    Hi. My NPS server is configured for VPN connections. If I install the NPS extension to configure MFA for RD gateways, does it mean my VPN configuration will stop working? Because now I do not use MFA for VPN, only for RD gateways. Thank you!

  • @nate.harris · 2 years ago

    When you install the MFA extension onto an NPS server then ALL requests to that NPS server will attempt to perform MFA once primary authentication has been completed. So if you have some traffic that needs MFA and other traffic that doesn't you will want to add the NPS role to another server in your environment and send those requests to the other server. Hope this helps, let me know if you have any other questions.

  • @MrIvsemenyuk · 2 years ago

    @@nate.harris If NPS is on another server, should I register NPS in AD? Will I get a conflict with the current NPS?

  • @nate.harris · 2 years ago

    @@MrIvsemenyuk Yes, go ahead and register the NPS server in AD. All that really does is add the server to the RAS and IAS Servers group in AD giving it some rights to do lookups. So you won't have any conflicts registering the new server.

  • @MrIvsemenyuk · 2 years ago

    @@nate.harris Thanks for the answer. So, everything is configured. When I try to connect to the RD Gateway, I enter login\pwd, confirm sign-in in my Microsoft Authenticator and nothing happens. A minute later, Microsoft Authenticator requires approval again and it goes around.

  • @nate.harris · 2 years ago

    @@MrIvsemenyuk My first guess is that the timer setting on the RDS server's NPS instance for the remote RADIUS server group is too short. Open NPS on the RDS server, open the properties of the remote RADIUS server group, open the entry for the NPS/MFA server and confirm the timeout settings on the Load Balancing tab are 60, 5 and 60.

  • @leesonnsmith3538 · 26 days ago

    Once NPS and the RDG is all setup, how do you turn it off or disable the feature to RDP without 2FA?

  • @nate.harris · 25 days ago

    Watch my video on NPS troubleshooting and focus on the section about how to remove MFA from the troubleshooting equation. It involves backing up and deleting a couple reg keys and restarting NPS to get it to start without loading the MFA DLLs.

  • @olwig420 · 8 months ago

    Been at this for days...can't get it to work.

  • @kiroskrimsli7291 · 1 year ago

    Dude I felt that sigh in my bones :D fucking MS

  • @GurkoKurdo · 6 months ago

    You said that it's good practice to separate NPS and the gateway, but in this video they are on the same server??

  • @nate.harris · 6 months ago

    The RD Gateway has its own NPS service installed on it, but it's really only acting as a RADIUS proxy. If you tried to install the MFA Extension on the RD Gateway it would mess up that RADIUS traffic being proxied to the backend NPS with the MFA extension.

  • @GurkoKurdo · 6 months ago

    Thanks @@nate.harris

  • @gacpac · 3 years ago

    Nice video! In fact I have a good question, just sent you an email.