DirectAccess with Windows Azure Multi-Factor Authentication Server

Hi,
We're having some troubles implementing OTP functionality for our DirectAccess solution. We have a DA server with dual NICs (one internal and one external) behind a firewall. We are successfully running it with Windows 7 computers using certificates issued by our own CA. Everything works fine (e.g. 6to4, Teredo and IP-HTTPS) and computers connect instantaneously.
Then we decided to try to implement OTP functionality using Azure MFA. We have downloaded the on-premises installation and configured a server with a couple of trial users synced from our Active Directory. It works flawlessly when using the portal and the built-in tests on the MFA. We receive the text messages promptly and are granted access.
However when we tried to connect it to our DA-server things got weird.
First of all our DA server refuses to recognize our Issuing CA even though it is domain joined and published in our Active Directory. It worked the first time we went through the wizard, but ever since it just keeps saying that "no CA servers can be detected". We ended up doing it the PowerShell way and the Operations status shows no error. When we added the Issuing CA and the RADIUS server (our MFA server) as Infrastructure Servers we got an error message saying that "One or more IP addresses of management server cannot be added because they are associated with the web probe URL" (which they aren't).
We went ahead and started testing the OTP functionality, assuming this was some strange bug as well, following the closest thing to a requirement specification we could find from MS regarding the certificates required. We tested both with a Windows 8.1 Ent client and a couple of Windows 7 Ent clients, but none of them are getting any password prompts. We can see with Wireshark and in the logs that the DAProbeUser can communicate between the DA and the MFA. If we try to access the DaOTP IIS site we get a certificate error. The IIS certificate is issued from the same trusted Root CA as the client certificate and all certificates are valid. The CRLs are accessible both externally and internally.
We are looking through the local computers' OtpCredentialProvider logs, but for the Windows 8.1 ones they are only saying Error 10001 (unable to send authentication information to daservername.domain.com, error 12175). And for the Windows 7 clients we are getting Error 10003 (either the private key cannot be generated or the user cannot access the certificate template on the DC, which we verified that we can, using the infrastructure tunnel only). No other IPv4 traffic seems to be communicated between the two servers according to Wireshark.
We have also tried using our SafeNet on-prem RADIUS solution, but no traffic seems to get sent to that server either.
So TL;DR:
- Can anyone provide the precise certificate requirements for setting up DA OTP?
- Are there any good tools for troubleshooting DA OTP-functionality? 

Hello Benoit,
Thank you for your reply. If we understood your blog post correctly then we are supposed to be able to access https://daserver.domain.com/DAOTPvirtualdirectory/DAOTPAuth.dll and not get a 403.7 error page, even if the back-end RADIUS isn't fully functional yet?
The DA server has the OTP signing certificate (confirmed this on the issuing CA and in the server's computer certificate store); it renews this certificate once per day (as per the guide for the templates on http://technet.microsoft.com/en-us/library/hh831715.aspx).
We're not seeing any errors on the AD CS server, no requests, no rejections (for the client certificates), but this could be due to the settings followed for the client template on the TechNet guide (Do not store certificates and requests in the CA database)?
What do you mean with "IF OTP signing certificate is not present on client-side, OTP authentication cannot work"? The signing certificate should be on the server side, or are we mistaken?
Also, according to http://msdn.microsoft.com/en-us/library/hh536654.aspx it is stated:
"2. The administrator establishes one or more implementation-specific CA servers"
But other guides specifically mention that you can use your current CA environment and that you’re not required to install a dedicated CA for this particular task. 
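The two posts above boil down to a checklist: is OTP actually enabled on the DA server, which CA, templates and RADIUS server does it reference, are the CA and RADIUS server reachable as management servers, does the OTP signing certificate chain and revocation-check cleanly, what does the DAOTPAuth.dll endpoint answer, and what do the client-side OtpCredentialProvider events say. The script below is an added example that walks that checklist; it is not code from the thread, from Benoit's blog post or from Microsoft. It assumes the RemoteAccess cmdlets it calls (Get-DAOtpAuthentication, Get-RemoteAccessRadius, Get-DAMgmtServer, Get-RemoteAccessHealth) and the DirectAccess client cmdlet Get-DAConnectionStatus are available, that the event channel is named Microsoft-Windows-OtpCredentialProvider/Operational, and that the server name, virtual directory name and the 10001/10003 event ids are the ones quoted in the posts; it prints objects whole so that no property names have to be guessed.

```powershell
<#
  Added example: DirectAccess OTP prerequisite check (server side by default,
  -ClientSide on a DA client). Not code from the thread or from Microsoft.
  Assumptions: run elevated; $DaServerFqdn and the virtual directory name are
  placeholders shaped like the URL quoted in the thread; cmdlet and log channel
  names are as stated in the lead-in.
#>
param(
    [string]$DaServerFqdn = 'daserver.domain.com',   # placeholder, replace with the real DA FQDN
    [string]$OtpVirtualDir = 'DAOTPvirtualdirectory', # placeholder from the thread's URL
    [switch]$ClientSide
)
$OtpUrl = "https://$DaServerFqdn/$OtpVirtualDir/DAOTPAuth.dll"

if (-not $ClientSide) {
    Import-Module RemoteAccess -ErrorAction Stop

    # 1. OTP settings as the DA server sees them: status, CA server, templates, RADIUS server.
    Write-Host '== DA OTP configuration =='
    Get-DAOtpAuthentication | Format-List *

    # 2. RADIUS servers registered for the OTP purpose; the MFA (or SafeNet) server should be here.
    Write-Host '== RADIUS servers registered for OTP =='
    Get-RemoteAccessRadius -Purpose Otp | Format-Table -AutoSize

    # 3. Management servers: the issuing CA and the OTP RADIUS server are reached through the
    #    infrastructure tunnel, so they must appear in this list (the thread's "web probe URL"
    #    error means they were rejected here).
    Write-Host '== Management servers =='
    Get-DAMgmtServer -Type All | Format-Table -AutoSize

    # 4. Health: any component that is not OK is the place to start.
    Write-Host '== Remote Access health (components not OK) =='
    Get-RemoteAccessHealth | Where-Object { $_.HealthState -ne 'OK' } | Format-Table -AutoSize

    # 5. Every certificate in the computer store is chain-built with an ONLINE revocation check,
    #    so a CRL that is published but not reachable from the DA server shows up as a status
    #    such as RevocationStatusUnknown rather than as a silent failure later.
    Write-Host '== Computer certificates: chain + online CRL check =='
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $ok = $chain.Build($cert)
        $status = if ($ok) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }
        '{0,-50} expires {1:yyyy-MM-dd}  chain: {2}' -f $cert.Subject, $cert.NotAfter, $status
    }

    # 6. Probe the OTP endpoint without a client certificate and report what IIS answers.
    #    403.7 is IIS's "client certificate required" substatus; it appears in the error body.
    Write-Host "== Probe $OtpUrl =="
    try {
        $resp = Invoke-WebRequest -Uri $OtpUrl -UseBasicParsing
        "HTTP $($resp.StatusCode)"
    } catch [System.Net.WebException] {
        $r = $_.Exception.Response
        if ($r) {
            $body = (New-Object System.IO.StreamReader($r.GetResponseStream())).ReadToEnd()
            "HTTP $([int]$r.StatusCode)"
            if ($body -match '403\.7') { 'IIS substatus 403.7: client certificate required' }
        } else {
            # No HTTP response at all: TLS/chain failure or the site is not listening.
            "No HTTP response: $($_.Exception.Message)"
        }
    }
} else {
    # Client side: the OtpCredentialProvider operational log carries the errors quoted in the
    # thread (10001 = cannot send authentication info to the DA server, 10003 = key/template).
    # '-contains' instead of '-in' keeps this runnable on the PowerShell 2.0 of a Windows 7 client.
    Write-Host '== OtpCredentialProvider events =='
    Get-WinEvent -LogName 'Microsoft-Windows-OtpCredentialProvider/Operational' -MaxEvents 50 -ErrorAction Stop |
        Where-Object { @(10001, 10003) -contains $_.Id -or $_.LevelDisplayName -eq 'Error' } |
        Select-Object TimeCreated, Id, Message | Format-List

    # The OTP prompt needs the infrastructure tunnel; Get-DAConnectionStatus exists on Windows 8+.
    if (Get-Command Get-DAConnectionStatus -ErrorAction SilentlyContinue) {
        Write-Host '== DA connection status =='
        Get-DAConnectionStatus
    }
}
```

Run it once on the DA server and once with -ClientSide on a client that is not getting the OTP prompt; step 5 is the one that distinguishes "the CRL is published" from "the CRL is reachable from this box", and step 6 distinguishes a TLS or chain failure (no HTTP response) from IIS answering but demanding a client certificate.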

Similar Messages

  • Can you use Multi Factor Authentication server with Central NPS and RD Gateway?

    Hi,
Does anyone have any experience getting the Azure Multi-Factor Authentication (MFA) on-premise server working with a Remote Desktop Gateway server and a centralised NPS server? I can get a solution whereby a user can get the second token (phone call/SMS etc.) but the connection never gets established. It looks like it's looping, as it repeats the phone call/text a second time but again no connection. I can't figure out why.
    All the blogs are very vague as to whether you can combine a new MFA NPS connection policy with an existing username/group membership NPS policy on a centralised NPS server (with RAP/CAP policies).
    I need to understand whether we can combine both an MFA Radius policy with a Username/Password plus group membership NPS policy together to achieve two factor authentication.
    Do you have the Remote Desktop Gateway Server connect to the Central NPS server and then the NPS server use the MFA server as its proxy server? In effect turning the NPS server into a proxy Radius server?  
    Or do you configure the Remote Desktop Gateway server to use the MFA server as the proxy Radius server, and configure the MFA server to send on Radius requests to the central NPS server?
Or are neither of these scenarios supported, and you can only use the MFA server as the only RADIUS server in the auth. process (bypassing NPS policies)?
    Thanks if someone can assist,
    I’ve been using these blogs but to no successful effect:
    http://technet.microsoft.com/en-us/library/dn394287.aspx
    http://www.rdsgurus.com/uncategorized/step-by-step-using-windows-server-2012-r2-rd-gateway-with-azure-multifactor-authentication/
    http://dave.harris.uno/installing-and-configuring-azure-multi-factor-authentication-mfa/

    Hi Michael,
    Thank you for posting in Windows Server Forum.
    After going through your description, I can say that we can use MFA server with central NPS and RD Gateway. Also the link which you have provided points the step to apply. In addition you can refer below article.
Configure Remote Desktop Gateway to use Multi-Factor Authentication
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Multi-Factor Authentication Server and OWA

    Hello,
    I am trying to implement a two factor authentication solutions for our OWA service using Multi-Factor Authentication server.
    What is the best way to accomplish that, Assuming I would like that the only service will be affected by the MultiFactor authentication server is the OWA?
    (without affecting the whole IIS service such as ActiveSync etc.?)

    At present, the MFA Server user enrollment is completely separate from Azure AD. If you want to use the mobile app with the MFA Server, you need to install the User Portal so that users can generate activation codes and set their MFA method to mobile app.
    Also, for users to activate their mobile apps, you have to install the Mobile App Web Service, which communicates with the MFA Server via the Web Service SDK to validate the activation code generated in the User Portal. Here are links for installing the User
    Portal and Mobile App Web Service.
    https://msdn.microsoft.com/en-us/library/azure/dn394290.aspx
    https://msdn.microsoft.com/en-us/library/azure/dn394277.aspx?f=255&MSPPError=-2147217396

  • DirSync and Multi-Factor Authentication Server

    Can DirSync and Multi-Factor Authentication Server be installed on the same server?
    If so would there be any security issues?

    Hi,
    Thanks for posting here!
There are no known caveats with it, but it's not a combination we recommend for or against.
    That said, our standard guidance is to put different roles on different machines if resources are available.
    If you are running into any issues, please let us know.
    Hope this helps!
    Regards,
    Sadiqh

  • With Multi-Factor Authentication ENABLED how can a admin connect remotely to manage Office 365 with PowerShell

    With Multi-Factor Authentication ENABLED how can office 365 admin connect remotely to manage Office 365 with Power-Shell ?
    When I key-in my credentials, auth fails with invalid username and password ?
    Does any know the procedure ?

    This question was closed over a year ago.   You will  need to start a new question.  You can post a link back here if you think it helps.
    I also recommend asking in the O365 developers forum for how to do bulk license upgrades.  You can use the answer here and just remove and then add the new license. 
    ¯\_(ツ)_/¯

  • How can I implement  Multi Factor authentication with IAM products?

Hi, I would like to implement multi-factor authentication that can be made generic with all IAM products. Can anyone suggest an MFA factor like that? It shouldn't be an add-on or plug-in. Instead it should be a built-in feature. Can anyone suggest any idea?

    Opensso has such feature built-in. You can create an authentication chain in which you can add as many authentication mechanisms as you need.
Although it is a built-in feature, there's no full support for all sorts of authentication methods. Some of them exist as plugins, like authentication modules for smart cards and biometrics, because they are not sold by Sun Microsystems. However, there's a solution for your requirement even though you might add some auth modules as plugins like biobex, activcard or auth modules from other vendors.
    Regards.

  • Multi-Factor Authentication desktop app?

Is there a desktop app (Win 7/8) for authenticating against Azure Multi-Factor? I've currently got an MFA provider spun up in Azure and the server installed on prem. We are currently testing with it for two-factor authentication to an RDS deployment and it seems to work well. So far I've used both the phone call and text authentication methods and I'm working on getting the mobile app piece to work.
We do have some instances though where users may not have dedicated cell phones. Is there an app that can be installed on the desktop and works with the Azure MFA that will allow them to two-factor auth? Perhaps allowing them to use a known PIN to generate a one-time passcode?
    Thanks

    No, there isn't one. There *might* be one coming with windows 10 and universal apps, but then again, being able to just use an app on the PC you are accessing the resource from kinda negates the whole value of the additional auth Factor.
    MFA is not limited to mobile phones only, use a regular one if needed. Or even an OATH token. Lastly, you can always fallback to the security questions, since you have the MFA server.

  • Multi-factor Authentication?

Multi-factor authentication will soon be mandatory for several of my applications. I need to know if CF has any built-in functionality, either stock or via custom tags, to handle any of the common multi-factor tools. How are other people handling this? :-)

    Huh, i'm sorry, I found the answer just after the questioning... :)
    Known Issues:
* Windows Authentication for Terminal Services is still not supported for Windows Server 2012 R2
From: https://pfweb.phonefactor.net/install/6.3.0.17465/release_notes.txt
    www.sccmfaq.ch

  • Dir Sync is not syncing On-premises AD user Password with Windows Azure AD (Office365)

    Hi All,
    I have one situation to sync on-premises AD user and their password with Windows Azure AD. Following is the detailed scenario:
    I have one parent Domain : parent.edu and other is child domain : child.parent.edu
    I am moving Child domain users into office365. I am using Dir Sync with Password sync approach to achieve this. My dir Sync server belongs to parent domain. I have followed all guidelines step-by-step to sync user and Password with office365.
I am successfully able to sync users to Office 365 but unable to sync on-premises passwords. When I try to run the profiles, Event Viewer shows the following error:
    Please suggest !!!!!
    Thanks~ Giriraj Singh Bhamu

    Have you seen this two:
    http://social.technet.microsoft.com/Forums/en-US/4e07658b-420c-4c95-bcc6-70c16176128a/password-sync-has-stopped-working
    and
    http://community.office365.com/en-us/forums/156/t/172670.aspx
It seems you are not the only one for whom this problem occurs. Have you had a domain rename? And is the replication in the forest OK?
    www.sccmfaq.ch

  • Bypassing OAAM multi-factor authentication

    Hello
    In our project we found an interesting case where it is possible to bypass multi-factor authentication provided by OAM and OAAM. It can also work for a custom multi-factor login application which is integrated with OAM using the Access SDK.
    If you integrate OAM and OAAM as officially described in
    http://download.oracle.com/docs/cd/E12057_01/doc.1014/e12052/igoam.htm#BABBJACH
you basically have one form authentication scheme which redirects a user to OAAM when trying to access a protected resource. The user enters username/password in OAAM, which is sent to OAM using the AccessSDK and validated by the authentication scheme in OAM.
From the point of view of OAM the authentication is completed and OAAM receives the ObSSOCookie. OAAM does not return the cookie to the user but continues with additional authentication steps such as secret questions, fingerprints, etc. If all goes well OAAM returns the ObSSOCookie to the user and he is able to access the protected resource.
    The bypass:
    OAM has a nice feature (I call it security bug) which allows a user to add authentication credentials as parameters to the URL when accessing a resource. E.g. a user accessing a protected resource such as app.domain.com can simply enter https://app.domain.com?username=xxx&password=xxx and is automatically authenticated provided the username/password parameters and values are correct. By automatically authenticated I mean that there is no redirection to the login form. The authentication credentials are passed by OAM internally to the authentication scheme. There is no post action being sent and intercepted.
Why is this bad? If you are using OAAM as a multi-factor login application, passing username/password as URL parameters will not involve OAAM at all. From the point of view of OAM a user is authenticated and there is no need to challenge him with OAAM. No matter what additional authentication factors are configured for OAAM, the authentication process is reduced to one factor (username/password).
    Any thoughts on this. I am mostly interested in ideas and approaches to fix this issue.
    Regards, Donat

    Hello Steve
    Bypassing OAAM works with the latest 10g release of OAAM and OAM and the architecture described in the Oracle documentation
    http://download.oracle.com/docs/cd/E12057_01/doc.1014/e12052/igoam.htm#BABBJACH
Any thoughts on this issue?
    Regards,
    Donat

• IP Ranges for use with On-Premises Azure Multi-Factor Auth

Anyone know where MS publishes an up-to-date list of IP ranges of POPs for use with on-premises Azure Multi-factor Auth? I'm seeing some issues, and firewall logs show connections are going to IPs not currently in the last list of IP ranges we received from MS (late last year).

The 204.13.12x.xx addresses above are no longer used. Also, the list above is missing 134.170.116.72/29.
    For those using event confirmation features or doing mobile app authentications with devices that are on the corporate network, the ranges need to be a little wider:
    157.55.242.0/25
    208.68.140.0/25
    134.170.116.0/25
    134.170.165.0/25
    These are subject to change as the service expands to additional datacenters. It is best to use the following URLs if possible:
    css.phonefactor.net
    pfd.phonefactor.net
    pfd2.phonefactor.net

  • Windows Azure Mobile Services - Sql Server - prebuilt columns

Am I correct in assuming that tables for WAMS need to be created in the Azure management portal and have some columns precreated? Once the table is created:
Is it OK to modify the columns in Visual Studio once the table has been created?
Can I just create the necessary items on my own or do I need to go through the management portal all the time?
    How do i handle foreign keys and such between two tables?
    Wally
    MVP in ASP.NET - ASPInsider - Author - Otherwise I am a loser.

    hi Wally,
    Thanks for posting!
    >>is it ok to modify the columns in Visual Studio once the table has been created?
    yes, we could modify our sql database data on the latest version (Azure SDK 2.2 ). You could use VS 2013 and install SDK2.2 to view the data. At the same time, you will
    click Add Firewall Rule and a new rule will be automatically added for you.
    Please see the blog about this question (http://weblogs.asp.net/scottgu/archive/2013/10/22/windows-azure-announcing-release-of-windows-azure-sdk-2-2-with-lots-of-goodies.aspx
    >>Can i just create the necessary items on my own or do I need to go through the management portal all the time?
The answer is yes. If you want to manage your SQL database by Azure portal, you could find your database from "SQL Azure", and click "Manage" to manage your DB. Like this image:
    >>How do i handle foreign keys and such between two tables?
You could handle foreign keys using SQL. Refer to this page (http://stackoverflow.com/questions/48772/how-do-i-create-a-foreign-key-in-sql-server).
    Hope it helps.
    Regards,
    Will

  • EAP with Windows 2000 client and IAS server

Several messages on this site point to people using EAP on a Windows 2000 client and authenticating against an IAS server. I am running an Aironet 350 AP and trying to set up my Windows 2000 clients to use EAP only and authenticate against a Windows 2000 AD forest via IAS. The access point and client are on the latest firmware and drivers (12.0 for AP). I have two basic questions.
1. It is my understanding that by enabling Network-EAP as the only authentication type, users will authenticate and then dynamic WEP keys will be used, greatly reducing the risks of compromised WEP keys while at the same time keeping the data encrypted.
2. Does anyone have a quick HOW-TO or point-by-point list of how to configure the Windows 2000 client to authenticate using the Network-EAP method? I am currently running into a situation where no matter what I configure on the client, the IAS server reports an error with "Reason: The authentication type is not supported on this system." I also noticed that the "Authentication-Type" and "EAP-Type" fields shown in the IAS messages in the Windows 2000 Event Viewer log have the value "<undetermined>". Has anyone else run into this?

    I'm having a similar problem. I'm trying to do PEAP and it appears that IAS is not handling the request properly. It keeps trying to log the user PEAP-##### in instead of setting up the TLS and then asking for Username, Pass, Domain. The IAS error message I'm getting is:
    User PEAP-00097CFCD901 was denied access.
    Fully-Qualified-User-Name = APPLY\PEAP-00097CFCD901
    NAS-IP-Address = 172.16.200.31
    NAS-Identifier = AP1
    Called-Station-Identifier = 004096570d87
    Calling-Station-Identifier = 00097cfcd901
    Client-Friendly-Name = WirelessAP
    Client-IP-Address = 172.16.200.31
    NAS-Port-Type = 19
    NAS-Port = 37
    Policy-Name =
    Authentication-Type = EAP
    EAP-Type =
    Reason-Code = 8
    Reason = The specified user does not exist.
    So if anybody has the needed settings for Win2k (SP3 and 802.1x patch) IAS it would be much appreciated.
    Ben
    Note: if I had PEAP-####### as a user in Win2k I get:
    User PEAP-00097CFCD901 was denied access.
    Fully-Qualified-User-Name = apply.org/Users/PEAP TEST
    NAS-IP-Address = 172.16.200.31
    NAS-Identifier = AP1
    Called-Station-Identifier = 004096570d87
    Calling-Station-Identifier = 00097cfcd901
    Client-Friendly-Name = WirelessAP
    Client-IP-Address = 172.16.200.31
    NAS-Port-Type = 19
    NAS-Port = 37
    Policy-Name = Wireless Policy
    Authentication-Type = EAP
    EAP-Type =
    Reason-Code = 16
    Reason = There was an authentication failure because of an unknown user name or a bad password.

  • Problem with Windows Azure Management Portal

Is there any issue with accessing all services of the Management portal? For the last couple of days I am getting the message "Unable to get required information for the services" (especially for Virtual Machines).

    Hi,
The Windows Azure Management portal runs well on my side; from my experience, there may be something wrong on your side. I found a similar thread, hope it helps; the thread link is:
    http://social.msdn.microsoft.com/Forums/windowsazure/en-us/844c511d-09a8-497e-a88c-f3e5b7eb075e/new-management-portal-not-seen-in-ie10?forum=windowsazuremanagement
    Best Regards

  • Two-factor / Multi-factor authentication for Sites login

    Hi All,
Would like to know if anyone has implemented two-factor authentication for Sites login (Admin / Contributor Interface).
    It will be really helpful if you could share any ideas on this.
    Regards,
    Anoop.

    I haven't seen any before for Sites.
    But I guess if You use OAM for the access, you could create something like the described in:  Integrating the RSA SecurID Authentication Plug-In -
    I haven't tried myself, but maybe that integration with RSA SecurID plugin helps you.
    Regards,
    Guillermo.
