Use Azure MFA With Microsoft NPS (RADIUS) Server

 

KB ID 0001759

Problem

I was in a forum last week and someone asked, “Can I enable Azure MFA, on my RADIUS server, to secure access to my switches and routers etc”. It turns out if you want to enable Azure MFA with Microsoft NPS it’s actually quite  simple.

So, I’m using RADIUS auth (above) on my NPS server, and it’s simply checking the authenticating user is a member of a domain security group. Once it has satisfied that requirement, it will authenticate against my Azure AD, which will trigger an MFA event, (in my case send a request to the Microsoft Authenticator Application on my Android Phone).

Azure MFA With Microsoft NPS Pre-Requisites

The remote user needs EITHER an Azure P1 License, or a Microsoft 365 license. 

“But I can use the Authenticator App with my Office 365 subscription?”

Well yes you can, but we are not authenticating to office 365 are we?

Below you can prove the licence is allocated in Office 365

And the same in Azure AD.

Now your user needs to have MFA enabled, (this should be pretty obvious), to use the Microsoft authenticator application the USER chooses that method of authentication, when you enable MFA for them (the first time they login). You can re-force that, from the following screen if you wish.

Azure MFA With Microsoft NPS: Deploying NPS

So I’ve pretty much covered this half a dozen times before, but for completeness I’ll quickly run though setting up NPS / NPAS. The quickest simplest method is to use PowerShell.

[box]

Install-WindowsFeature NPAS -IncludeManagmentTools

[/box]

From administrative tools open > Network Policy Server >Right click (Top Level) > Register Server in Active Directory  > OK > OK

Execute the following PowerShell command to create a registry key

[box]

New-Item 'HKLM:\SOFTWARE\Microsoft\AzureMfa' -Force | New-ItemProperty -Name REQUIRE_USER_MATCH -Value TRUE -Force | Out-Null

[/box]

Enable NPS RADIUS on Windows Firewall

Now for some reason installing NPS does not open the correct ports on the Windows Firewall? So issue the following command;

[box]

Get-NetFirewallRule -DisplayGroup "Network Policy Server" | where DisplayName -like "*RADIUS*" | Set-NetFirewallRule -Service Any

[/box]

Azure MFA With Microsoft NPS: Domain (on Premises and Azure AD)

You will need to know what your Azure Tenant ID is, keep a copy of this handy either in notepad or on the clipboard because you will need it in a minute.

Below you can see I’ve got my domain user, their remote access (Dial In Tab) is set to control access though policy, and I’ve placed them in a security group called SG-Azure-MFA.

Configure NPS for RADIUS Access

Note: You may already have this configured, if so please skip to the next section.

The first task is to define the RADIUS CLIENT, in my case it will be a Cisco firewall, yours could be any device that requires RADIUS authentication. Locate REDIUS Clients  > New > Provide a ‘Friendly Name’ (REMEMBER WHAT IT IS) > Enter its IP address > Then provide and confirm a shared secret (think of it like a password, you will need to add this to the radius clients config) > OK

Policies > Network Policies > New > Give it a sensible name > Next.

Add in a ‘Condition‘ for User Group, then add in the user group you created/used above.

Add in another ‘Condition‘ > Set the friendly name to the one you used when you created your RADIUS client.

Accepts all the defaults until you get to Configure Authentication Methods > Tick ‘Unencrypted Authentication (PAP, SPAP)’> Click yes if you want to read the warning > Next > Accept all the defaults from this point forward.

Enable Azure MFA With Microsoft NPS

Download the ‘NPS Extension For Azure MFA‘ software form Microsoft, and install it on your NPS server.

To actually enable it against your Azure AD, Execute the following PowerShell commands;

[box]

cd "c:\Program Files\Microsoft\AzureMfa\Config"
.\AzureMfaNpsExtnConfigSetup.ps1

[/box]

Eventually you will be asked to authenticate to Azure, do so with an administrative account.

You will be asked to provide your Azure Tennant ID.

When complete REBOOT THE NPS SERVER!

Testing Azure MFA With NPS

Again for Cisco ASA I’ve already blogged about this, but for completeness here’s me making sure it works;

Remember to RAISE the RADIUS timeout, by default its 10 seconds, I raised it to 30 seconds.

And on my phone I get prompted to allow

 

Authentication successful!

Troubleshooting (NPS Azure MFA Not Working)

Event ID 6274: The Request Was Discarded by a third-party extension DLL file. 

This happens when the user you are authenticating does not have the correct license in Azure (or you have just allocated the license and have not waited for a while).

Full Error

[box]

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 16:42:58
Event ID:      6274
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			PNL\tanya.long
	Account Name:			tanya.long
	Account Domain:			PNL
	Fully Qualified Account Name:	pnl.com/PNL/Users/Tanya Long

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		-
	Calling Station Identifier:		-

NAS:
	NAS IPv4 Address:		192.168.254.254
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Virtual
	NAS Port:			6

RADIUS Client:
	Client Friendly Name:		Firewall
	Client IP Address:			192.168.254.254

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		NP-Azure-MFA
	Authentication Provider:		Windows
	Authentication Server:		PKI-02.pnl.com
	Authentication Type:		PAP
	EAP Type:			-
	Account Session Identifier:		-
	Reason Code:			9
	Reason:				The request was discarded by a third-party extension DLL file.

[/box]

Event ID 6273: An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection

In my case I had re-install the NPS Azure extension.

Full Error

[box]

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/07/2021 17:24:39
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      PKI-02.pnl.com
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			tanya.long
	Account Domain:			PNL
	Fully Qualified Account Name:	PNL\tanya.long

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	Called Station Identifier:		-
	Calling Station Identifier:		-

NAS:
	NAS IPv4 Address:		192.168.254.254
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Virtual
	NAS Port:			10

RADIUS Client:
	Client Friendly Name:		Firewall
	Client IP Address:			192.168.254.254

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		PKI-02.pnl.com
	Authentication Type:		Extension
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			21
	Reason:				An NPS extension dynamic link library (DLL) that is installed on the NPS server rejected the connection request.

[/box]

 

Related Articles, References, Credits, or External Links

NA

Sysprep Was Unable to Validate

KB ID 0001535

Problem

While building a new Windows 10 machine to be used as a template, I ran Sysprep to generalise the installation, and got this;

Sysprep was not able to validate your Windows Installation.
Review the log file at
%WINDIR%\System32\Sysprep\Panther\setupact.log for
details. After resolving the issue, use Sysprep to validate yout
Installation again.

Solution

What I did was Google the error, instead of looking at the log file, and read a post that said this can happen if the reference machine has not been activated, and went down a blind alley because THATS NOT TRUE of course you can generalise a newly deployed ‘non-activated’ reference machine.

When I finally read the error log, I found the following;

[box]

Package Microsoft.LanguageExperiencePacken-GB_17763.6.14.0_neutral__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.
Failed to remove apps for the current user: 0x80073cf2
Exit code of RemoveAllApps thread was 0x3cf2.

[/box]

This problem is being caused by an app, (Windows has suffered with this since Windows 8!) I’ve highlighted the app name above, yours may have a different name, but the fix is the same. We need to remove that app, and stop Windows connecting to the internet to install more app shenanigans!

Disconnect the reference machine from the internet by disconnecting its NIC, (below I’m using a VMware VM).

Run a PowerShell window, (as Administrator) and execute the following command, (obviously use the name of your offending app rather than mine if it’s different!).

[box]

Get-AppxPackage –Name *LanguageExperience* | Remove-AppxPackage

[/box]

Then you should be able to run Sysprep successfully. 

DON’T FORGET to reconnect the NIC if you are creating a template, once the machine has shut down.

Related Articles, References, Credits, or External Links

NA

PowerShell Web Access

KB ID 0001036

Problem

One of my goals for this year is to become more proficient with PowerShell. During my studies I came across PowerShell Web access and thought it was so cool, I’d have a play with it.

What is PowerShell Web Access?

It’s a web service that runs on a Server 2012 IIS web server. It lets you remote connect to that host (via https) and then launch a PowerShell secure connection to any machine in your network. So by deploying a secure bastion host in your DMZ you can manage your infrastructure via PowerShell, you don’t even need to have PowerShell on your remote machine, (as demonstrated below) that machine does not even have to be Windows. It just needs a browser that can run JavaScript and can accept cookies.

You Expect Me to Open All My Servers To Remote Management?

In a word yes, in fact if you have server 2012 or newer they already are, and if you have not already enabled the Windows Remote Management Service, on your legacy machines, DO SO! If not all the modern domain management tools will gradually stop working. As far as Microsoft is concerned PowerShell is the tool that all the management tools will be built on.

In fact if you are a security conscious type, you probably already have domain services in your DMZ, think of this as a secure ‘reverse-proxy’, whose traffic is secured by SSL and Kerberos.

Solution

Setting Up PowerShell Remote Access

1. PowerShell web access is a ‘windows feature’ add it with the following command;

[box]

Add-WindowsFeature WindowsPowerShellWebAccess
[/box]

 

2. Now it’s available you can install it like so;

[box]

Install-PswaWebApplication

Note: My Target server is already running IIS and has a certificate binding for https, yours probably does not, if so generate a self signed certificate and assign it like so;

Install-PswaWebApplication –UseTestCertificate

Obviously in production replace this certificate with either a publicly signed one, or one form your own PKI environment.

[/box]

3. Now you need to allow access, the following allows all users to all machines to do everything (Note: I would not recommend this for a production environment, see next step).

[box]Add-PswaAuthorizationRule * * *[/box]

4. As I said above, lets be a little more secure, I’ve created a computer group, for my target computers, and a user group for my remote PowerShell admins. As above, I’ve not filtered what the users can do, you could give granular remote access to different levels of administrative groups using this, if that’s a requirement see this article.

[box]

Add-PswaAuthorizationRule -ComputerGroupName petenetlivePSComputers -UserGroupName petenetlivePSAdmins -ConfigutationName *

[/box]

5. So now if you connect to the server over https, (it creates a virtual directory called pswa) so we will need to go to https://{ip address or hostname}/pswa.

PowerShell Web Access – It Doesn’t Work!

If at this point there’s a problem, ensure the server and the client you are trying to connect to have comms, (can they ping each other by name and IP). Most importantly the machine you need to connect to needs to have WinRM running and its firewall configuring properly.

Configure Windows Remote Management for a Single Host

From an elevated command prompt execute the following command and follow the on-screen prompts;

[box]WinRM QuickConfig [/box]

Configure Windows Remote Management via Group Policy

A better approach would be to configure you hosts via GPO. You can find the correct GPO at;

[box]

Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service > Allow remote server management through WinRM
On Server 2008 R2 and older the policy will be called 'Allow automatic configuration of listeners'

[/box]

Enable the policy and select which networks you want to allow remote connections from, above I’ve simply used asterisks to denote ‘all addresses’.

Providing all is well, you should have PowerShell access.

 

PowerShell from an Apple IOS Device (iPad shown)

PowerShell from an Android Device (Samsung Note shown)

Related Articles, References, Credits, or External Links

NA

MAC OSX – Setting File Associations

KB ID 0001046

Problem

This started out as an article on simply ‘how to set file associations’ but when I tried to associate .jpg files with Photoshop it refused to work, (they stayed associated with the MAC Preview application).

Solution

1. Right click a file of the type you want to associate, (or cmd click if you don’t have right click enabled).

2. With the right click menu still on the screen press and hold the ‘options’ key. If like me your new to MAC that’s the key indicated below. At this point ‘Opens With’ changes to ‘Always Opens With’. Select the application that will be the new default application for that file type.

Unable to Associate a File Type / File Extension with Photoshop

This worked for me;

1. Right click (or cmd click) the file in question > Get Info.

4. Locate the ‘Opens with’ section and change it to the desired app (in this case Photoshop) > Change All.

5. Continue.

Related Articles, References, Credits, or External Links

NA