Last week, a customer reported that MFA authentication had suddenly stopped working. The customer had already installed the latest NPS MFA extension and run the MFA troubleshooting script, but nothing was found, so in the end he asked me for short-term support. A look at the MFA event log showed a critical error mentioning "CLIENT_CERT_IDENTIFIER", which points to the local certificate on the NPS server. The certificate with the Azure tenant ID can be found in the personal certificate store of the machine, and it had been valid until exactly one day before! A new certificate for the Azure Multi-Factor Auth Client had to be generated, but how?
This is the certificate in question; to be sure it is the right one, the Issuer field in its details must contain: "OU= Microsoft NPS Extension".
The fix is to run the AzureMfaNpsExtnConfigSetup.ps1 script again, which creates a new certificate. This has to be done every two years, because the certificate (and its private key) is not valid for longer.
Case solved? No, because instead of an "Approve/Deny" prompt, a one-time password (OTP) was now requested. That worked, but the users are used to "Approve/Deny" and the customer wanted it back that way! The customer's update of the NPS MFA extension had brought in the newer version, with which Microsoft enforces the OTP. Fortunately, this can be reversed with a registry value: set OVERRIDE_NUMBER_MATCHING_WITH_OTP to FALSE, which deactivates the forced OTP.
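The two checks above on the NPS server (is the extension's client certificate still valid, and is the OTP override set) can be scripted. The following is an added example, not code from the original post or from the NPS extension itself. It assumes the extension keeps its settings under HKLM:\SOFTWARE\Microsoft\AzureMfa, that CLIENT_CERT_IDENTIFIER there holds the thumbprint of the certificate in use, and that the NPS service is named IAS; the function names are my own. Run it elevated on the NPS server.

```powershell
# Added example (not from the original post): health check for the NPS extension
# client certificate, plus the registry override that restores Approve/Deny.
# Assumed: settings live under HKLM:\SOFTWARE\Microsoft\AzureMfa, the value
# CLIENT_CERT_IDENTIFIER holds the thumbprint in use, and the NPS service is "IAS".

$AzureMfaKey = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'

function Get-NpsMfaClientCertificate {
    # The certificate created by AzureMfaNpsExtnConfigSetup.ps1 sits in the
    # machine's personal store; its Issuer names "Microsoft NPS Extension".
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -match 'Microsoft NPS Extension' } |
        Sort-Object NotAfter -Descending
}

function Test-NpsMfaClientCertificate {
    param([int]$WarnDays = 30)   # warn this many days before expiry

    $certs = @(Get-NpsMfaClientCertificate)
    if ($certs.Count -eq 0) {
        Write-Warning 'No NPS extension client certificate found; rerun AzureMfaNpsExtnConfigSetup.ps1.'
        return
    }

    # Thumbprint the extension is configured to use (assumed registry value).
    $configured = (Get-ItemProperty -Path $AzureMfaKey -ErrorAction SilentlyContinue).CLIENT_CERT_IDENTIFIER

    foreach ($cert in $certs) {
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $status = if ($daysLeft -lt 0) { 'EXPIRED' }
                  elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                  else { 'OK' }
        [pscustomobject]@{
            Subject    = $cert.Subject          # CN=<tenant id>
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
            InUse      = [bool]($configured -and ($cert.Thumbprint -eq $configured))
        }
    }
}

function Set-NpsMfaOtpOverride {
    # Writes OVERRIDE_NUMBER_MATCHING_WITH_OTP as a string value.
    # 'FALSE' brings back Approve/Deny; 'TRUE' re-enables the forced OTP.
    param([ValidateSet('TRUE', 'FALSE')][string]$Value = 'FALSE')

    if (-not (Test-Path -Path $AzureMfaKey)) {
        New-Item -Path $AzureMfaKey -Force | Out-Null
    }
    New-ItemProperty -Path $AzureMfaKey -Name 'OVERRIDE_NUMBER_MATCHING_WITH_OTP' `
        -Value $Value -PropertyType String -Force | Out-Null

    # The extension reads its settings when NPS starts, so restart the service.
    Restart-Service -Name IAS
    (Get-ItemProperty -Path $AzureMfaKey).OVERRIDE_NUMBER_MATCHING_WITH_OTP
}

# Report first; apply the override only when the customer wants Approve/Deny back.
Test-NpsMfaClientCertificate | Format-Table -AutoSize
# Set-NpsMfaOtpOverride -Value FALSE
```

Scheduling Test-NpsMfaClientCertificate (for example as a daily task that alerts on EXPIRING or EXPIRED) turns the two-year renewal from a surprise outage into a planned change; an entry with InUse = False and Status = EXPIRED is simply a leftover from an earlier renewal.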
Case solved? Not quite, because in Entra the certificate-expiration status of the "Azure Multi-Factor Auth Client" was "Invalid"! The reason is that the enterprise application "Azure Multi-Factor Auth Client" can have several certificates stored, and if even one of them has expired, the status is invalid. So all expired certificates must be deleted, but how? The PowerShell command Get-MsolServicePrincipalCredential -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" -ReturnKeyValues 1 lists all certificates. Each expired certificate must then be deleted by its key ID: Remove-MsolServicePrincipalCredential -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" -KeyID "d8d60ffe-9991-4c05-960d-29c51a7d4540" deletes the certificate with the specified KeyID. Once all expired certificates have been deleted, the status shows "Current".
That finally closed the support case for me, but remember: the certificate must be renewed every two years.
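Removing the expired credentials one KeyID at a time is error-prone when several NPS servers have each registered their own certificate over the years. The following is an added example, not code from the original post; it wraps the two MSOnline commands above so that only credentials whose EndDate has passed are removed, and asks for confirmation first. It assumes the MSOnline module is installed and Connect-MsolService has already been run with an account allowed to manage service principal credentials; the function names are my own. Valid certificates must stay, because another NPS server may still be using them.

```powershell
# Added example (not from the original post): list the certificates registered on the
# "Azure Multi-Factor Auth Client" service principal and remove only the expired ones.
# Assumed: MSOnline module present, Connect-MsolService already done.

$MfaClientAppId = '981f26a1-7f43-403b-a875-f8b09b8cd720'   # app ID from the post

function Get-MfaClientCredentialReport {
    param([string]$AppPrincipalId = $MfaClientAppId)

    Get-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -ReturnKeyValues $true |
        ForEach-Object {
            [pscustomobject]@{
                KeyId     = $_.KeyId
                Type      = $_.Type
                StartDate = $_.StartDate
                EndDate   = $_.EndDate
                Expired   = ($_.EndDate -lt (Get-Date))   # this one makes the status "Invalid"
            }
        }
}

function Remove-ExpiredMfaClientCredential {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([string]$AppPrincipalId = $MfaClientAppId)

    $expired = @(Get-MfaClientCredentialReport -AppPrincipalId $AppPrincipalId | Where-Object Expired)
    if ($expired.Count -eq 0) {
        Write-Host 'No expired credentials found; the status should already read "Current".'
        return
    }

    foreach ($cred in $expired) {
        # -WhatIf shows what would be removed; -Confirm:$false skips the prompt.
        if ($PSCmdlet.ShouldProcess("KeyId $($cred.KeyId) (expired $($cred.EndDate))", 'Remove credential')) {
            Remove-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -KeyIds $cred.KeyId
        }
    }
}

# Review the list, then do a dry run before removing anything.
Get-MfaClientCredentialReport | Sort-Object EndDate | Format-Table -AutoSize
# Remove-ExpiredMfaClientCredential -WhatIf
```

Do this only after the new certificate has been generated on every NPS server, so that the renewed entries are already present and the cleanup never touches a certificate that is still in use. Note that Microsoft is retiring the MSOnline module; the same credential list is available through the service principal's key credentials in Microsoft Graph PowerShell, which is where this script will have to move eventually.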