NPS extension for Azure MFA + Renew a certificate + Alternative way
My certificate for the NPS extension for Azure MFA had expired, but I couldn't renew it with the bundled script (AzureMfaNpsExtnConfigSetup.ps1) because that server could not connect to Azure from the command line: both Connect-MsolService (MSOnline) and Connect-MgGraph failed with the error "Something went wrong". I have another server on which these connections work, so I decided to generate the new certificate from that server and move it to the NPS server.
- Delete all the old (expired) NPS Azure MFA certificates from the NPS server.
- Install the latest NPS extension on the NPS server.
- Export the registry key from the NPS server: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa
- Import that registry key on the working server.
- Copy the script "C:\Program Files\Microsoft\AzureMfa\Config\AzureMfaNpsExtnConfigSetup.ps1" to the working server.
- Copy C:\Program Files\WindowsPowerShell\Modules\AzureMfaClientCertProvider from the NPS server to the same path on the working server.
- Run AzureMfaNpsExtnConfigSetup.ps1 on the working server. It generates a new self-signed client certificate and registers it in Azure.
- Run certlm.msc and export the new certificate together with its private key (PFX).
- Import the PFX into the NPS server's machine certificate store.
- Get the thumbprint of the certificate: Get-ChildItem Cert:\LocalMachine\My
- Get the private key container name for the certificate: certutil -v -store My <your thumbprint> (look for the "Unique container name" line).
- Go to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys and find the file with that container name.
- Open its Properties and, on the Security tab, grant Read access to NETWORK SERVICE. That is the account the NPS service runs as; without this permission the extension cannot use the private key to authenticate to Azure.
- In the registry under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa create a string value (REG_SZ) named OVERRIDE_NUMBER_MATCHING_WITH_OTP with the data FALSE. Note that FALSE turns off the OTP fallback the extension uses to enforce number matching, so users get a plain Approve/Deny push again; decide whether losing number matching is acceptable for your VPN/RADIUS clients before keeping it.
- Restart the NPS service (service name IAS), or the whole server.
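The post-generation part of the procedure (export on the working server; import, key-container ACL, registry value and service restart on the NPS server) as one PowerShell script. This is an added example, not code from the post or from Microsoft's AzureMfaNpsExtnConfigSetup.ps1. It assumes an elevated Windows PowerShell 5.1 session, that the NPS service (service name IAS) runs as NETWORK SERVICE as the post states, and that the caller supplies the thumbprint, a PFX path such as C:\temp\AzureMfaClient.pfx and its password. It resolves the key container with .NET instead of certutil, also handles a CNG key (which lives under Microsoft\Crypto\Keys rather than RSA\MachineKeys), and makes the OVERRIDE_NUMBER_MATCHING_WITH_OTP value opt-in via a switch because of the trade-off it carries; the post sets it unconditionally.

```powershell
# Added example, not part of the original post or of Microsoft's AzureMfaNpsExtnConfigSetup.ps1.
# Assumptions: elevated Windows PowerShell 5.1; NPS service name IAS running as NETWORK SERVICE;
# thumbprint, PFX path and PFX password are supplied by the caller.
# Export-MfaClientCert runs on the working server; the other functions run on the NPS server.

$RegPath    = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$NpsAccount = 'NT AUTHORITY\NETWORK SERVICE'

# Working server: export the certificate the Microsoft script generated, with its private key.
function Export-MfaClientCert {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,        # from Get-ChildItem Cert:\LocalMachine\My
        [Parameter(Mandatory)][string]$PfxPath,           # e.g. C:\temp\AzureMfaClient.pfx (assumed)
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store." }
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null
}

# NPS server: resolve the on-disk key container of a machine-store certificate.
# For a CSP key this is the name certutil -v -store My <thumbprint> prints as "Unique container name".
function Get-MfaKeyContainerPath {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName          # legacy CSP key: the post's path
        $path = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName                                       # CNG key: different folder
        $path = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$name"
    } else {
        throw "Unsupported private key type for $($Cert.Thumbprint)"
    }
    if (-not (Test-Path -LiteralPath $path)) { throw "Key container not found: $path" }
    return $path
}

# NPS server: import the PFX, grant NETWORK SERVICE Read on the key file, optionally set the
# registry value, restart NPS. Returns the thumbprint of the imported certificate.
function Install-MfaClientCert {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][securestring]$PfxPassword,
        [switch]$DisableOtpFallback   # the post sets OVERRIDE_NUMBER_MATCHING_WITH_OTP=FALSE unconditionally
    )
    $cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword
    $keyFile = Get-MfaKeyContainerPath -Cert $cert

    # Same effect as Properties > Security > Read for NETWORK SERVICE on the container file.
    $acl  = Get-Acl -LiteralPath $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($NpsAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyFile -AclObject $acl

    if ($DisableOtpFallback) {
        # FALSE turns off the OTP fallback that enforces number matching, so users get a plain
        # Approve/Deny push again and lose number matching's protection against MFA fatigue.
        New-ItemProperty -Path $RegPath -Name 'OVERRIDE_NUMBER_MATCHING_WITH_OTP' `
            -Value 'FALSE' -PropertyType String -Force | Out-Null
    }
    Restart-Service -Name IAS -Force
    return $cert.Thumbprint
}

# NPS server: the checks worth running before blaming Azure, returned as a hashtable.
function Test-MfaClientCert {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert    = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $keyFile = Get-MfaKeyContainerPath -Cert $cert
    $read    = [System.Security.AccessControl.FileSystemRights]::Read
    $hasRead = (Get-Acl -LiteralPath $keyFile).Access | Where-Object {
        $_.IdentityReference.Value -eq $NpsAccount -and $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    return @{
        Thumbprint    = $Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        NotExpired    = $cert.NotAfter -gt (Get-Date)
        NpsCanReadKey = [bool]$hasRead
        OtpOverride   = (Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue).OVERRIDE_NUMBER_MATCHING_WITH_OTP
        NpsRunning    = (Get-Service -Name IAS).Status -eq 'Running'
    }
}
```

On the working server, call Export-MfaClientCert with the thumbprint shown by Get-ChildItem Cert:\LocalMachine\My and a password from Read-Host -AsSecureString; copy the PFX to the NPS server and run Install-MfaClientCert there (add -DisableOtpFallback only if you want the post's registry change), then Test-MfaClientCert with the returned thumbprint. Every entry in its result should be true (or FALSE for OtpOverride if you set it) before you retry a VPN logon.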
Some useful links:
https://github.com/unscrpt/azuremfanps
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension
https://www.microsoft.com/en-us/download/details.aspx?id=54688