I'm having a real struggle getting the Azure MFA NPS extension to work on my new RD Gateway setup. While I can run RD Gateway without NPS, I've read mixed information about whether I need to have separate machines for these roles. Some say I can use one box as long as I configure the addresses correctly (like pointing to 127.0.0.1 or its local LAN address), while others, including Microsoft documentation, claim I must have at least three boxes—two for NPS servers and one for the RD Gateway. I'm currently facing an error from Azure MFA that mentions a missing Radius Identifier attribute. Despite the NPS extension apparently receiving the RADIUS requests, it's discarding them due to an unspecified Reason 9 in Event Viewer. I'm hoping to avoid adding yet another server since we already have VM sprawl. Am I stuck having to set up an additional server just to enable MFA for RD Gateway? Is there something I could be missing here?
2 Answers
You only need to have the RD Gateway and NPS roles on separate machines. A good setup would be to put NPS on your domain controller, although I get why you’d want to keep it clean and avoid running a GUI. Just remember, those components haven’t seen updates since way back, so that’s part of the issue! Don't stress too much, separating these roles usually solves the issues you're encountering.
Yeah, it’s a bit of a headache with Azure MFA and NPS. I hear you about not wanting another VM, but unfortunately, Azure setup often means playing ball with these roles. If NPS is ditching requests, it’s usually because of that separation issue. You might want to consider the implications of running it on a DC, too, especially if you're aiming for a light server footprint.