NPS Extension for Azure MFA - The key was not found

Michel G 0 Reputation points
2024-10-21T15:05:14.8833333+00:00

Dear all,

We're trying to implement Entra/Azure MFA for RDGateway. We've installed the NPS MFA extensions, and configured everything as instructed by the official documentation. When a user tries to sign in through the RDGW we're seeing the below error message in the eventlog in the Microsoft-AzureMfa-AuthZ/AuthZAdminCh log:

NPS Extension for Azure MFA: CID: xxxx :Exception in Authentication Ext for User xxxx\testuser :: ErrorCode:: ESTS_TOKEN_ERROR Msg:: Unable to get Azure AD access token. [Reason:AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Thumbprint of key used by client: 'xxxx', Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'xxxx'. Review the documentation at https://docs.microsoft.com/en-us/graph/deployments to determine the corresponding service endpoint and https://docs.microsoft.com/en-us/graph/api/application-get?view=graph-rest-1.0&tabs=http to build a query request URL, such as 'https://graph.microsoft.com/beta/applications/xxx']. Alternatively, SNI may be configured on the app. Please ensure that client assertion is being sent with the x5c claim in the JWT header using MSAL's WithSendX5C() method so that Azure Active Directory can validate the certificate being used. Trace ID: 0f2b94d8-58de-40fa-93d7-c7a4232c0600 Correlation ID: xxx Timestamp: 2024-10-21 14:57:52Z][Code:3399614473] Enter ERROR_CODE @ https://go.microsoft.com/fwlink/?linkid=846827 for detailed troubleshooting steps.

Kindly please advise how to proceed to resolve this. Thank you.


1 answer

  1. Raja Pothuraju 7,750 Reputation points Microsoft Vendor
    2024-11-01T07:05:31.93+00:00

    Hello @Michel G,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, it appears you’ve installed the NPS extension for Microsoft Entra multifactor authentication on your NPS Server, but users receive an error when attempting to log in: “The certificate with identifier used to sign the client assertion is not registered on application.” This likely indicates that the NPS deployment did not register the certificate in Azure for the application with App ID 981f26a1-7f43-403b-a875-f8b09b8cd720 (Azure Multi-Factor Auth Client).

    To confirm if the client certificate is associated with your tenant in Microsoft Entra ID, you can run the following PowerShell commands:

    # Sign in with read access to application objects, then list the key credentials
    # (certificates) registered on the Azure Multi-Factor Auth Client service principal,
    # computing each one's thumbprint so it can be compared with the NPS server's certificate.
    Connect-MgGraph -Scopes 'Application.Read.All'
    (Get-MgServicePrincipal -Filter "appid eq '981f26a1-7f43-403b-a875-f8b09b8cd720'" -Property "KeyCredentials").KeyCredentials |
        Format-List KeyId, DisplayName, StartDateTime, EndDateTime,
            @{Name = "Key"; Expression = { [System.Convert]::ToBase64String($_.Key) }},
            @{Name = "Thumbprint"; Expression = {
                # Import() accepts the base64 form of the DER-encoded key and parses it as a certificate
                $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
                $Cert.Import([System.Text.Encoding]::UTF8.GetBytes([System.Convert]::ToBase64String($_.Key)))
                $Cert.Thumbprint }}
    

    How can I verify that my client certificate is associated to my tenant in Microsoft Entra ID

    Alternatively, you can use the Graph Explorer to retrieve this information. Make sure to consent to the “Application.Read.All” scope before running the following Graph query:

    GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=startswith(displayName, 'Azure Multi-Factor Auth Client')&$count=true&$top=1&$orderby=displayName
    


    After executing this, check the keyCredentials property to see if the certificate thumbprint matches.

    Verify that the self-signed client certificate is installed as expected in the NPS Server's Personal Certificate store, that the private key is present and that the Network Service account has Read access to the private key.

    1. Open certlm.msc and expand Personal\Certificates
    2. Confirm there is a certificate with a Subject Name of "CN=<TenantID>, OU=Microsoft NPS Extension" in the local machine's certificate store
    3. Verify NETWORK SERVICE has Read access to the private key.
    4. Make note of the "Valid from" and "Valid to" fields of the certificate Details


    If nothing helps, I recommend re-running the PowerShell script .\AzureMfaNpsExtnConfigSetup.ps1

    Run the PowerShell script

    Make sure that the ServicePrincipal for the Azure Multi-Factor Auth Client service is enabled


    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.
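The checks from the answer above combined into one script, as an added example that is not part of the original answer or of Microsoft's NPS extension. It runs on the NPS server itself: it finds the local "OU=Microsoft NPS Extension" client certificate, checks validity dates, the presence of the private key and NETWORK SERVICE read access on the key container, then queries the Azure Multi-Factor Auth Client service principal with the same Graph cmdlets as the answer and reports which local thumbprints are (or are not) registered as keyCredentials. Assumptions: an elevated session on the NPS server, the Microsoft.Graph PowerShell module installed, consent to Application.Read.All, and the standard machine-key paths under %ProgramData%\Microsoft\Crypto for CSP and CNG keys (the helper Get-PrivateKeyFile is hypothetical, written for this example).

```powershell
# Added example (not from the original answer or from Microsoft's NPS extension):
# cross-check the NPS extension client certificate on this server against the
# keyCredentials registered on the "Azure Multi-Factor Auth Client" service principal.
# Assumes: elevated session on the NPS server, Microsoft.Graph module installed,
# consent to Application.Read.All.

$MfaClientAppId = '981f26a1-7f43-403b-a875-f8b09b8cd720'   # Azure Multi-Factor Auth Client

# --- 1. Local side: the self-signed cert created by AzureMfaNpsExtnConfigSetup.ps1.
#        Its subject is "CN=<TenantID>, OU=Microsoft NPS Extension".
$local = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match 'OU=Microsoft NPS Extension' } |
    Sort-Object NotAfter -Descending)
if ($local.Count -eq 0) {
    throw "No 'OU=Microsoft NPS Extension' certificate in LocalMachine\My. Re-run AzureMfaNpsExtnConfigSetup.ps1."
}

function Get-PrivateKeyFile {
    # Hypothetical helper: returns the on-disk key container file so its ACL can be read.
    # Assumption: standard machine-key paths for CSP (RSA\MachineKeys) and CNG (Keys) keys.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch { return $null }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
    return $null
}

$now = Get-Date
foreach ($cert in $local) {
    $tenantId = (($cert.Subject -split ',')[0] -replace '^\s*CN=', '').Trim()
    $nsRead = $false
    $keyFile = if ($cert.HasPrivateKey) { Get-PrivateKeyFile $cert } else { $null }
    if ($keyFile -and (Test-Path $keyFile)) {
        # NETWORK SERVICE (the NPS service account) needs at least Read on the key container.
        $nsRead = [bool]((Get-Acl $keyFile).Access | Where-Object {
            $_.IdentityReference -eq 'NT AUTHORITY\NETWORK SERVICE' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.ToString() -match 'Read|FullControl'
        })
    }
    [pscustomobject]@{
        LocalThumbprint    = $cert.Thumbprint
        TenantIdFromCN     = $tenantId
        NotBefore          = $cert.NotBefore
        NotAfter           = $cert.NotAfter
        InValidityNow      = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        HasPrivateKey      = $cert.HasPrivateKey
        NetworkServiceRead = $nsRead
    } | Format-List
}

# --- 2. Tenant side: the same keyCredentials query as in the answer, plus accountEnabled.
Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null
$sp = Get-MgServicePrincipal -Filter "appId eq '$MfaClientAppId'" -Property 'Id','AccountEnabled','KeyCredentials'
if (-not $sp) { throw "Service principal for appId $MfaClientAppId not found in this tenant." }
"Service principal $($sp.Id): accountEnabled = $($sp.AccountEnabled)"

$registered = @(foreach ($k in $sp.KeyCredentials) {
    # Same decoding as the answer: Import() accepts the base64 form of the DER-encoded key.
    $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $x.Import([System.Text.Encoding]::UTF8.GetBytes([System.Convert]::ToBase64String($k.Key)))
    [pscustomobject]@{ Thumbprint = $x.Thumbprint; KeyId = $k.KeyId; Start = $k.StartDateTime; End = $k.EndDateTime }
})

# --- 3. Cross-check. A local cert whose thumbprint is not registered is exactly the
#        AADSTS700027 "The key was not found" case from the question.
foreach ($cert in $local) {
    $hit = $registered | Where-Object Thumbprint -eq $cert.Thumbprint
    if ($hit) {
        "OK      $($cert.Thumbprint) is registered (keyId $($hit.KeyId), $($hit.Start) .. $($hit.End))"
    } else {
        "MISSING $($cert.Thumbprint) is not in the tenant's keyCredentials -> re-run AzureMfaNpsExtnConfigSetup.ps1"
    }
}
# Registered keys with no matching local cert are stale (e.g. from another NPS server or an
# earlier run); they do not break anything but explain why the thumbprint in the event log differs.
$registered | Where-Object { $_.Thumbprint -notin $local.Thumbprint } |
    ForEach-Object { "STALE   $($_.Thumbprint) registered in tenant but not present on this server" }
```

Compare the MISSING thumbprint with the "Thumbprint of key used by client" value in the AuthZAdminCh event: if they match, the extension is signing its client assertion with a key the tenant never registered, which is what the setup script re-run fixes.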

