Share via

Latency for getting Azure MFA through NPS (Reason Code : 10 The request was discarded because an extension dll crashed or malfunctioned)

Parshwa Amitkumar Shah 1 Reputation point
2020-06-15T12:36:44.94+00:00

I have users login into FortiGate VPN with Azure MFA authentication, the configuration is done using NPS component and it was working fine for couple of weeks today suddenly the users were facing latency of 1 - 2 mins in receiving MFA push and call notification on MS authenticator app, also they receive multiple notification challenges in MS authenticator app by accepting the challenge user is able to login inside.

Ping response between fortigate VPN and Azure NPS server is efficient.

When checked in Event viewer got below message:

User:
Security ID: NULL SID
Account Name: -
Account Domain: -
Fully Qualified Account Name: -

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -

NAS:
NAS IPv4 Address: -
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: -

RADIUS Client:
Client Friendly Name: RD Gateway
Client IP Address: xxx.xxx.xxx.xxx

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: -
Authentication Provider: -
Authentication Server: xxxx.xx.xxxxx.com
Authentication Type: -
EAP Type: -
Account Session Identifier: 00000001
Reason Code: 10
Reason: The request was discarded because an extension dll crashed or malfunctioned.

Request to resolve this issue or provide steps to troubleshoot for the same.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,964 questions
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marilee Turscak-MSFT 37,061 Reputation points Microsoft Employee
    2020-06-15T20:39:42.223+00:00

    Hi @ParshwaAmitkumarShah-5758 ,

    I've gotten this error for a variety of reasons while using the NPS extension so I'll give several things to try.

    1. It's possible that the request is timing out too soon. In that case, make sure that it's set to at least 60 seconds to give enough time for the request to succeed. 9937-radiustimeout.png
    2. Make sure you have the latest version of the extension installed. Older versions sometimes threw that DLL error. https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg#install-the-nps-extension
    3. Make sure that there aren't any duplicate or old certificates on the server.

    You can check using:

    Get-MsolServicePrincipalCredential -AppPrincipalId "app-principal-id" -ReturnKeyValues 1

    Then you can remove duplicates using:

    Remove-MsolServicePrincipalCredential -AppPrincipalId "app-principal-id" -KeyIds <enterkeyidhere>

    See also the related discussion: https://www.reddit.com/r/AZURE/comments/a0qp5p/azure_mfa_nps_extension_for_rdgateway/

    If you're still having this issue feel free to send your event logs to me at AzCommunity@microsoft.com and I can help troubleshoot.

    Thanks!

    Marilee

    0 comments
  2. Parshwa Amitkumar Shah 1 Reputation point
    2020-06-16T07:09:11.613+00:00

    Thank you @MarileeTurscak for your answer;

    I forgot to mention we also observed in taskbar some process known as "com surrogate" was utilizing the 98% CPU on NPS server because of which we killed the process and restarted the NPS server and the issue got resolved. But again today we are facing the same latency in getting the push and call notification today.

    As prescribed by you we will install the latest version of NPS extension and make sure there are no duplicate or old certificates on the server.

    If the issue still persists we will send the Event logs to you.

    0 comments
  3. Parshwa Amitkumar Shah 1 Reputation point
    2020-06-16T13:44:36.28+00:00

    Hey @MarileeTurscak

    I think the issue is caused due to "com surrogate" process which is taking CPU utilization to 98% and because of which Windows is not able to run any processes.

    Can you please provide me a fix how to deal with high CPU utilization caused by "com surrogate" process.

    Your help in this is highly recommended.

    0 comments
  4. Marilee Turscak-MSFT 37,061 Reputation points Microsoft Employee
    2020-06-16T17:53:33.083+00:00

    Hi @ParshwaAmitkumarShah-5758 ,

    I have seen this happen if there are firewalls in place that run retry services for the RADIUS and over time cause a CPU spike. If the RADIUS auth is retrying frequently (like every 5 or 6 seconds) this can cause the spike.

    To isolate the issue, try stopping the firewall service and restarting the MFA service.

    (Also, it seems like you have already done this, but make sure that you don't have any expired certificates as I've seen this cause this problem before as well.)

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.