{"id":408,"date":"2023-06-29T11:33:12","date_gmt":"2023-06-29T03:33:12","guid":{"rendered":"https:\/\/www.ruianding.com\/blog\/?p=408"},"modified":"2023-08-31T01:51:20","modified_gmt":"2023-08-30T17:51:20","slug":"common-nps-extension-authentication-flow-vpn-rd-gateway","status":"publish","type":"post","link":"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/","title":{"rendered":"Common NPS Extension Authentication Flow (VPN & RD Gateway)"},"content":{"rendered":"\n

VPN with NPS MFA Extension Flow<\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n

1. User \/ VPN Client<\/strong> initiate the connection to VPN Server<\/strong><\/p>\n\n\n\n

2. The VPN Server<\/strong> receives requests from the VPN client<\/strong> and convert the request into a RADIUS<\/strong> to NPS Server<\/strong>.<\/p>\n\n\n\n

3. Both Primary Authentication<\/strong> and Secondary Authentication<\/strong> will happen accordingly<\/p>\n\n\n\n

Primary Auth: NPS Server<\/strong> will perform primary auth for the RADIUS request, against AD DS (Active Directory Domain Service)<\/p>\n\n\n\n

Secondary Auth:<\/strong> NPS MFA Extension<\/strong> triggers a request to Azure MFA<\/strong> for the Secondary Auth. In this stage, it converts the RADIUS request to REST<\/strong><\/a> and authenticate against the AAD tenant.<\/p>\n\n\n\n

4. Azure MFA<\/strong> identifies the default authentication method for the user and send the challenge.<\/p>\n\n\n\n

5. Azure MFA<\/strong> provides responses based on the user’s input. It generates a token that includes a trust assertion, relying on the fact that ESTS trusts anyone who trusts the token.<\/p>\n\n\n\n

6. NPS MFA Extension<\/strong> verifies the secondary authentication response from Azure MFA<\/strong>. Later it converts the response to a RADIUS and forwards it to NPS Server.<\/p>\n\n\n\n

7. NPS Server<\/strong> sends the converted the RADIUS <\/strong>Response to the VPN Server<\/strong><\/p>\n\n\n\n

8. VPN Server<\/strong> forwards the RADIUS response to the VPN Client<\/strong> and the connection completes.<\/p>\n\n\n\n

RD Gateway Sever with NPS MFA Extension Flow<\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n

1. User \/ RDP Client<\/strong> initiate the connection to Remote Desktop Gateway Server<\/strong><\/p>\n\n\n\n

2. The RD Gateway server<\/strong> converts the request into a RADIUS<\/strong> Access-Request<\/span><\/strong> Message and sends the message to the RADIUS Server (Central NPS Server with MFA extension<\/strong>).<\/p>\n\n\n\n

3. Both Primary Authentication<\/strong> and Secondary Authentication<\/strong> will happen accordingly<\/p>\n\n\n\n

Primary Auth: NPS Server<\/strong> will perform primary auth for the RADIUS request, against AD DS (Active Directory Domain Service)<\/p>\n\n\n\n

Secondary Auth:<\/strong> NPS MFA Extension<\/strong> triggers a request to Azure MFA<\/strong> for the Secondary Auth. In this stage, it converts the RADIUS request to REST<\/strong><\/a> and authenticate against the AAD tenant.<\/p>\n\n\n\n

4. Azure MFA<\/strong> identifies the default authentication method for the user and send the challenge.<\/p>\n\n\n\n

5. Azure MFA<\/strong> provides responses based on the user’s input. It generates a token that includes a trust assertion, relying on the fact that ESTS trusts anyone who trusts the token.<\/p>\n\n\n\n

6. NPS MFA Extension<\/strong> verifies the secondary authentication response from Azure MFA<\/strong>. <\/p>\n\n\n\n

7. Central<\/strong> NPS Server<\/strong> sends a RADIUS<\/strong> Access-Accept<\/span><\/strong> message <\/strong>for the RD CAP policy to the Remote Desktop Gateway Server<\/strong><\/p>\n\n\n\n

8. VPN Server<\/strong> forwards the RADIUS response to the VPN Client<\/strong> and the connection completes.<\/p>\n\n\n\n

How does NPS Extension converts the RADIUS Request to REST? How the extension authenticates against AAD tenant?<\/h2>\n\n\n\n

1. During the process, a client certificate is utilized, which is typically a self-signed certificate. The creation of this certificate takes place when the NPS Extension setup scripts are executed.<\/p>\n\n\n\n

* Certificate Subject Name “CN=<TenantID>, OU = Microsoft NPS Extension”<\/strong><\/em>. It stored in the certificate local machine store.<\/p>\n\n\n\n

2. The process involves the participation of the AAD MFA Service Principal.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

* SPN Name Azure Multi-Factor Auth Client<\/em><\/strong>, Applicaiton ID 981f26a1-7f43-403b-a875-f8b09b8cd720<\/em><\/strong><\/p>\n\n\n\n

3. Azure STS verifies the extension credentials and issues a token to the NPS Extension<\/p>\n\n\n\n

* login.microsoftonline.com<\/p>\n\n\n\n

4. Extension passed a REST call to Azure cloud-based MFA using the token issued by ESTS<\/p>\n","protected":false},"excerpt":{"rendered":"

VPN with NPS MFA Extension Flow 1. User \/ VPN Client initiate the connection to VPN Server 2. The VPN Server receives requests from the VPN client and convert the request into a RADIUS to NPS Server. 3. Both Primary Authentication and Secondary Authentication will happen accordingly Primary Auth: NPS Server will perform primary auth […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[41],"tags":[],"class_list":["post-408","post","type-post","status-publish","format-standard","hentry","category-mfa-nps-extension"],"yoast_head":"\nCommon NPS Extension Authentication Flow (VPN & RD Gateway) - \u6781\u7b80IT\uff5cSimpleIT<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Common NPS Extension Authentication Flow (VPN & RD Gateway) - \u6781\u7b80IT\uff5cSimpleIT\" \/>\n<meta property=\"og:description\" content=\"VPN with NPS MFA Extension Flow 1. User \/ VPN Client initiate the connection to VPN Server 2. The VPN Server receives requests from the VPN client and convert the request into a RADIUS to NPS Server. 3. Both Primary Authentication and Secondary Authentication will happen accordingly Primary Auth: NPS Server will perform primary auth […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/\" \/>\n<meta property=\"og:site_name\" content=\"\u6781\u7b80IT\uff5cSimpleIT\" \/>\n<meta property=\"article:published_time\" content=\"2023-06-29T03:33:12+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-08-30T17:51:20+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/06\/image-78.png\" \/>\n<meta name=\"author\" content=\"Ruian Ding\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ruian Ding\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/\"},\"author\":{\"name\":\"Ruian Ding\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"headline\":\"Common NPS Extension Authentication Flow (VPN & RD Gateway)\",\"datePublished\":\"2023-06-29T03:33:12+00:00\",\"dateModified\":\"2023-08-30T17:51:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/\"},\"wordCount\":516,\"publisher\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"image\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/06\/image-78.png\",\"articleSection\":[\"NPS Extension\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/\",\"url\":\"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/\",\"name\":\"Common NPS Extension Authentication Flow (VPN & RD Gateway) - \u6781\u7b80IT\uff5cSimpleIT\",\"isPartOf\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/06\/image-78.png\",\"datePublished\":\"2023-06-29T03:33:12+00:00\",\"dateModified\":\"2023-08-30T17:51:20+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/#primaryimage\",\"url\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/06\/image-78.png\",\"contentUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/06\/image-78.png\",\"width\":1098,\"height\":613},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.ruianding.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Common NPS Extension Authentication Flow (VPN & RD Gateway)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#website\",\"url\":\"https:\/\/www.ruianding.com\/blog\/\",\"name\":\"Ruian's Tech Troubleshooting Toolbox\",\"description\":\"Debug the World.\",\"publisher\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"alternateName\":\"\u4e01\u777f\u5b89\u7684\u6280\u672f\u5206\u4eab\u535a\u5ba2\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.ruianding.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\",\"name\":\"Ruian Ding\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png\",\"contentUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png\",\"width\":284,\"height\":284,\"caption\":\"Ruian Ding\"},\"logo\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/\"},\"description\":\"I am currently a Support Specialist at NIO, focusing on cloud-related issues for NIO Power. Previously, at Microsoft Entra ID, I specialized in identity and access management (IAM), including device registration, Windows Hello for Business (WHfB), multi-factor authentication (MFA), and single sign-on (SSO). In addition to my core expertise, I have a strong foundation in Active Directory, Servers, Cloud Computing, Network Administration, and Front-end Web Development. This diverse technical skill set enables me to effectively handle a wide range of challenges in a fast-paced IT environment.\",\"sameAs\":[\"https:\/\/www.ruianding.com\"],\"url\":\"https:\/\/www.ruianding.com\/blog\/author\/ruiand\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Common NPS Extension Authentication Flow (VPN & RD Gateway) - \u6781\u7b80IT\uff5cSimpleIT","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/","og_locale":"en_US","og_type":"article","og_title":"Common NPS Extension Authentication Flow (VPN & RD Gateway) - \u6781\u7b80IT\uff5cSimpleIT","og_description":"VPN with NPS MFA Extension Flow 1. User \/ VPN Client initiate the connection to VPN Server 2. The VPN Server receives requests from the VPN client and convert the request into a RADIUS to NPS Server. 3. Both Primary Authentication and Secondary Authentication will happen accordingly Primary Auth: NPS Server will perform primary auth […]","og_url":"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/","og_site_name":"\u6781\u7b80IT\uff5cSimpleIT","article_published_time":"2023-06-29T03:33:12+00:00","article_modified_time":"2023-08-30T17:51:20+00:00","og_image":[{"url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/06\/image-78.png","type":"","width":"","height":""}],"author":"Ruian Ding","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Ruian Ding","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/#article","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/"},"author":{"name":"Ruian Ding","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"headline":"Common NPS Extension Authentication Flow (VPN & RD Gateway)","datePublished":"2023-06-29T03:33:12+00:00","dateModified":"2023-08-30T17:51:20+00:00","mainEntityOfPage":{"@id":"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/"},"wordCount":516,"publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"image":{"@id":"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/#primaryimage"},"thumbnailUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/06\/image-78.png","articleSection":["NPS Extension"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/","url":"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/","name":"Common NPS Extension Authentication Flow (VPN & RD Gateway) - \u6781\u7b80IT\uff5cSimpleIT","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/#primaryimage"},"image":{"@id":"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/#primaryimage"},"thumbnailUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/06\/image-78.png","datePublished":"2023-06-29T03:33:12+00:00","dateModified":"2023-08-30T17:51:20+00:00","breadcrumb":{"@id":"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/#primaryimage","url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/06\/image-78.png","contentUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/06\/image-78.png","width":1098,"height":613},{"@type":"BreadcrumbList","@id":"https:\/\/www.ruianding.com\/blog\/common-nps-extension-authentication-flow-vpn-rd-gateway\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.ruianding.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Common NPS Extension Authentication Flow (VPN & RD Gateway)"}]},{"@type":"WebSite","@id":"https:\/\/www.ruianding.com\/blog\/#website","url":"https:\/\/www.ruianding.com\/blog\/","name":"Ruian's Tech Troubleshooting Toolbox","description":"Debug the World.","publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"alternateName":"\u4e01\u777f\u5b89\u7684\u6280\u672f\u5206\u4eab\u535a\u5ba2","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.ruianding.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b","name":"Ruian Ding","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","contentUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","width":284,"height":284,"caption":"Ruian Ding"},"logo":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/"},"description":"I am currently a Support Specialist at NIO, focusing on cloud-related issues for NIO Power. Previously, at Microsoft Entra ID, I specialized in identity and access management (IAM), including device registration, Windows Hello for Business (WHfB), multi-factor authentication (MFA), and single sign-on (SSO). In addition to my core expertise, I have a strong foundation in Active Directory, Servers, Cloud Computing, Network Administration, and Front-end Web Development. This diverse technical skill set enables me to effectively handle a wide range of challenges in a fast-paced IT environment.","sameAs":["https:\/\/www.ruianding.com"],"url":"https:\/\/www.ruianding.com\/blog\/author\/ruiand\/"}]}},"_links":{"self":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/408","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/comments?post=408"}],"version-history":[{"count":5,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/408\/revisions"}],"predecessor-version":[{"id":421,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/408\/revisions\/421"}],"wp:attachment":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/media?parent=408"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/categories?post=408"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/tags?post=408"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}