This week, one of my customers is switching to Azure multi-factor authentication as their only multi-factor authentication solution for their employees. As the organization leverages VMware Horizon, this implementation needs to be switched to Azure MFA as well.
Here’s how we secured their VMware Horizon implementation with Azure MFA through the Azure MFA NPS Extension:
Why use multi-factor authentication for Horizon?
Organizations face multiple challenges, including (but not limited to):
- tackling current consumer cloud adoption problems
- adhering to privacy regulations
- achieving productivity
User cloud adoption problems
Today’s cloud applications and services allow sign-ins with email addresses, as the email address is currently the only truly global identifier for people. However, as cloud applications and services are breached, credential sets fall into the hands of malicious people. Through credential stuffing attacks, they take these leaked credentials and try them against your organization’s public-facing applications and services.
To adhere to privacy regulations, organizations deploy virtual desktop solutions to provide secure means to achieve productivity with the organization’s sensitive data. There are many virtual desktop solutions in the market today, but VMware’s Horizon product is the popular choice for organizations.
1 + 1 = ?
However, when a malicious person gains access to the ‘secure’ productivity platform of an organization through stuffed credentials, the organization has a big problem.
Multiple MFA methods
With Microsoft cloud services on the rise, another problem might also arise: disparate multi-factor authentication methods for users. It’s counter-intuitive for people to have to use one multi-factor authentication method for one system or platform the organization uses, and another method for another. The hassle of keeping more than one method up to date for people who change phone numbers and/or phones yearly grows exponentially with each multi-factor authentication method added.
In my opinion, administrators should get used to multiple multi-factor authentication methods and solutions, to avoid getting locked out when a single multi-factor authentication solution acts up.
Before following the below steps, make sure you meet the following prerequisites:
- Implement one or more additional Windows Server-based virtual machines to act as the Network Policy Server (NPS) Server(s) for Horizon. Make sure they run Windows Server 2016 or newer. Implement the server on the same network as the Active Directory Domain Controllers.
- Provide network connectivity between the new NPS Server(s) and the Horizon implementation. Take care of any routes and firewall configurations. Horizon View’s Connection Server(s) need to reach the NPS Server(s) on UDP1812 and UDP1813.
- Provide network connectivity between the new NPS Server(s) and Azure Active Directory. The NPS Server(s) need TCP80 and TCP443 access to these addresses:
- You need the credentials for an account in Active Directory to join the NPS Server(s) to Active Directory.
- You need the credentials to sign in to the NPS Server with an account that has local administrator privileges.
- You need the credentials to sign in to the Horizon implementation with an account that has administrator privileges and access to Horizon Console.
- You need the credentials for an account in Azure Active Directory that has the Global Administrator role.
- Make sure all user accounts in Active Directory who will use Azure MFA with Horizon are synchronized to Azure Active Directory.
- Make sure all persons who will use Horizon with Azure MFA have completed their one-time registration for Azure Multi-factor Authentication and are assigned the Azure AD Premium P1 stand-alone subscription license or a license bundle that includes Azure AD Premium P1.
- Download the latest version of the NPS Extension for Azure MFA and place it on the disk of the NPS Server(s), so it’s available for installation.
- Download the Visual C++ Redistributable Packages for Visual Studio 2013 (X64) and place it on the disk of the NPS Server(s), so it’s available for installation.
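The following script is an added example and not part of the original post: a read-only check of the prerequisites listed above, run on the new NPS Server before installation starts. The endpoint list holds only login.microsoftonline.com, the one host I am certain the extension needs; extend it with the full address list from the NPS Extension documentation. The installer paths are placeholders for wherever you stored the downloads.

```powershell
# Added example, not part of the original post: checks the prerequisites above on the NPS server.
# Assumptions: $AzureEndpoints is incomplete (only login.microsoftonline.com is listed; add the
# remaining documented hosts), and the installer paths are placeholders.
$AzureEndpoints = @('login.microsoftonline.com')
$Installers     = @(
    'C:\Install\NpsExtnForAzureMfaInstaller.exe',   # placeholder path: NPS Extension for Azure MFA
    'C:\Install\vcredist_x64.exe'                   # placeholder path: Visual C++ 2013 x64 redistributable
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Passed, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = "$Detail" })
}

# Windows Server 2016 is build 14393; the extension is not supported on anything older.
$build = [System.Environment]::OSVersion.Version.Build
Add-Result 'Windows Server 2016 or newer' ($build -ge 14393) "build $build"

# The server must be able to find the domain controllers it will validate credentials against.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
Add-Result "Domain controller SRV records for $domain" ([bool]$srv) ($srv.NameTarget -join ', ')

# TCP80 and TCP443 towards Azure AD are required for the extension to reach the MFA service.
foreach ($endpoint in $AzureEndpoints) {
    foreach ($port in 80, 443) {
        $tnc = Test-NetConnection -ComputerName $endpoint -Port $port -WarningAction SilentlyContinue
        Add-Result "TCP$port to $endpoint" $tnc.TcpTestSucceeded $tnc.RemoteAddress
    }
}

# Install-Module AzureAD talks to the PowerShell Gallery, which only accepts TLS 1.2.
$tls12 = ([Net.ServicePointManager]::SecurityProtocol -band [Net.SecurityProtocolType]::Tls12) -ne 0
Add-Result 'TLS 1.2 enabled for this PowerShell session' $tls12 ([Net.ServicePointManager]::SecurityProtocol)

# Both installers must be on local disk before the install steps start.
foreach ($path in $Installers) {
    Add-Result "Installer present: $(Split-Path $path -Leaf)" (Test-Path $path) $path
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) {
    Write-Warning 'One or more prerequisites are not met; fix them before installing.'
}
```

Run it in an elevated Windows PowerShell session on each NPS Server; a row with Passed = False points at the prerequisite to fix. The UDP1812/UDP1813 path from the Connection Servers is not covered here, as a UDP port cannot be probed reliably from the client side before NPS is listening.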
How to get the Azure AD Tenant ID
The installation of the Azure MFA Adapter needs the Azure AD tenant ID as input. To get this ID, follow these steps:
- Open a web browser.
- Navigate to the Azure AD Portal.
- Sign in with an Azure AD account that has privileges to access the Azure AD data.
As one of the prerequisites is the credentials of an Azure AD account with Global Administrator privileges, you can use that account, but you may opt to use a lesser privileged Azure AD account.
- Perform multi-factor authentication, when prompted.
- In the left navigation pane, click on Azure Active Directory.
- In Azure Active Directory’s navigation pane, click on Properties.
- Copy the value from the Tenant ID field.
- Close the web browser.
How to install the NPS Server
Follow these steps to install the NPS Server with the required components:
- Sign in to the NPS Server with local administrator privileges.
- Start an elevated Windows PowerShell session and issue the following line of Windows PowerShell to join the Windows Server installation to Active Directory:
- After the Windows Server installation reboots, sign in with an Active Directory account that provides local administrator privileges to the NPS Server.
- Start an elevated Windows PowerShell session.
- Run the following line of Windows PowerShell to install the Network Policy and Access Services (NPAS) role:
- Run the following line of Windows PowerShell to install the AzureAD PowerShell Module. Follow the on-screen instructions.
- Install-Module AzureAD
- Run the Visual C++ Redistributable Package for Visual Studio 2013 to install it. Follow the on-screen instructions.
- Run setup.exe from the NPS Extension for Azure MFA to install it. Follow the on-screen instructions.
- Run the following lines of Windows PowerShell to configure the Azure MFA NPS Extension:
- cd "C:\Program Files\Microsoft\AzureMfa\Config"
- When prompted, sign in with the Azure AD account with Global Administrator privileges.
- Paste the Azure AD tenant ID.
- Close the PowerShell window.
Repeat the above steps on the second NPS Server.
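As an added example (not the post's own code), the install steps above as one script that is run twice: once with -Phase Join before the domain-join reboot, and once with -Phase Install afterwards. The domain name and installer paths are placeholders; the script name AzureMfaNpsExtnConfigSetup.ps1 is the configuration script shipped in the extension's Config folder, and the TLS 1.2 line addresses the PowerShell Gallery download error discussed in the comments.

```powershell
# Added example, not the post's own code: the NPS Server install steps as one script.
# Assumptions: $DomainName and the two installer paths are placeholders.
param(
    [ValidateSet('Join', 'Install')]
    [string]$Phase = 'Install'
)
$DomainName   = 'corp.example.com'                              # placeholder
$VcRedistPath = 'C:\Install\vcredist_x64.exe'                   # placeholder path
$NpsExtPath   = 'C:\Install\NpsExtnForAzureMfaInstaller.exe'    # placeholder path
$ConfigDir    = 'C:\Program Files\Microsoft\AzureMfa\Config'

if ($Phase -eq 'Join') {
    # Step 1: join Active Directory; prompts for the AD account allowed to join computers, then reboots.
    $cred = Get-Credential -Message "Account allowed to join computers to $DomainName"
    Add-Computer -DomainName $DomainName -Credential $cred -Restart
    return
}

# Steps after the reboot: an elevated session, signed in with an AD account that is a local admin.
$identity = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated Windows PowerShell session.'
}

# Step 2: the Network Policy and Access Services role, including the NPS management console.
Install-WindowsFeature -Name NPAS -IncludeManagementTools

# Step 3: the AzureAD module. The PowerShell Gallery requires TLS 1.2; -Force skips the
# untrusted-repository prompt so the step runs unattended.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Module -Name AzureAD -Scope AllUsers -Force

# Step 4: the Visual C++ 2013 x64 redistributable, unattended.
Start-Process -FilePath $VcRedistPath -ArgumentList '/install', '/quiet', '/norestart' -Wait

# Step 5: the NPS Extension installer stays interactive, as in the post (follow the on-screen instructions).
Start-Process -FilePath $NpsExtPath -Wait

# Step 6: the extension's own configuration script. It prompts for the Global Administrator
# sign-in and then for the Azure AD tenant ID copied earlier.
Set-Location $ConfigDir
& (Join-Path $ConfigDir 'AzureMfaNpsExtnConfigSetup.ps1')

# Sanity check: the extension keeps its settings under this registry key once configured.
if (Test-Path 'HKLM:\SOFTWARE\Microsoft\AzureMfa') {
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\AzureMfa' | Format-List
} else {
    Write-Warning 'HKLM:\SOFTWARE\Microsoft\AzureMfa not found: the configuration script did not complete.'
}
```

Save it under any name you like (for example Install-AzureMfaNps.ps1, an assumed name), run `.\Install-AzureMfaNps.ps1 -Phase Join` first, and after signing back in run `.\Install-AzureMfaNps.ps1 -Phase Install` on each NPS Server.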
How to configure the NPS Server
Follow these steps to configure the NPS Server settings:
- Open the Network Policy Server management console from either Server Manager’s Tools menu, or the Administrative Tools folder in the Start Menu.
- Right-click the NPS (Local) node in the top left corner of the navigation screen and click on the Register server in Active Directory menu item.
- Next, right-click on the Radius Clients node in the navigation screen. Click New.
The New RADIUS Client window appears.
- Make these changes:
- Select the Enable this RADIUS client option.
- Specify a meaningful value in the Friendly name: field.
- Define the IP address or fully qualified domain name of the Horizon View Connection Server you’d want to configure with Azure MFA in the Address (IP or DNS): field.
- Specify a shared secret in the Shared secret: and the Confirm shared secret: fields. This secret is used to obfuscate the traffic between the Horizon Connection Server and the NPS Server.
- Click OK.
- Create RADIUS clients for each Horizon Connection Server you’d want to configure.
- Next, right-click on the Network Policies node in the navigation screen.
- Duplicate the default Connections to other access servers network policy.
- Assign priority 1.
- Make two changes in the duplicated network policy:
- Check the Policy enabled option in the Policy State area.
- Check the Grant access. Grant access if the connection request matches this policy option in the Access Permission area.
- Save the network policy by clicking OK.
- Close the Network Policy Server management console.
- Sign out.
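The registration and RADIUS client steps above can also be scripted. The following is an added example, not the post's own code, that uses netsh nps to register the server in Active Directory and to create one RADIUS client per Horizon Connection Server with a freshly generated shared secret. The friendly names and addresses are placeholders for your Connection Servers; the network policy from the steps above is still created in the console.

```powershell
# Added example, not the post's own code: register NPS in AD and add the Horizon RADIUS clients.
# Assumptions: the friendly names and addresses are placeholders. One secret is shared by all
# Connection Servers, because Horizon's RADIUS authenticator holds a single Shared Secret value.
$ConnectionServers = [ordered]@{
    'HZN-CS01' = 'cs01.corp.example.com'   # placeholder
    'HZN-CS02' = 'cs02.corp.example.com'   # placeholder
}

function New-RadiusSharedSecret {
    param([int]$Length = 32)
    # Alphanumerics only, so the value pastes into NPS and Horizon unchanged. Bytes of 248 and
    # above are rejected so the modulo does not skew the distribution (248 = 4 * 62).
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars  = New-Object System.Collections.Generic.List[char]
    $buffer = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buffer)
        if ($buffer[0] -lt 248) { $chars.Add($alphabet[$buffer[0] % $alphabet.Length]) }
    }
    -join $chars
}

# Equivalent of right-clicking NPS (Local) > Register server in Active Directory.
netsh nps add registeredserver | Out-Null

# One enabled RADIUS client per Connection Server, all with the same secret.
$secret = New-RadiusSharedSecret
foreach ($entry in $ConnectionServers.GetEnumerator()) {
    netsh nps add client name="$($entry.Key)" address="$($entry.Value)" state="enable" sharedsecret="$secret" | Out-Null
}

# Show the secret exactly once, for pasting into Horizon's RADIUS authenticator, then drop it.
Write-Host "RADIUS shared secret for the Horizon authenticator: $secret"
Remove-Variable secret

# Confirm NPS now lists the clients (netsh does not display the secrets).
netsh nps show client
```

Keep the secret out of scripts and ticket systems: it is the only thing that authenticates the Connection Server to NPS, and a mismatch between the two sides is what produces the Message-Authenticator error mentioned in the comments.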
How to configure VMware Horizon
On the Horizon View Management Server(s), configure the following settings:
- Open Horizon Administrator.
- Navigate to View Configuration, then to Servers.
- On the Connection Servers tab, select a server instance to (re)configure.
- Click Edit.
- Click on the Authentication tab.
- In the Advanced Authentication section, select RADIUS from the drop-down list for the 2-factor authentication value.
- Enable the option Enforce 2-factor and Windows user name matching.
- Enable the option Use the same user name and password for RADIUS and Windows authentication.
- Click the Manage Authenticators… button.
The Manage Authenticators screen appears.
- Click the Add or Edit button in the Manage Authenticators screen.
The Edit RADIUS Authenticator modal screen appears.
- On the Primary Authentication Server tab, specify the following settings:
- Specify the hostname or IP address of the NPS Server.
- For the Authentication type:, specify MSCHAP2.
- Paste the RADIUS shared secret as the Shared Secret: value.
- For the Server timeout: value, specify 10 seconds.
- For the Max attempts: value, specify 1.
- To specify a second NPS Server with the Azure MFA NPS Extension installed, repeat the steps on the Secondary Authentication Server tab.
- Click OK.
- Close Horizon Console.
The Azure MFA NPS Extension proves to be a splendid way to provide multi-factor authentication to VMware Horizon implementations. Now, credential stuffing attacks by malicious persons aren’t something to worry about anymore for the sensitive data handled in Horizon implementations.
Download the NPS Extension for Azure MFA
Configure Firewalls for RADIUS Traffic
Integrate your existing NPS infrastructure with Azure Multi-Factor Authentication
Enable Two-Factor Authentication in Horizon Administrator
The downside of using Azure MFA with NPS is that you cannot use Conditional Access and the CA policies. Do you have any specific guidance on this?
Technically, there are six methods to publish on-premises web-based applications with multi-factor authentication:
Some scenarios are better suited for certain functionality than others, some are more costly.
Some scenarios are more politically acceptable, some play nicer within the current infrastructure.
The choice was made. The consequence is Conditional Access and Identity Protection are not available to them.
Instead of leveraging Conditional Access to determine per-condition MFA, every sign-in requires MFA to Horizon.
You could use Azure MFA Server (I know it's sort of end of life) and use it for RADIUS, then you can use Conditional Access for AAD/O365. Users registered for MFA via MFA Server are not enabled/enforced.
I would not recommend MFA Server.
When you use Azure MFA Server, you end up with two registrations; one in MFA Server, one in Azure MFA.
With the Azure MFA NPS Extension, the registration is good for Conditional Access, Azure AD Identity Protection, Azure AD Self-service Password Reset and, in this case, enforced for Horizon.
Note: the enforcement for Horizon is through the NPS Extension, not the old PhoneFactor portal.
TLS1.0/1.1 support has been removed from the PoSH gallery so some following the guide will hit errors when running the config script without Powershell set to use TLS1.2. TLS1.2 can be set via [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Thanks for the guide, really helpful.
Indeed. I discussed how you can resolve the error ‘Unable to download’ when you try to install the AzureAD or MSOnline PowerShell Module here.
Does this mean one has to choose between MFA (https://account.activedirectory.windowsazure.com/) and conditional access for a usecase that involves a service like a VPN client for regular users?
The PhoneFactor legacy portal and Conditional Access policies govern multi-factor authentication requirements for Azure AD-integrated apps and services.
Unfortunately, most on-premises services and systems, like the VPN solution you mention, do not integrate with Azure AD.
They do use RADIUS. RADIUS through NPS can be enhanced with multi-factor authentication requirements through the NPS extension, mentioned in this blogpost.
Furthermore, you do not specifically have to choose between the PhoneFactor legacy portal and Conditional Access policies to govern multi-factor authentication requirements in other scenarios, too. The 'enforced' status in the PhoneFactor legacy portal for a user takes precedence over Conditional Access policy settings; the person will always need to perform multi-factor authentication. However, as this is a pain to manage in two separate portal experiences, my recommendation is to migrate everything over to Conditional Access, if the tenant is equipped with Premium licenses.
Great article and easy to follow. I know this question may sound silly, but when prompted to authenticate on the Horizon client, what should the user enter to test authentication? I'm assuming it would be the network password and then they get a second authentication where they need to enter their MFA information, but I could be wrong.
The end user enters the domain credentials (user name and password) in the Horizon client sign-in interface.
After successful validation by the NPS server with Active Directory of these credentials, the NPS MFA Extension on the NPS server calls the multi-factor authentication method that is specified as the preferred method in Azure AD.
Thanks Sander, I keep getting error An Access-Request message was received from RADIUS client x.x.x.x with a Message-Authenticator attribute that is not valid. any ideas where the issue might be?
This might be due to several issues:
Thanks for your suggestions. I was able to get it to work. What I did for my environment is I did not enable RADIUS on the connection server but did enable RADIUS on the UAG, tested, and it worked. We are only concerned with MFA for external connections, not in the offices. Again, thanks for this article; it helped me set this up on my own.
I am working on the same thing for some RADIUS services. I do have one question though. If Azure MFA goes down for some reason or becomes unavailable to your NPS server then is there a way to ensure redundancy for logins so people aren't locked out of these services?
When the NPS server can't reach the Azure MFA service, authentications fail.
More likely, the reason for such an event would be a firewall issue or a networking issue, as the Azure MFA Service has had a global overhaul in the past year since the last MFA Service outages. When it is indeed a networking issue, remote users will likely not be able to reach the service your organization has protected with NPS, either. You could also experience a situation where a malicious person blocks access to the Azure MFA service, expecting the organization to forego authentication protection measures, like MFA.
I feel there are three questions to take into consideration:
For continuity, you might want to opt to use smartcards and/or certificate authentication for certain on-premises scenarios, create emergency access accounts and/or provide certain admins with a different multi-factor authentication method. Of course, these alternative access methods require their own measures to live up to the expectations and instructions for information security.
Hi, are the MFA logs in Azure available to be read via Graph API?
MFA prompts for sign-ins through NPS are available in the Azure AD SigninLogs.
These SigninLogs can be retrieved using the Microsoft Graph.
Sander, great post and very helpful. We are running into an issue where the RADIUS request is quickly rejected and we find an error in the Event Log of "NPS Extensions for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State." Any thoughts on what might be causing this error?
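The two errors quoted in the comments (the invalid Message-Authenticator attribute and "NPS Extensions for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State") are easier to triage with the NPS decisions and the extension's own log side by side. The following script is an added example, not from the original post: it summarizes granted and denied RADIUS requests from the Security log and lists recent entries from the extension's operational log. The channel name Microsoft-AzureMfa-AuthZ/AuthZOptCh and the System-log provider name NPS are taken from my own troubleshooting experience and are treated as assumptions; if either is absent on your server, that part is skipped silently.

```powershell
# Added example, not from the original post: triage rejected RADIUS requests on an NPS server
# running the Azure MFA NPS Extension. Assumptions: the extension's log channel name and the
# 'NPS' provider name in the System log; both reads are skipped if the names do not exist.
param([int]$Hours = 4)
$since = (Get-Date).AddHours(-$Hours)

function Get-NpsDecision {
    param([datetime]$Since)
    # 6272 = NPS granted access, 6273 = NPS denied access; both carry client, policy and reason.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $outcome = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Outcome    = $outcome
            User       = $data['SubjectUserName']
            Client     = $data['ClientName']
            ClientIP   = $data['ClientIPAddress']
            Policy     = $data['NetworkPolicyName']
            ReasonCode = $data['ReasonCode']
            Reason     = $data['Reason']
        }
    }
}

function Get-MfaExtensionEntry {
    param([datetime]$Since)
    # Assumed channel name for the extension's operational log (see lead-in).
    $log = 'Microsoft-AzureMfa-AuthZ/AuthZOptCh'
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Level = $_.LevelDisplayName; Message = ($_.Message -split "`n")[0] }
        }
}

function Get-MessageAuthenticatorError {
    param([datetime]$Since)
    # An invalid Message-Authenticator means the HMAC computed with the client's shared secret did
    # not match: the RADIUS client entry in NPS and the Horizon side disagree on the secret.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NPS'; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Message-Authenticator' } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

$decisions = Get-NpsDecision -Since $since
"Denied requests by reason (last $Hours h):"
$decisions | Where-Object Outcome -eq 'Denied' | Group-Object ReasonCode, Reason |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

"Denied requests by RADIUS client:"
$decisions | Where-Object Outcome -eq 'Denied' | Group-Object ClientIP | Format-Table Count, Name -AutoSize

"Shared-secret (Message-Authenticator) errors:"
Get-MessageAuthenticatorError -Since $since | Format-Table -AutoSize

"Azure MFA NPS Extension log entries:"
Get-MfaExtensionEntry -Since $since | Where-Object Level -ne 'Information' | Format-Table -AutoSize
```

Read the output top down: a Message-Authenticator entry points at the shared secret for that client; a denial with a reason about the network policy points at the duplicated policy's state or access permission; and an extension entry about "AccessAccept State" means the request reached the extension without NPS having granted primary authentication first, so the matching network policy is what to re-check.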
Does this setup apply to both the VDI users as well as the admins of VDI (that use the Horizon Console)? If not, how does one ensure Admins of VDI are forced to use MFA?
Great article. Worked great to enable Azure based MFA on my Horizon connection broker. I already had NPS setup for a VPN connection and after following these steps, my VPN automatically used MFA as well. That is fine for this VPN, but is there a way that I can add standard RADIUS clients that don't use MFA after deploying the NPS extension? Another thing I noticed is that after approving the horizon login via Authenticator app, it hangs on authenticating within Horizon for 10-15 seconds before showing my available pools of desktops. Is this expected behavior?
NPS is now end of life. Are there any other ways to integrate with Azure AD MFA?