- CheckMates
- :
- Products
- :
- Quantum
- :
- Remote Access VPN
- :
- Connecting to Remote access vpn , not getting prom...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Connecting to Remote access vpn , not getting prompted fore 2Fa
hello i have configured remote access vpn to work with azure active directory.
when i connect my endpoint client i can successfully login but im Not getting any 2Fa prompting.
does anyone know where i can look to verify my settings for this?
would this be something on the azure portal side?.
any suggestions?
thanks,
- Labels:
-
Mobile Access Blade
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
we also just noticed during some initial testing that any subsequent vpn login attempt do not even ask for credentials of any sort? i have no idea how the endpoint client is even connecting . something must be cached somewhere? it is now connecting without any credential input request.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If its on CP side, then its on gateway properties, vpn -> authentication
Andy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i belive this to be azure issue there is a property that gets set on the client workstation .
it can be verified by running dsregcmd /status op the workstation
under the single sign on section there is the following property
AzureAdPrt : YES
If this property is set to yes it will essentially bypass the conditional access policy / request for MFA.
my workstaion
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : YES
AzureAdPrtUpdateTime : 2022-05-18 20:56:09.000 UTC
AzureAdPrtExpiryTime : 2022-06-02 00:59:03.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/4e3b121b-1d6b-491c-873e-95e5f3eec8e0
EnterprisePrt : NO
EnterprisePrtAuthority :
OnPremTgt : NO
CloudTgt : YES
KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
some images of the login process . (attached)
as you can see i never get prompted for MFA or credentials.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What identity provider are you using? I tested this before with a colleague and worked fine. I still have it in my lab I believe.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Azure
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We were using another one (cant think of a name now), but never had this problem. Are there some settings in Azure portal that might be missing? I find it odd that you dont even get a prompt, I got a feeling there is something simple being omitted here.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
will check with Microsoft support .will report back what i find out .
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please do, because more and more people use cloud stuff now days, so any solution shared is big help.
Cheers.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the response from Microsoft. Does anyone know how I can add this parameter?
@the_rock wrote:
Please do, because more and more people use cloud stuff now days, so any solution shared is big help.
Cheers.
Thank you for posting your question on Microsoft Q&A.
This could happen when your device is registered/Azure AD joined/hybrid joined to your organization's Azure AD, in case of which a PRT (Primary Refresh Token) is issued to the device. The PRT is then used to provide a seamless single sign-on experience by automatically signing in with the account used to log in to the device. If there was MFA prompted initially in the process of device registration/Azure AD joined/hybrid joined, then even MFA claim is stored in PRT.
Now, whenever user tries to access any application from this device, and if there is any conditional access policy which is configured to prompt for MFA while accessing, then Azure AD will make use of this PRT and both first factor authentication and MFA will not be prompted as PRT contains the MFA claim in it.
You can refer below article to know how PRT is utilized during app token requests,
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#prt-us...
To require users in your organization's directory to prompt for MFA every time they access the application, you need to update your application code to include forceAuthn="true" parameter in the authentication request. This is an SAML parameter that forces interactive authentication regardless of whether a valid PRT and/or Cookies are present or not.
Read more: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol