This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nflnetwork29
Advisor
‎2022-05-18 11:52 AM

Connecting to Remote access vpn , not getting prompted fore 2Fa

hello i have configured remote access vpn to work with azure active directory. 

when i connect my endpoint client i can successfully login but im Not getting any 2Fa prompting. 

does anyone know where i can look to verify my settings for this?

would this be something on the azure portal side?.

any suggestions?

 

thanks, 

Labels
0 Kudos
10 Replies
nflnetwork29
Advisor
‎2022-05-18 02:30 PM

we also just noticed during some initial testing that any subsequent vpn login attempt do not even ask for credentials of any sort? i have no idea how the endpoint client is even connecting . something must be cached somewhere? it is now connecting without any credential input request. 

0 Kudos
(1)
the_rock
MVP Platinum
MVP Platinum
‎2022-05-18 06:24 PM
In response to nflnetwork29

If its on CP side, then its on gateway properties, vpn -> authentication

Andy

Best,
Andy
0 Kudos
nflnetwork29
Advisor
‎2022-05-18 07:42 PM
In response to the_rock

i belive this to be azure issue there is a property that gets set on the client workstation . 

 

it can be verified by running dsregcmd /status op the workstation

 

under the single sign on section there is the following property

AzureAdPrt : YES

If this property is set to yes it will essentially bypass the conditional access policy / request for MFA. 

 

my workstaion


+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

AzureAdPrt : YES
AzureAdPrtUpdateTime : 2022-05-18 20:56:09.000 UTC
AzureAdPrtExpiryTime : 2022-06-02 00:59:03.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/4e3b121b-1d6b-491c-873e-95e5f3eec8e0
EnterprisePrt : NO
EnterprisePrtAuthority :
OnPremTgt : NO
CloudTgt : YES
KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342

 

 

0 Kudos
nflnetwork29
Advisor
‎2022-05-19 06:26 AM
In response to nflnetwork29

some images of the login process . (attached) 

as you can see i never get prompted for MFA  or credentials. 

 

 

 

 

Preview file
95 KB
Preview file
45 KB
Preview file
54 KB
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-05-19 06:39 AM
In response to nflnetwork29

What identity provider are you using? I tested this before with a colleague and worked fine. I still have it in my lab I believe.

Best,
Andy
0 Kudos
nflnetwork29
Advisor
‎2022-05-19 06:41 AM
In response to the_rock

Azure

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-05-19 06:43 AM
In response to nflnetwork29

We were using another one (cant think of a name now), but never had this problem. Are there some settings in Azure portal that might be missing? I find it odd that you dont even get a prompt, I got a feeling there is something simple being omitted here.

Best,
Andy
0 Kudos
nflnetwork29
Advisor
‎2022-05-19 06:45 AM
In response to the_rock

will check with Microsoft support .will report back what i find out . 

 

the_rock
MVP Platinum
MVP Platinum
‎2022-05-19 06:46 AM
In response to nflnetwork29

Please do, because more and more people use cloud stuff now days, so any solution shared is big help.

 

Cheers.

Best,
Andy
0 Kudos
nflnetwork29
Advisor
‎2022-07-18 06:42 AM
In response to the_rock

Here is the response from Microsoft. Does anyone know how I can add this parameter?

@the_rock wrote:

Please do, because more and more people use cloud stuff now days, so any solution shared is big help.

 

Cheers.

Thank you for posting your question on Microsoft Q&A.

This could happen when your device is registered/Azure AD joined/hybrid joined to your organization's Azure AD, in case of which a PRT (Primary Refresh Token) is issued to the device. The PRT is then used to provide a seamless single sign-on experience by automatically signing in with the account used to log in to the device. If there was MFA prompted initially in the process of device registration/Azure AD joined/hybrid joined, then even MFA claim is stored in PRT.

Now, whenever user tries to access any application from this device, and if there is any conditional access policy which is configured to prompt for MFA while accessing, then Azure AD will make use of this PRT and both first factor authentication and MFA will not be prompted as PRT contains the MFA claim in it.

You can refer below article to know how PRT is utilized during app token requests,
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#prt-us...

To require users in your organization's directory to prompt for MFA every time they access the application, you need to update your application code to include forceAuthn="true" parameter in the authentication request. This is an SAML parameter that forces interactive authentication regardless of whether a valid PRT and/or Cookies are present or not.

Read more: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events