Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
nflnetwork29
Advisor

Connecting to Remote access vpn , not getting prompted fore 2Fa

hello i have configured remote access vpn to work with azure active directory. 

when i connect my endpoint client i can successfully login but im Not getting any 2Fa prompting. 

does anyone know where i can look to verify my settings for this?

would this be something on the azure portal side?.

any suggestions?

 

thanks, 

0 Kudos
10 Replies
nflnetwork29
Advisor

we also just noticed during some initial testing that any subsequent vpn login attempt do not even ask for credentials of any sort? i have no idea how the endpoint client is even connecting . something must be cached somewhere? it is now connecting without any credential input request. 

0 Kudos
(1)
the_rock
Legend
Legend

If its on CP side, then its on gateway properties, vpn -> authentication

Andy

0 Kudos
nflnetwork29
Advisor

i belive this to be azure issue there is a property that gets set on the client workstation . 

 

it can be verified by running dsregcmd /status op the workstation

 

under the single sign on section there is the following property

AzureAdPrt : YES

If this property is set to yes it will essentially bypass the conditional access policy / request for MFA. 

 

my workstaion


+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

AzureAdPrt : YES
AzureAdPrtUpdateTime : 2022-05-18 20:56:09.000 UTC
AzureAdPrtExpiryTime : 2022-06-02 00:59:03.000 UTC
AzureAdPrtAuthority : https://login.microsoftonline.com/4e3b121b-1d6b-491c-873e-95e5f3eec8e0
EnterprisePrt : NO
EnterprisePrtAuthority :
OnPremTgt : NO
CloudTgt : YES
KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342

 

 

0 Kudos
nflnetwork29
Advisor

some images of the login process . (attached) 

as you can see i never get prompted for MFA  or credentials. 

 

 

 

 

0 Kudos
the_rock
Legend
Legend

What identity provider are you using? I tested this before with a colleague and worked fine. I still have it in my lab I believe.

0 Kudos
nflnetwork29
Advisor

Azure

0 Kudos
the_rock
Legend
Legend

We were using another one (cant think of a name now), but never had this problem. Are there some settings in Azure portal that might be missing? I find it odd that you dont even get a prompt, I got a feeling there is something simple being omitted here.

0 Kudos
nflnetwork29
Advisor

will check with Microsoft support .will report back what i find out . 

 

the_rock
Legend
Legend

Please do, because more and more people use cloud stuff now days, so any solution shared is big help.

 

Cheers.

0 Kudos
nflnetwork29
Advisor

Here is the response from Microsoft. Does anyone know how I can add this parameter?


@the_rock wrote:

Please do, because more and more people use cloud stuff now days, so any solution shared is big help.

 

Cheers.


Thank you for posting your question on Microsoft Q&A.

This could happen when your device is registered/Azure AD joined/hybrid joined to your organization's Azure AD, in case of which a PRT (Primary Refresh Token) is issued to the device. The PRT is then used to provide a seamless single sign-on experience by automatically signing in with the account used to log in to the device. If there was MFA prompted initially in the process of device registration/Azure AD joined/hybrid joined, then even MFA claim is stored in PRT.

Now, whenever user tries to access any application from this device, and if there is any conditional access policy which is configured to prompt for MFA while accessing, then Azure AD will make use of this PRT and both first factor authentication and MFA will not be prompted as PRT contains the MFA claim in it.

You can refer below article to know how PRT is utilized during app token requests,
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#prt-us...

To require users in your organization's directory to prompt for MFA every time they access the application, you need to update your application code to include forceAuthn="true" parameter in the authentication request. This is an SAML parameter that forces interactive authentication regardless of whether a valid PRT and/or Cookies are present or not.

Read more: https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-saml-protocol

0 Kudos