Citrix NetScaler Gateway: NPS Extension for Azure MFA Fails After Introducing the Microsoft Domain Controller Security Baseline


    by Marco Hofmann, CTA

    Microsoft offers a useful set of security baseline GPOs for direct use in your Active Directory environment. If you apply the “MSFT Windows Server 2022 – Domain Controller” policy, your NPS installation might start to fail.


    Many of you probably have a Citrix NetScaler Gateway installation based on the following concept:

    Manuel Winkel (deyda): Microsoft Azure MFA Cloud Service in Citrix ADC

    Thomas Preischl: Citrix ADC / Netscaler Azure MFA Authentication

    Those articles describe how to implement Azure MFA with Microsoft Authenticator App push OTP and an on-premises Microsoft NPS server without using SAML. Avoiding SAML is necessary if you use the ICAProxy Gateway-only license for Citrix NetScaler Gateway.

    The Error

    While implementing the Microsoft security baselines at a customer’s site, we also introduced the Domain Controllers security baseline called:


    MSFT Windows Server 2022 – Domain Controller

    (Screenshot: MSFT Windows Server 2022 - Domain Controller)

    A few minutes later, the external Citrix NetScaler Gateway authentication stopped working. Users would only receive the error:


    Unknown username or password

    (Screenshot: Citrix NetScaler Gateway - Login Failed)

    Troubleshooting on the Citrix NetScaler Gateway through the aaad.debug showed the following error:


    (Screenshot: aaad.debug output showing the MS-CHAP error)


    While the event viewer on the NPS server told us:

    NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User Marco.Hofmann with response state AccessReject, ignoring request.

    (Screenshot: NPS Extension for Azure MFA event log entry)

    The Solution

    The errors weren’t helpful at all. We spent far too much time searching for an indicator of what the issue might be. We knew it had to be related to the Domain Controller security baseline. Finally, we stumbled upon the following post from serverfault.com:


    One of my colleagues was at a Microsoft conference having various discussions when it dawned on him that MSCHAPv2 relies on NTLM to generate the password challenges and responses. Now plain old MSCHAP and MSCHAPv2 (i.e. not EAP-MSCHAPv2 or PEAP) when used in Windows RAS services will use NTLMv1 by default.

    As many of you have already started to catch on, we, like many administrators, have disabled NTLMv1 on our DCs and as such the DCs will only accept NTLMv2 requests. This explains why the failure I continued to get was a “bad password” error. The password being sent to the DCs was in NTLMv1 format and was getting ignored.

    That post then leads to a Microsoft article with the solution:


    For example, when you set this value to 5 (Send NTLMv2 response only. Refuse LM & NTLM), the DC won’t accept any requests that use NTLM authentication. When MS-CHAP or MS-CHAPv2 are configured, RAS in Windows Server 2008 R2 will default to NTLM to hash the password. Because the DC only accepts NTLMv2, the request will be denied.

    Microsoft NPS on Windows Server 2019 and 2022 still uses NTLMv1 by default when MS-CHAPv2 is configured. The MSFT Windows Server 2022 – Domain Controller security baseline turns off NTLMv1 on your Domain Controllers, which breaks your NPS server.

    To enable NTLMv2 for MS-CHAPv2, set the following registry value on your NPS server and restart the NPS service; authentication will then start working again:

    Windows Registry Editor Version 5.00

    "Enable NTLMv2 Compatibility"=dword:00000001

    (Screenshot: Enable NTLMv2 Compatibility registry value)
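    As an added example (not from the original post), the following PowerShell script checks whether the NPS server has the NTLMv2 compatibility value set and compares it against the LmCompatibilityLevel of the given Domain Controllers, so you can see the mismatch before users hit "Unknown username or password". It assumes the value lives under the RemoteAccess\Policy key that Microsoft documents for RAS/NPS (the post shows only the value name) and that the NPS service is named IAS.

```powershell
# Added example, not from the original post. Assumptions: the 'Enable NTLMv2 Compatibility'
# value is under HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy (Microsoft's
# documented RAS/NPS key; the post shows only the value name), and the NPS service is 'IAS'.
# Run on the NPS server as an administrator.
param(
    [string[]]$DomainController = @(),   # optional DCs to query for LmCompatibilityLevel
    [switch]$Remediate                   # set the value and restart NPS when it is missing
)

$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy'
$valueName = 'Enable NTLMv2 Compatibility'

function Get-NpsNtlmv2Compatibility {
    # Returns 1 when NPS hashes MS-CHAPv2 with NTLMv2, 0 when explicitly off, $null when unset.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Get-DcLmCompatibilityLevel {
    param([string]$ComputerName)
    # LmCompatibilityLevel 5 = "Send NTLMv2 response only. Refuse LM & NTLM" (the baseline setting).
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    }
}

$nps = Get-NpsNtlmv2Compatibility
Write-Host ("NPS '{0}' = {1}" -f $valueName, $(if ($null -eq $nps) { 'not set' } else { $nps }))

foreach ($dc in $DomainController) {
    $level = Get-DcLmCompatibilityLevel -ComputerName $dc
    # Only level 5 makes the DC refuse NTLMv1, which is what breaks MS-CHAPv2 via NPS.
    $flag = if ($level -eq 5 -and $nps -ne 1) { '  <-- MS-CHAPv2 via NPS will fail here' } else { '' }
    Write-Host ("{0}: LmCompatibilityLevel = {1}{2}" -f $dc, $level, $flag)
}

if ($nps -ne 1) {
    if ($Remediate) {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
        Restart-Service -Name IAS        # NPS only picks up the value after a service restart
        Write-Host 'Set value to 1 and restarted NPS.'
    } else {
        Write-Warning 'NTLMv2 compatibility is not enabled; rerun with -Remediate to set it.'
    }
}
```

    Run it as `.\Check-NpsNtlmv2.ps1 -DomainController DC01,DC02` to report, and add `-Remediate` to apply the registry value and restart NPS.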

    I hope this will help someone else!





    User Feedback

    Recommended Comments

    Thank you so much. For a later very explainable reason this happened to us when rebooting the NPS servers. First time it happened we rebooted and everything worked again. Well, that's fine. But then again.


    We didn't have all the symptoms as you described and the main thing was to be able to reproduce this problem.

    What we did was point the Netscaler NPS load balancer to 1 NPS server and use this command line to change the domain controller. FYI: Systeminfo and checking the logonserver is not up to date. That is set at logon and doesn't change anymore.


    Checking current DC: nltest /dsgetdc:domainname


    Change DC on NPS-01: nltest /Server:NPS-01 /SC_RESET:domainname\DC01


    So we found out: DC1 doesn't work, DC2 doesn't work, DC3 works. And the MS-CHAPv2 was the main difference because of hardening. Enabled the registry key and now DC1 and 2 are also working.


    In my case the problem was related to the user's password. It contained a question mark... and this somehow broke it....