Jump to content
Welcome to our new Citrix community!

Expired Password Changes with Azure MFA, RADIUS, and NPS Extension

Recommended Posts

We have a hybrid Office 365 environment with our users one-way synced to Azure AD. Today we a NetScaler ADC along with a Microsoft Azure MFA Stand-alone server deployed on-prem to handle remote ICA connections. Our remote users are a mix of browser based, native Receiver, and Wyse ThinOS. We want to migrate our users away from the Stand-alone MFA server to cloud-based Azure MFA. We are having a problem implementing this because we are unable to get expired password resets working with RADIUS and NPS.


Today the NetScaler Gateway is configured for LDAPS authentication to the stand-alone MFA server. If a user's password is expired, the browser and thin client both get prompts to set a new password. The password gets set and everyone moves on with their day. I found found conflicting information about RADIUS and NPS and if this is even possible. This Citrix article leads me to believe it is.


I've created a Microsoft NPS server, installed the Azure MFA NPS Extension, ran the scripts, configured the NPS and NetScaler policies and my test users can successfully authenticate. I set a user's password as expired and authentication fails. The Security event log on the NPS server states it failed because the password was set to expire. If I clear the box in AD, the user can authenticate again.


If you have the Azure MFA with RADIUS and NPS Extension configured for your NetScaler Gateway, how is it working? Can your web and WTOS users change their expired passwords?

Link to comment
Share on other sites

  • 2 weeks later...

One way is to enable encryption on the radius traffic (NPS server setting + specify encryption in Radius Action on Netscaler), which should solve the issue for you.


The other way is to configure LDAP + Radius authentication (both) on Netscaler, where LDAP auth is performed first. This will allow password changes to be made (and this is regular LDAP, no Radius). The Radius auth is then purely for MFA authentication (and not password changes). There will be no change in behaviour for end-users (still only 1 prompt).

Link to comment
Share on other sites

  • 3 months later...

Did you find a solution to this? We're having the same issue, however I think it's the MFA Extension for NPS that is the problem. With MFA configured, it seems to ignore the policy settings to allow for expired password changes.


EDIT: I found the answer...unfortunately it's not supported with the MFA Extension.




Why cannot I sign in?

Check that your password hasn't expired. The NPS Extension does not support changing passwords as part of the sign-in workflow. Contact your organization's IT Staff for further assistance.

Edited by cgladma256
Found the answer
Link to comment
Share on other sites

  • 2 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...