Enabling MFA on Microsoft SSTP VPN
- Category: Blog
- Published: Saturday, 03 October 2020 15:37
- Written by Lars Berntzon
- Hits: 785
By turning on MFA for the microsoft SSTP VPN solution you will greatly improve the security since it basically stops anyone on internet from trying to login, they will also need the second factor to get it. With O365 you can turn on MFA authentication for most services including VPN (for a fee of course).
Problems that can occur:
If the script .\AzureMfaNpsExtnConfigSetup.ps1, fails complaining it can not connect to MSOOnline, try to test that separate step by running from powershell:
If that fails complaining about not being able to connect to the powershell gallery, try the below:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Another problem often occuring on windows servers is that IE, that is as the default html browser, is locked down so hard it can't open any pages at all. I suggest turning this off temporary during installtion for administrators. This is done via server manager -> "Configuer this local server" and there turn off "IE Enhanced Security Configuration".
Something that microsoft kind of not mention so much is that you MUST use the authenticator app, not not use one-time passwords, but allowing access by accepting via the app. I struggled for month to get this working when I realized that this was the problem.
Also, the NPS must not also be running on another server than the machine running the RRAS. This is because the plugin for NPS otherwise causes an infinite loop of authentications.