Azure MFA NPS Extensions with NetScaler nFactor Authentication

Azure MFA (Multi-Factor Authentication) is fast becoming a topic of discussion with pretty much all my customers, even those that already have an MFA solution in place but are realising they may already be entitled to Microsoft’s offering as part of the +Security bundles within the Office 365 space.

The addition of the Azure NPS extensions into the product set simplifies the implementation and discussions yet again, as we can now leverage existing servers to provide the RADIUS endpoints for services such as NetScaler to authenticate against.

In this post, I am going to configure NetScaler nFactor Authentication to simplify the on-boarding of Azure MFA Authentication via the NPS Extensions with load balanced RADIUS Servers.

My setup for this guide consists of the following components:

  • 2 x NPS Servers with the Azure MFA Extensions
  • 2 x NetScaler VPX Appliances with Enterprise Licencing
  • 1 x AAA vServer
  • 1 x RADIUS LB vServer
  • 1 x Access Gateway vServer (Unified Gateway)

Setting up Azure MFA, NPS roles and extensions

Firstly, Christiaan Brinkhoff has a fantastic article here on which I base my initial configuration. I am not going to reinvent the wheel; his work is always exceptional, so that is the starting point for NPS.

I suggest starting with his article, as the only point of change here is once we reach the NetScaler configuration, with a few exceptions noted below:

  • My configuration includes multiple NPS Servers for redundancy
  • Because I am load balancing the NPS servers via NetScaler, the NPS Servers need the relevant NetScaler SNIP registered as a RADIUS Client. I add the NSIP of each NetScaler as well as the SNIP.

This configuration is based on a NetScaler Enterprise Licence; if you do not have Enterprise, you will need to configure traditional Authentication Policies instead.

Setting up Load Balancing for the NPS Servers

Once you have configured both NPS Servers, it’s time to set up RADIUS load balancing on the NetScaler.

Once again, there is already a documented step-by-step guide by Carl Stalhood (Surprise!) here for RADIUS load balancing. Follow this to get started, and pay attention to the load balancing Method mentioned.

Note that if you are using an earlier version of NetScaler than 12, Carl has guides available for those as well.
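
As an added example that is not part of this post or Carl’s guide, the following NetScaler CLI commands build the RADIUS load balancer described above for the two NPS servers. Server names, addresses, the VIP and the shared secret are constructed placeholders. The load balancing method and persistence both key on the RADIUS User-Name so that every packet of one logon attempt (including the Access-Challenge round trip used for the SMS PIN) reaches the same NPS server:

```text
# Added example (constructed names/addresses): RADIUS load balancing of two NPS servers
# Prerequisite from the post: the NetScaler SNIP (and NSIPs) must be RADIUS Clients on both NPS servers

add server NPS01 10.0.0.11
add server NPS02 10.0.0.12

# One service group for RADIUS authentication (UDP/1812)
add serviceGroup SG_RADIUS_NPS RADIUS
bind serviceGroup SG_RADIUS_NPS NPS01 1812
bind serviceGroup SG_RADIUS_NPS NPS02 1812

# The default ping monitor is kept here on purpose: a RADIUS logon monitor sends real
# Access-Requests, and the Azure MFA NPS extension treats those like any other user logon.

# LB vServer: TOKEN method on the RADIUS username, and RULE persistence on the same expression,
# so retransmits and challenge/response follow-ups for one user land on the same NPS server
add lb vserver LB_RADIUS_NPS RADIUS 10.0.0.20 1812 -lbMethod TOKEN -rule CLIENT.UDP.RADIUS.USERNAME -persistenceType RULE
bind lb vserver LB_RADIUS_NPS SG_RADIUS_NPS
```

The VIP 10.0.0.20 is then what the RADIUS authentication server object on the AAA side points at, which keeps the NPS shared secret and client list identical on both NPS servers.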

Configuring NetScaler nFactor Authentication

Why nFactor for this type of deployment? Primarily, believe it or not, it is its simplicity when integrating with multiple client types, the lack of any need for rewrite policies on the authentication pages, and support for whatever theme you want.

As per Citrix Documentation on nFactor:

“nFactor authentication enables a whole new set of possibilities with respect to authentication. Administrators using nFactor enjoy authentication, authorization, and auditing (AAA) flexibility when configuring authentication factors for virtual servers”

“Traditionally, Citrix clients (including Browsers and Receivers) use the active directory (AD) password as the first password field. The second password is usually reserved for the One-Time-Password (OTP). However, in order to secure AD servers, OTP is required to be validated first. nFactor can do this without requiring client modifications.”

Create Authentication Virtual Server

Go to Security -> AAA – Application Traffic -> Virtual Servers.

Create a non-addressable Authentication vServer.

Auth vServer 1
Non-addressable Authentication Virtual Server

Bind your Certificate as normal. Skip through the other settings for now.

Auth vServer 2
Authentication vServer created and in an Up state

Add an LDAP and RADIUS Authentication Server Profile

Go to Security -> AAA – Application Traffic -> Policies -> Authentication -> Basic Policies -> LDAP

Select Servers and create an LDAP Server if you don’t have one.

LDAP Profile 1
LDAP(S) Authentication Server

Go to Security -> AAA – Application Traffic -> Policies -> Authentication -> Basic Policies -> RADIUS.

Select Servers and create a RADIUS Server if you don’t have one (I use the NetScaler VIP created as my RADIUS LB).

Ensure that your RADIUS profile has the appropriate time-out, NAS ID and password encoding set.

RADIUS Server 1
RADIUS Server – Note Time-Out, NAS ID and Password Encoding Type

Once completed, confirm your Server object exists.

RADIUS Profile 1
RADIUS Authentication Server

Add LDAP and RADIUS Authentication Policies

Go to Security -> AAA – Application Traffic -> Policies -> Authentication -> Advanced Policies -> Authentication Policies.

Add two policies: one for LDAP and one for RADIUS. Set the Request Server to the Authentication Servers you created previously, and set the expression to true.

Auth Policies 1
Advanced Authentication Policies – LDAP and RADIUS

Create an Authentication Login Schema Profile and Policy

Go to Security -> AAA – Application Traffic -> Login Schema.

Select the Profiles tab and click the Add button.

Login Schema 1
New Authentication Login Schema

Select the pencil next to the noschema default entry under Authentication Schema:

Choose the SingleAuth.xml entry as your starting template.

Select Edit on the right-hand side.

Login Schema 2
SingleAuth.xml Schema Template

Give the Schema Profile a name and edit any fields you want to alter.

Login Schema 3
Custom Schema Profile Fields

Select Save.

Ensure that you select your new template and then select Create. Do this by pressing Select on the right-hand side.

Login Schema 4
Ensure you select the new Schema

Confirm the Login Schema Profile is created.

Login Schema 5
Login Schema Profile created

Select the Policies tab and click the Add button.

Give the Policy a name and select the Profile you just created.

Give the rule a value of true.

Login Schema Policy 1
New Login Schema Policy

Select Create.

Confirm the new policy is created.

Login Schema Policy 2
Login Schema Policy created

Create a Policy Label

“A policy label specifies the authentication policies for a particular factor. Each policy label corresponds to a single factor. The policy label must be bound as the next factor of an authentication policy or of another authentication policy label. Typically, a policy label includes authentication policies for a specific authentication mechanism”

Go to Security -> AAA – Application Traffic -> Policies -> Authentication -> Advanced Policies -> Policy Label.

Select Add. Give the PolicyLabel a name.

Authentication Policy Label 1
New Authentication PolicyLabel for RADIUS Authentication

Select Continue.

Select the RADIUS Authentication Policy you created above. Note that this is a very simple use of nFactor: we are only using a single PolicyLabel, with RADIUS as our second factor.

Authentication Policy Label 2
Bind the RADIUS Authentication Policy to the PolicyLabel

Select Bind.

Authentication Policy Label 3
Confirm PolicyLabel is created with RADIUS Authentication Policy

Assign Authentication Policy to the Authentication vServer

Go to Security -> AAA – Application Traffic -> Virtual Servers.

Edit the Authentication vServer you created earlier and select “Advanced Authentication Policies”.

Auth vServer 3
Advanced Authentication Policies for the Authentication vServer

Select the LDAP Policy that you created previously, and then select your RADIUS Policy Label as the Next Factor.

Auth vServer 4
LDAPS is our first Factor, RADIUS PolicyLabel as our Second

Select Bind.

Assign a Login Schema to the Authentication vServer

Go to Security -> AAA – Application Traffic -> Virtual Servers.

Edit the Authentication vServer you created earlier and select “Login Schema”.

Bind the Login Schema Policy you created previously.

Auth vServer 5
Bind the Login Schema created previously

Configuring the NetScaler Gateway vServer

At this point, remove any existing Authentication Policies bound to your Gateway vServer and bind your new Authentication Profile instead.

Go to NetScaler Gateway -> Virtual Servers -> Edit your Gateway -> Select Authentication Profile.

Gateway Auth Prof 1
Current Authentication Profile

Select the + to add a profile.

Give the Authentication Profile a name, and select the Authentication vServer you created earlier.

Gateway Auth Prof 2
Create Authentication Profile

Select OK and confirm your Authentication Profile is applied.

Gateway Auth Prof 3
Authentication Profile Assigned to Gateway

Note that this creates the profile shown below, but does not require all the other mandatory fields that creating it manually requires under:

Security -> AAA – Application Traffic -> Authentication Profile

Auth Profile 1
Authentication Profile Created via Gateway
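
The GUI steps from “Create Authentication Virtual Server” through “Configuring the NetScaler Gateway vServer” map onto the NetScaler CLI below. This is an added example, not configuration taken from this post or from Citrix documentation: object names, IP addresses, the LDAP base and bind account, the certificate key name, the Gateway vServer name and the RADIUS shared secret are all constructed placeholders. The RADIUS server address is assumed to be the RADIUS load balancing VIP, as the post does, and the policy label uses the built-in LSCHEMA_INT schema so that the second factor re-uses the username and password collected by the first factor rather than showing another form:

```text
# Added example (constructed names/addresses): LDAP first factor, RADIUS (Azure MFA via NPS) second factor

# 1. Non-addressable AAA vServer (IP 0.0.0.0) with the certificate bound
add authentication vserver AAA_nFactor SSL 0.0.0.0
bind ssl vserver AAA_nFactor -certkeyName WildcardCert

# 2. Authentication server objects: LDAPS, and RADIUS pointed at the RADIUS LB VIP
add authentication ldapAction LDAP_Action -serverIP 10.0.0.10 -serverPort 636 -secType SSL -ldapBase "dc=example,dc=local" -ldapBindDn "svc_ldap@example.local" -ldapBindDnPassword "<BindPassword>" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
# authTimeout matches the 30 second wait for the Authenticator push described in End Result;
# passEncoding pap and a NAS ID are the settings the post calls out on the RADIUS profile
add authentication radiusAction RADIUS_AzureMFA -serverIP 10.0.0.20 -serverPort 1812 -radKey "<SharedSecret>" -radNASid NetScaler -passEncoding pap -authTimeout 30

# 3. Advanced authentication policies, both with the expression "true"
add authentication Policy LDAP_Pol -rule true -action LDAP_Action
add authentication Policy RADIUS_Pol -rule true -action RADIUS_AzureMFA

# 4. Login schema profile based on the SingleAuth.xml template, and its policy
add authentication loginSchema LS_SingleAuth -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"
add authentication loginSchemaPolicy LS_Pol -rule true -action LS_SingleAuth

# 5. Policy label for the second factor; LSCHEMA_INT = no new login form, credentials are carried over
add authentication policylabel PL_RADIUS -loginSchema LSCHEMA_INT
bind authentication policylabel PL_RADIUS -policyName RADIUS_Pol -priority 100 -gotoPriorityExpression NEXT

# 6. Bind LDAP to the AAA vServer as the first factor with the RADIUS label as next factor,
#    then bind the login schema policy
bind authentication vserver AAA_nFactor -policy LDAP_Pol -priority 100 -nextFactor PL_RADIUS -gotoPriorityExpression NEXT
bind authentication vserver AAA_nFactor -policy LS_Pol -priority 100 -gotoPriorityExpression END

# 7. Authentication profile that references the AAA vServer, applied to the Gateway vServer
add authentication authnProfile AuthProf_AzureMFA -authnVsName AAA_nFactor
set vpn vserver GW_Unified -authnProfile AuthProf_AzureMFA
```

Because the RADIUS factor forwards the password already validated by LDAP, NPS validates it again against AD before the Azure MFA extension runs; that is why the extension only acts on requests in the Access-Accept state, and why the NPS policies must accept the password (PAP) the NetScaler sends.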

End Result

Once everything has been applied, you should experience a simple logon scheme on your Gateway vServer as below:

End Result 1
RFWebUI Web Page – First Factor

Once you have entered your first factor (LDAPS username and password), the nFactor configuration moves on to RADIUS; the behaviour of the next stage differs depending on the authentication mechanism configured for the user within Azure MFA.

If you use the Authenticator App, you will be prompted for confirmation on your mobile device. The NetScaler will wait 30 seconds for this confirmation to take place before timing out.

If you use Text Message/SMS based authentication, the NetScaler will prompt you for your confirmation PIN as follows:

End Result 2
RFWebUI Web Page – Second Factor – SMS/Text

This behaviour is consistent across Web, Receiver, Mobile Receiver and the SSL VPN Client.

As with everything NetScaler, there are many ways to achieve the same result. This is only a basic use of the nFactor capability on NetScaler, and there are probably more advanced or different ways of configuring the above; however, it seems to fit well together with NPS and Azure MFA across multiple device types.

9 thoughts on “Azure MFA NPS Extensions with NetScaler nFactor Authentication”

  1. Hi James, thanks for this clear and comprehensive article!!

    I still have a few questions:
    I had first arranged the MFA via an on-premise server with the MFA user portal (via LDAPS) etc.
    (this server was also visible as an MFA in the Azure Portal).

    Should I also see the NPS server as an MFA / RADIUS server in the Azure portal? That is not the case with me.

    Can the on-premise MFA LDAPS server and the NPS server be used side by side (one for the old gateway, one for the new gateway), or should I choose one solution (MFA with user portal ed or NPS server)?

    Does the NPS server need a constant connection to the Internet for the operation of MFA? If so, to which sites/ports?

    Does the NPS server have to be registered in the AD (Register Server in AD)?

    When I’m logging in to my Gateway as a user, I’m not able to connect. The secondary factor does not appear on the Authenticator app. At the NPS server I see an error in the logs: “NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User with response state AccessReject, ignoring request.”

    Hopefully you have the answers here. Thank you very much!



    1. Sorry for the delay, Marcel
      – You will not see the NPS server in the Azure Portal
      – You can run both providers side by side as far as I know
      – NPS Server does need a constant connection as it checks with Azure AD
      – Firewall list is located here
      – NPS server doesn’t need to be registered
      – Check your Azure AD account and the relevant authentication methods you have configured on the account (Christiaan’s setup guide is the best resource for setting things up)

      Hope that helps


  2. Hi James, thanks for your reply!

    I’ve tried a few things, but do not get it working.
    I have put a simple basic RADIUS policy on the gateway vserver, but also then nothing happens.
    In aaad.debug I see the LDAP part OK, but for RADIUS it stays with the message “RADIUS auth: Making radius request for user ” and after a while followed by “retransmit radius packet”, “RADIUS auth: RADIUS server unresponsive, timed out:No valid RADIUS responses received” and finally “Rejecting with error code 4003”.
    There is therefore no Access-Request to the NPS server at all.

    What could be the cause of this?

    (My NetScaler is v12.0.57.19)

    I tried several things, like:

    – Enable NTLMv2 Compatibility key with value 1 on the NPS server (without this key on the NPS server I get the error “Invalid credentials, error code 4001”);
    – add radiusNode -radkey ;
    – Direct connection to the NPS server instead of via a load-balanced RADIUS server;
    – Disabled (one by one) the Connection Request Policies / Network Policies on the NPS server.

    Everything without a positive result…..

    On the NPS server I still see the error:

    – “NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User with response state AccessReject, ignoring request”


    – NPS Extension for Azure MFA: CID: c63a40f4-70fe-4227-b09e-ab838fbfcc10 :Exception in Authentication Ext for User :: ErrorCode:: AZURE_MFA_RESPONSE_ERROR Msg:: cid: c63a40f4-70fe-4227-b09e-ab838fbfcc10 Received the following response which could not be parsed successfully:: Enter ERROR_CODE @ detailed TroubleShooting steps.

    Hopefully you still have ideas.

    Best regards,



  3. Hi James, thanks for the article.

    I wonder if there is a way to let the user pick the second factor. eg: phone/push/code with Azure MFA. Any thoughts?


  4. Azure now has a RADIUS Windows 2016 image available in the marketplace that you can use to authenticate wireless traffic from your Cisco APs.

    There is a pretty good tutorial on setting up RADIUS authentication using Azure’s new RADIUS server on


  5. James – I’ve followed the steps in your article, and it works great, so thank you!
    BUT, I have just one issue: users are prompted for their AD credentials twice (then everything works fine). I’ve posted about it here:

    To recap: user enters her AD credentials, then a second time, then she is prompted for AzureMFA code (if member of group MFA). Either way, login is successful.

    Any suggestions?


  6. Great post!

    I was able to configure it, but I have a doubt: for users who have MFA disabled, how can I configure it so that MFA is not requested for them and they can still authenticate?

