Integrate your existing Network Policy Server (NPS) infrastructure with Azure AD Multi-Factor Authentication

The Network Policy Server (NPS) extension for Azure AD Multi-Factor Authentication adds cloud-based MFA capabilities to your authentication infrastructure using your existing servers. With the NPS extension, you can add phone call, text message, or phone app verification to your existing authentication flow without having to install, configure, and maintain new servers.

The NPS extension acts as an adapter between RADIUS and cloud-based Azure AD Multi-Factor Authentication to provide a second factor of authentication for federated or synced users.

How the NPS extension works

When you use the NPS extension for Azure AD Multi-Factor Authentication, the authentication flow includes the following components:

  1. NAS/VPN Server receives requests from VPN clients and converts them into RADIUS requests to NPS servers.
  2. NPS Server connects to Active Directory Domain Services (AD DS) to perform the primary authentication for the RADIUS requests and, upon success, passes the request to any installed extensions.
  3. NPS Extension triggers a request to Azure AD Multi-Factor Authentication for the secondary authentication. Once the extension receives the response, and if the MFA challenge succeeds, it completes the authentication request by providing the NPS server with security tokens that include an MFA claim, issued by Azure STS.
  4. Azure AD MFA communicates with Azure Active Directory (Azure AD) to retrieve the user's details and performs the secondary authentication using a verification method configured for the user.

The following diagram illustrates this high-level authentication request flow:

Diagram of the authentication flow: a user authenticates through a VPN server to the NPS server and the Azure AD Multi-Factor Authentication NPS extension

RADIUS protocol behavior and the NPS extension

As RADIUS is a UDP protocol, the sender assumes packet loss and awaits a response. After a period of time, the connection may time out. If so, the packet is resent, as the sender assumes the packet didn't reach the destination. In the authentication scenario in this article, VPN servers send the request and wait for a response. If the connection times out, the VPN server sends the request again.

Diagram of the RADIUS UDP packet flow and requests after the NPS server's response times out

The NPS server may not respond to the VPN server's original request before the connection times out, because the MFA request may still be being processed. The user may not have successfully responded to the MFA prompt yet, so the Azure AD Multi-Factor Authentication NPS extension is waiting for that event to complete. In this situation, the NPS server identifies the additional VPN server requests as duplicate requests and discards them.

Diagram of the NPS server discarding duplicate requests from the RADIUS server

If you look at the NPS server logs, you may see these additional requests being discarded. This behavior is by design, to protect the end user from getting multiple prompts for a single authentication attempt. Discarded requests in the NPS server event log don't indicate a problem with the NPS server or the Azure AD Multi-Factor Authentication NPS extension.

To minimize discarded requests, we recommend that VPN servers are configured with a timeout of at least 60 seconds. If needed, or to reduce discarded requests in the event logs, you can increase the VPN server timeout value to 90 or 120 seconds.

Due to this UDP protocol behavior, the NPS server could receive a duplicate request and send another MFA prompt, even after the user has already responded to the initial request. To avoid this timing condition, the Azure AD Multi-Factor Authentication NPS extension continues to filter and discard duplicate requests for up to 10 seconds after a successful response has been sent to the VPN server.

Diagram of the NPS server continuing to discard duplicate requests from the VPN server for ten seconds after a successful response is returned

Again, you may see discarded requests in the NPS server event logs, even when the Azure AD Multi-Factor Authentication prompt was successful. This is expected behavior and doesn't indicate a problem with the NPS server or the Azure AD Multi-Factor Authentication NPS extension.

Plan your deployment

The NPS extension automatically handles redundancy, so you don't need a special configuration.

You can create as many Azure AD Multi-Factor Authentication-enabled NPS servers as you need. If you do install multiple servers, you should use a different client certificate for each one of them. Creating a certificate for each server means that you can update each cert individually, and not worry about downtime across all your servers.

VPN servers route authentication requests, so they need to be aware of the new Azure AD Multi-Factor Authentication-enabled NPS servers.

Prerequisites

The NPS extension is meant to work with your existing infrastructure. Make sure you have the following prerequisites before you begin.

Licenses

The NPS Extension for Azure AD Multi-Factor Authentication is available to customers with licenses for Azure AD Multi-Factor Authentication. Consumption-based licenses for Azure AD Multi-Factor Authentication, such as per user or per authentication licenses, aren't compatible with the NPS extension.

Software

Windows Server 2012 or above.

Libraries

You need to manually install the following library:

The following libraries are installed automatically with the extension.

The Azure Active Directory Module for Windows PowerShell is also installed through a configuration script you run as part of the setup process, if not already present. There's no need to install this module ahead of time if it's not already installed.

Azure Active Directory

Everyone using the NPS extension must be synced to Azure AD using Azure AD Connect, and must be registered for MFA.

When you install the extension, you need the Tenant ID and admin credentials for your Azure AD tenant. To get the tenant ID, complete the following steps:

  1. Sign in to the Azure portal as the global administrator of the Azure tenant.

  2. Search for and select Azure Active Directory.

  3. On the Overview page, the Tenant information is shown. Next to the Tenant ID, select the Copy icon, as shown in the following example screenshot:

    Screenshot of getting the tenant ID from the Azure portal

Network requirements

The NPS server must be able to communicate with the following URLs over ports 80 and 443:

  • https://adnotifications.azure.cn
  • https://login.partner.microsoftonline.cn
  • https://credentials.azure.com

Additionally, connectivity to the following URLs is required to complete the setup of the adapter using the provided PowerShell script:

  • https://login.partner.microsoftonline.cn
  • https://provisioningapi.partner.microsoftonline.cn
  • https://aadcdn.msauth.net
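A pre-installation connectivity check for the endpoints listed above, added here as an example (it is not part of the original article or of the NPS extension). It assumes Windows PowerShell 5.1 or later with the NetTCPIP module (Test-NetConnection); the function name Test-NpsExtensionEndpoint is an assumption.

```powershell
# Added example: verify that this NPS server can open TCP connections on ports 80 and 443
# to the endpoints the article requires, before installing the extension.
$runtimeUrls = @(
    'https://adnotifications.azure.cn',
    'https://login.partner.microsoftonline.cn',
    'https://credentials.azure.com'
)
$setupUrls = @(
    'https://login.partner.microsoftonline.cn',
    'https://provisioningapi.partner.microsoftonline.cn',
    'https://aadcdn.msauth.net'
)

function Test-NpsExtensionEndpoint {
    param(
        [Parameter(Mandatory)][string[]]$Url,
        [int[]]$Port = @(80, 443)      # the article requires both ports
    )
    foreach ($u in $Url) {
        # Strip the scheme and path; Test-NetConnection wants a bare host name.
        $hostName = ([System.Uri]$u).Host
        foreach ($p in $Port) {
            # -InformationLevel Quiet returns a plain boolean instead of a detailed object.
            $ok = Test-NetConnection -ComputerName $hostName -Port $p `
                      -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ Host = $hostName; Port = $p; Reachable = $ok }
        }
    }
}

'Runtime endpoints (needed for every MFA request):'
Test-NpsExtensionEndpoint -Url $runtimeUrls | Format-Table -AutoSize

'Setup endpoints (needed while running AzureMfaNpsExtnConfigSetup.ps1):'
Test-NpsExtensionEndpoint -Url $setupUrls | Format-Table -AutoSize
```

A raw TCP test does not go through a configured HTTP proxy, so a server that reaches the internet only via proxy can show Reachable = False here while the extension still works; in that case test with Invoke-WebRequest through the proxy instead.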

Prepare your environment

Before you install the NPS extension, prepare your environment to handle the authentication traffic.

Enable the NPS role on a domain-joined server

The NPS server connects to Azure AD and authenticates the MFA requests. Choose one server for this role. We recommend choosing a server that doesn't handle requests from other services, because the NPS extension throws errors for any requests that aren't RADIUS. The NPS server must be set up as the primary and secondary authentication server for your environment. It can't proxy RADIUS requests to another server.

  1. On your server, open Server Manager. Select Add Roles and Features Wizard from the Quickstart menu.
  2. For your installation type, choose Role-based or feature-based installation.
  3. Select the Network Policy and Access Services server role. A window may pop up to inform you of additional features required to run this role.
  4. Continue through the wizard until the Confirmation page. When ready, select Install.

It may take a few minutes to install the NPS server role. When finished, continue with the following sections to configure this server to handle incoming RADIUS requests from the VPN solution.

Configure your VPN solution to communicate with the NPS server

Depending on which VPN solution you use, the steps to configure your RADIUS authentication policy vary. Configure your VPN policy to point to your RADIUS NPS server.

Sync domain users to the cloud

This step may already be complete on your tenant, but it's good to double-check that Azure AD Connect has synchronized your databases recently.

  1. Sign in to the Azure portal as an administrator.
  2. Select Azure Active Directory > Azure AD Connect.
  3. Verify that your sync status is Enabled and that your last sync was less than an hour ago.

If you need to kick off a new round of synchronization, see Azure AD Connect sync: Scheduler.

Determine which authentication methods your users can use

There are two factors that affect which authentication methods are available with an NPS extension deployment:

  • The password encryption algorithm used between the RADIUS client (VPN, Netscaler server, or other) and the NPS servers.

    • PAP supports all the authentication methods of Azure AD Multi-Factor Authentication in the cloud: phone call, one-way text message, mobile app notification, OATH hardware tokens, and mobile app verification code.

    • CHAPV2 and EAP support phone call and mobile app notification.

      Note

      When you deploy the NPS extension, use these factors to evaluate which methods are available for your users. If your RADIUS client supports PAP, but the client UX doesn't have input fields for a verification code, then phone call and mobile app notification are the two supported options.

      Also, regardless of the authentication protocol that's used (PAP, CHAP, or EAP), if your MFA method is text-based (SMS, mobile app verification code, or OATH hardware token) and requires the user to enter a code or text in the VPN client UI input field, the authentication might succeed. But any RADIUS attributes that are configured in the Network Access Policy are not forwarded to the RADIUS client (the Network Access Device, like the VPN gateway). As a result, the VPN client might have more access than you want it to have, or less access or no access.

  • The input methods that the client application (VPN, Netscaler server, or other) can handle. For example, does the VPN client have some means to allow the user to type in a verification code from a text or mobile app?

You can disable unsupported authentication methods in Azure.

Register users for MFA

Before you deploy and use the NPS extension, users that are required to perform Azure AD Multi-Factor Authentication need to be registered for MFA. To test the extension as you deploy it, you also need at least one test account that is fully registered for Azure AD Multi-Factor Authentication.

If you need to create and configure a test account, use the following steps:

  1. Sign in to https://account.activedirectory.windowsazure.cn/proofup.aspx?culture=en-US with a test account.
  2. Follow the prompts to set up a verification method.
  3. In the Azure portal as an admin user, create a Conditional Access policy to require multi-factor authentication for the test account.

Important

Make sure that users have successfully registered for Azure AD Multi-Factor Authentication. If users have previously only registered for self-service password reset (SSPR), StrongAuthenticationMethods is enabled for their account. Azure AD Multi-Factor Authentication is enforced when StrongAuthenticationMethods is configured, even if the user only registered for SSPR.

Combined security registration can be enabled that configures SSPR and Azure AD Multi-Factor Authentication at the same time.

You can also force users to re-register authentication methods if they previously only enabled SSPR.

Install the NPS extension

Important

Install the NPS extension on a different server than the VPN access point.

Download and install the NPS extension for Azure AD MFA

To download and install the NPS extension, complete the following steps:

  1. Download the NPS Extension from the Microsoft Download Center.
  2. Copy the binary to the Network Policy Server you want to configure.
  3. Run setup.exe and follow the installation instructions. If you encounter errors, make sure that the libraries from the prerequisites section were successfully installed.

Upgrade the NPS extension

If you later upgrade an existing NPS extension installation, complete the following steps to avoid a reboot of the underlying server:

  1. Uninstall the existing version.
  2. Run the new installer.
  3. Restart the Network Policy Server (IAS) service.

Run the PowerShell script

The installer creates a PowerShell script at C:\Program Files\Microsoft\AzureMfa\Config (where C:\ is your installation drive). This PowerShell script performs the following actions each time it's run:

  • Creates a self-signed certificate.
  • Associates the public key of the certificate to the service principal on Azure AD.
  • Stores the certificate in the local machine certificate store.
  • Grants access to the certificate's private key to Network User.
  • Restarts the NPS service.

Unless you want to use your own certificates (instead of the self-signed certificates that the PowerShell script generates), run the PowerShell script to complete the NPS extension installation. If you install the extension on multiple servers, each server should have its own certificate.

To provide load-balancing capabilities or for redundancy, repeat these steps on additional NPS servers as desired:

  1. Open a Windows PowerShell prompt as an administrator.

  2. Change directories to where the installer created the PowerShell script:

    cd "C:\Program Files\Microsoft\AzureMfa\Config"
    
  3. Run the PowerShell script created by the installer.

    Important

    For customers that use Azure China 21Vianet clouds, first edit the Connect-MsolService cmdlets in the AzureMfaNpsExtnConfigSetup.ps1 script to include the AzureEnvironment parameter for the required cloud. For example, specify -AzureEnvironment AzureChinaCloud.

    For more information, see the Connect-MsolService parameter reference.

    .\AzureMfaNpsExtnConfigSetup.ps1
    
  4. When prompted, sign in to Azure AD as an administrator.

  5. PowerShell prompts for your tenant ID. Use the Tenant ID GUID that you copied from the Azure portal in the prerequisites section.

  6. A success message is shown when the script is finished.

If your previous computer certificate has expired, and a new certificate has been generated, you should delete any expired certificates. Having expired certificates can cause issues with the NPS Extension starting.

Note

If you use your own certificates instead of generating certificates with the PowerShell script, make sure that they align to the NPS naming convention. The subject name must be CN=<TenantID>,OU=Microsoft NPS Extension.

Azure China 21Vianet additional steps

For customers that use the Azure China 21Vianet clouds, the following additional configuration steps are required on each NPS server.

Important

Only configure these registry settings if you're an Azure China 21Vianet customer.

  1. If you're an Azure China 21Vianet customer, open Registry Editor on the NPS server.

  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.

  3. For Azure China 21Vianet customers, set the following key values:

    Registry key          Value
    AZURE_MFA_HOSTNAME    adnotifications.windowsazure.cn
    STS_URL               https://login.chinacloudapi.cn/

  4. Repeat the previous two steps to set the registry key values for each NPS server.

  5. Restart the NPS service for each NPS server.

    For minimal impact, take each NPS server out of the NLB rotation one at a time and wait for all connections to drain.

Certificate rollover

With release 1.0.1.32 of the NPS extension, reading multiple certificates is supported. This capability helps facilitate rolling certificate updates prior to their expiration. If your organization is running a previous version of the NPS extension, upgrade to version 1.0.1.32 or higher.

Certificates created by the AzureMfaNpsExtnConfigSetup.ps1 script are valid for 2 years. Monitor certificates for expiration. Certificates for the NPS extension are placed in the Local Computer certificate store under Personal and are Issued To the tenant ID provided to the installation script.

When a certificate is approaching the expiration date, a new certificate should be created to replace it. This process is accomplished by running AzureMfaNpsExtnConfigSetup.ps1 again and keeping the same tenant ID when prompted. This process should be repeated on each NPS server in your environment.

Configure your NPS extension

With your environment prepared, and the NPS extension now installed on the required servers, you can configure the extension.

This section includes design considerations and suggestions for successful NPS extension deployments.

Configuration limitations

  • The NPS extension for Azure AD Multi-Factor Authentication doesn't include tools to migrate users and settings from MFA Server to the cloud. For this reason, we suggest using the extension for new deployments, rather than existing deployments. If you use the extension on an existing deployment, your users have to perform proof-up again to populate their MFA details in the cloud.
  • The NPS extension uses the UPN from the on-premises AD DS environment to identify the user on Azure AD Multi-Factor Authentication for performing the secondary authentication. The extension can be configured to use a different identifier like alternate login ID or a custom AD DS field other than UPN. For more information, see the article, Advanced configuration options for the NPS extension for Multi-Factor Authentication.
  • Not all encryption protocols support all verification methods.
    • PAP supports phone call, one-way text message, mobile app notification, and mobile app verification code
    • CHAPV2 and EAP support phone call and mobile app notification

Control RADIUS clients that require MFA

Once you enable MFA for a RADIUS client using the NPS extension, all authentications for this client are required to perform MFA. If you want to enable MFA for some RADIUS clients but not others, you can configure two NPS servers and install the extension on only one of them.

Configure RADIUS clients that you want to require MFA to send requests to the NPS server configured with the extension, and other RADIUS clients to the NPS server not configured with the extension.

Prepare for users that aren't enrolled for MFA

If you have users that aren't enrolled for MFA, you can determine what happens when they try to authenticate. To control this behavior, use the setting REQUIRE_USER_MATCH in the registry path HKLM\Software\Microsoft\AzureMFA. This setting has a single configuration option:

Key                   Value         Default
REQUIRE_USER_MATCH    TRUE/FALSE    Not set (equivalent to TRUE)

This setting determines what to do when a user isn't enrolled for MFA. When the key doesn't exist, is not set, or is set to TRUE, and the user isn't enrolled, the extension fails the MFA challenge.

When the key is set to FALSE and the user isn't enrolled, authentication proceeds without performing MFA. If a user is enrolled in MFA, they must authenticate with MFA even if REQUIRE_USER_MATCH is set to FALSE.

You can choose to create this key and set it to FALSE while your users are onboarding, and may not all be enrolled for Azure AD Multi-Factor Authentication yet. However, since setting the key permits users that aren't enrolled for MFA to sign in, you should remove this key before going to production.
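An audit of the HKLM\SOFTWARE\Microsoft\AzureMfa values this article describes, covering both the Azure China 21Vianet registry settings above and REQUIRE_USER_MATCH, added here as an example (not part of the original article or of the extension). The key path, value names and documented values come from the article; the function names Get-NpsExtensionConfigAudit and Remove-NpsExtensionRequireUserMatch are assumptions, and the script should be run in an elevated prompt on the NPS server.

```powershell
# Added example: report the effective NPS extension settings and flag the
# onboarding-only REQUIRE_USER_MATCH=FALSE before a server goes to production.
$npsExtensionKey = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'

function Get-NpsExtensionConfigAudit {
    param([string]$Path = $npsExtensionKey)

    if (-not (Test-Path $Path)) {
        throw "Registry key $Path not found. Is the NPS extension installed on this server?"
    }
    $props    = Get-ItemProperty -Path $Path
    $findings = @()

    # REQUIRE_USER_MATCH: absent, empty, or TRUE all mean "fail MFA for users not enrolled".
    $raw = $props.REQUIRE_USER_MATCH
    $effective = if ([string]::IsNullOrWhiteSpace($raw)) { 'TRUE' }
                 else { $raw.ToString().ToUpperInvariant() }
    if ($effective -eq 'FALSE') {
        $findings += 'REQUIRE_USER_MATCH is FALSE: users not enrolled for MFA sign in with ' +
                     'the first factor only. Remove this value before going to production.'
    } elseif ($effective -ne 'TRUE') {
        $findings += "REQUIRE_USER_MATCH has unexpected value '$raw'; only TRUE or FALSE are documented."
    }

    # Azure China 21Vianet: if either value is present, both must carry the documented values.
    $hostName = $props.AZURE_MFA_HOSTNAME
    $stsUrl   = $props.STS_URL
    if ($hostName -or $stsUrl) {
        if ($hostName -ne 'adnotifications.windowsazure.cn') {
            $findings += "AZURE_MFA_HOSTNAME is '$hostName'; expected adnotifications.windowsazure.cn for Azure China 21Vianet."
        }
        if ($stsUrl -ne 'https://login.chinacloudapi.cn/') {
            $findings += "STS_URL is '$stsUrl'; expected https://login.chinacloudapi.cn/ for Azure China 21Vianet."
        }
    }

    [pscustomobject]@{
        Path                      = $Path
        RequireUserMatchRaw       = $raw
        RequireUserMatchEffective = $effective
        AzureMfaHostname          = $hostName
        StsUrl                    = $stsUrl
        Findings                  = $findings
    }
}

function Remove-NpsExtensionRequireUserMatch {
    # Deletes the value so the documented default (equivalent to TRUE) applies again.
    # Restart the Network Policy Server (IAS) service afterwards, as the article does
    # for its other registry changes, so the running extension picks the change up.
    param([string]$Path = $npsExtensionKey)
    Remove-ItemProperty -Path $Path -Name 'REQUIRE_USER_MATCH' -ErrorAction SilentlyContinue
}

Get-NpsExtensionConfigAudit | Format-List
```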

Troubleshooting

NPS extension health check script

The following script is available to perform basic health check steps when troubleshooting the NPS extension.

MFA_NPS_Troubleshooter.ps1

How do I verify that the client cert is installed as expected?

Look for the self-signed certificate created by the installer in the cert store, and check that the private key has permissions granted to the user NETWORK SERVICE. The cert has a subject name of CN=<tenantid>, OU=Microsoft NPS Extension.

Self-signed certificates generated by the AzureMfaNpsExtnConfigSetup.ps1 script have a validity lifetime of two years. When verifying that the certificate is installed, you should also check that the certificate hasn't expired.
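The checks just described (subject name, expiry, NETWORK SERVICE access to the private key) as one script, added here as an example; it is not part of the original article, the MFA_NPS_Troubleshooter.ps1 script, or the extension. The function name Test-NpsExtensionCertificate and the 30-day expiry warning are assumptions; run it elevated on the NPS server and pass the tenant ID you gave to AzureMfaNpsExtnConfigSetup.ps1.

```powershell
# Added example: locate the NPS extension client certificate in LocalMachine\My and
# report expiry and whether NETWORK SERVICE can read its private key file.
function Test-NpsExtensionCertificate {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [int]$WarnDays = 30     # assumption: warn this many days before NotAfter
    )
    $candidates = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.Subject -match "CN=$TenantId" -and $_.Subject -match 'OU=Microsoft NPS Extension' }

    if (-not $candidates) {
        return [pscustomobject]@{
            Found   = $false
            Message = "No certificate with CN=$TenantId, OU=Microsoft NPS Extension in LocalMachine\My"
        }
    }

    foreach ($cert in $candidates) {
        $now          = Get-Date
        $expired      = $cert.NotAfter -lt $now
        $expiringSoon = (-not $expired) -and ($cert.NotAfter -lt $now.AddDays($WarnDays))

        # Find the private key file so its ACL can be inspected. The key may be held by
        # either the legacy CSP store or the CNG store; resolve the file name for both.
        $keyName = $null
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $keyName = $rsa.Key.UniqueName
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        }

        $networkServiceCanRead = $null     # stays $null if the key file cannot be located
        if ($keyName) {
            $keyFile = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse `
                           -Filter $keyName -ErrorAction SilentlyContinue | Select-Object -First 1
            if ($keyFile) {
                $acl = Get-Acl -Path $keyFile.FullName
                $networkServiceCanRead = [bool]($acl.Access | Where-Object {
                    $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' -and
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
                })
            }
        }

        [pscustomobject]@{
            Found                 = $true
            Thumbprint            = $cert.Thumbprint
            Subject               = $cert.Subject
            NotAfter              = $cert.NotAfter
            Expired               = $expired          # the article says to delete expired certs
            ExpiringSoon          = $expiringSoon
            HasPrivateKey         = $cert.HasPrivateKey
            NetworkServiceCanRead = $networkServiceCanRead
        }
    }
}

# Assumption: replace the placeholder with your own tenant ID GUID.
Test-NpsExtensionCertificate -TenantId '00000000-0000-0000-0000-000000000000' | Format-List
```

Because release 1.0.1.32 and later read multiple certificates, more than one object can come back during a rollover; the Expired and NetworkServiceCanRead fields show which one to delete and which one the service can actually use.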

How can I verify that my client certificate is associated to my tenant in Azure AD?

Open a PowerShell command prompt and run the following commands:

import-module MSOnline
Connect-MsolService -AzureEnvironment AzureChinaCloud
Get-MsolServicePrincipalCredential -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" -ReturnKeyValues 1

These commands print all the certificates associating your tenant with your instance of the NPS extension in your PowerShell session. Look for your certificate by exporting your client cert as a Base-64 encoded X.509 (.cer) file without the private key, and compare it with the list from PowerShell.

The following command will create a file named npscertificate at the root of your C: drive in .cer format.

import-module MSOnline
Connect-MsolService -AzureEnvironment AzureChinaCloud
Get-MsolServicePrincipalCredential -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" -ReturnKeyValues 1 | select -ExpandProperty "value" | out-file c:\npscertificate.cer

After you run this command, go to the root of your C: drive, locate the file, and double-click on it. Go to Details, and scroll down to "Thumbprint". Compare the thumbprint of the certificate installed on the server to this one. The certificate thumbprints should match.

Valid-From and Valid-Until timestamps, which are in human-readable form, can be used to filter out obvious misfits if the command returns more than one cert.

Why can't I sign in?

Check that your password hasn't expired. The NPS extension doesn't support changing passwords as part of the sign-in workflow. Contact your organization's IT staff for further assistance.

Why are my requests failing with an ADAL token error?

This error could be due to one of several reasons. Use the following steps to troubleshoot:

  1. Restart your NPS server.
  2. Verify that the client cert is installed as expected.
  3. Verify that the certificate is associated with your tenant on Azure AD.
  4. Verify that https://login.partner.microsoftonline.cn/ is accessible from the server running the extension.

Why does authentication fail with an error in HTTP logs stating that the user is not found?

Verify that AD Connect is running, and that the user is present in both the on-premises AD DS environment and in Azure AD.

Why do I see HTTP connect errors in logs with all my authentications failing?

Verify that https://adnotifications.azure.cn is reachable from the server running the NPS extension.

Why is authentication not working, despite a valid certificate being present?

If your previous computer certificate has expired, and a new certificate has been generated, delete any expired certificates. Expired certificates can cause issues with the NPS extension starting.

To check if you have a valid certificate, check the local Computer Account's Certificate Store using MMC, and ensure the certificate hasn't passed its expiry date. To generate a new valid certificate, rerun the steps from Run the PowerShell script.

Why do I see discarded requests in the NPS server logs?

A VPN server may send repeated requests to the NPS server if the timeout value is too low. The NPS server detects these duplicate requests and discards them. This behavior is by design, and doesn't indicate a problem with the NPS server or the Azure AD Multi-Factor Authentication NPS extension.

For more information on why you see discarded packets in the NPS server logs, see RADIUS protocol behavior and the NPS extension at the start of this article.

Managing the TLS/SSL Protocols and Cipher Suites

It's recommended that older and weaker cipher suites be disabled or removed unless required by your organization. Information on how to complete this task can be found in the article, Managing SSL/TLS Protocols and Cipher Suites for AD FS.

Additional troubleshooting

Additional troubleshooting guidance and possible solutions can be found in the article, Resolve error messages from the NPS extension for Azure AD Multi-Factor Authentication.

Next steps