Resolve error messages from the NPS extension for Azure AD Multi-Factor Authentication

If you encounter errors with the NPS extension for Azure AD Multi-Factor Authentication, use this article to reach a resolution faster. NPS extension logs are found in Event Viewer under Custom Views > Server Roles > Network Policy and Access Services on the server where the NPS extension is installed.

Troubleshooting steps for common errors

| Error code | Troubleshooting steps |
| --- | --- |
| CONTACT_SUPPORT | Contact support, and mention the list of steps for collecting logs. Provide as much information as you can about what happened before the error, including tenant ID and user principal name (UPN). |
| CLIENT_CERT_INSTALL_ERROR | There may be an issue with how the client certificate was installed or associated with your tenant. Follow the instructions in Troubleshooting the MFA NPS extension to investigate client cert problems. |
| ESTS_TOKEN_ERROR | Follow the instructions in Troubleshooting the MFA NPS extension to investigate client cert and ADAL token problems. |
| HTTPS_COMMUNICATION_ERROR | The NPS server is unable to receive responses from Azure AD MFA. Verify that your firewalls are open bidirectionally for traffic to and from https://adnotifications.azure.cn. |
| HTTP_CONNECT_ERROR | On the server that runs the NPS extension, verify that you can reach https://adnotifications.azure.cn and https://login.partner.microsoftonline.cn/. If those sites don't load, troubleshoot connectivity on that server. |
| NPS Extension for Azure AD MFA: NPS Extension for Azure AD MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User username with response state AccessReject, ignoring request. | This error usually reflects an authentication failure in AD or that the NPS server is unable to receive responses from Azure AD. Verify that your firewalls are open bidirectionally for traffic to and from https://adnotifications.azure.cn and https://login.partner.microsoftonline.cn using ports 80 and 443. It is also important to check that on the DIAL-IN tab of Network Access Permissions, the setting is set to "control access through NPS Network Policy". This error can also trigger if the user is not assigned a license. |
| REGISTRY_CONFIG_ERROR | A key is missing in the registry for the application, which may be because the PowerShell script wasn't run after installation. The error message should include the missing key. Make sure you have the key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa. |
| REQUEST_FORMAT_ERROR: Radius Request missing mandatory Radius userName\Identifier attribute. Verify that NPS is receiving RADIUS requests | This error usually reflects an installation issue. The NPS extension must be installed on NPS servers that can receive RADIUS requests. NPS servers that are installed as dependencies for services like RDG and RRAS don't receive RADIUS requests. The NPS extension does not work when installed over such installations and errors out, since it cannot read the details from the authentication request. |
| REQUEST_MISSING_CODE | Make sure that the password encryption protocol between the NPS and NAS servers supports the secondary authentication method that you're using. PAP supports all the authentication methods of Azure AD MFA in the cloud: phone call, one-way text message, mobile app notification, and mobile app verification code. CHAPV2 and EAP support phone call and mobile app notification. |
| USERNAME_CANONICALIZATION_ERROR | Verify that the user is present in your on-premises Active Directory instance, and that the NPS service has permissions to access the directory. If you are using cross-forest trusts, contact support for further help. |
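Several rows in the table above (REGISTRY_CONFIG_ERROR, HTTP_CONNECT_ERROR, HTTPS_COMMUNICATION_ERROR and the AccessReject message) come down to checks you can run on the NPS server before opening a support case. The following PowerShell script is an added example and is not part of the Microsoft page or the extension itself. It assumes it runs elevated on the NPS server, that the Network Policy Server service is registered under the service name IAS, and, for the optional dial-in check, that the RSAT ActiveDirectory module is installed; the mapping of the "Control access through NPS Network Policy" setting to an unset msNPAllowDialin attribute is an assumption stated in the comments.

```powershell
# Added example, not from the Microsoft page: pre-flight checks for an NPS server
# that runs the Azure AD MFA NPS extension. Covers the REGISTRY_CONFIG_ERROR,
# HTTP_CONNECT_ERROR / HTTPS_COMMUNICATION_ERROR and AccessReject rows.
[CmdletBinding()]
param(
    # Optional sAMAccountName of a user whose dial-in setting should be inspected
    [string]$UserToCheck
)

$results = @()

# 1. REGISTRY_CONFIG_ERROR: the extension's key is created by the post-install
#    PowerShell script; a missing or empty key means that script was not run.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
if (Test-Path $keyPath) {
    $props = Get-ItemProperty -Path $keyPath
    $valueNames = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
    $results += [pscustomobject]@{ Check = 'Registry key present'; Result = 'OK'; Detail = $keyPath }
    $results += [pscustomobject]@{
        Check  = 'Registry values under key'
        Result = $(if ($valueNames) { 'OK' } else { 'WARN' })
        Detail = $(if ($valueNames) { $valueNames -join ', ' } else { 'no values; re-run the configuration script' })
    }
} else {
    $results += [pscustomobject]@{ Check = 'Registry key present'; Result = 'FAIL'; Detail = "$keyPath missing" }
}

# 2. The NPS service itself must be running (service name IAS = Network Policy Server).
$svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Check  = 'NPS service (IAS)'
    Result = $(if ($svc -and $svc.Status -eq 'Running') { 'OK' } else { 'FAIL' })
    Detail = $(if ($svc) { "$($svc.Status)" } else { 'service not found' })
}

# 3. HTTP_CONNECT_ERROR / HTTPS_COMMUNICATION_ERROR: outbound TCP 443 and 80 to the
#    two endpoints named on the page must succeed from this server.
$endpoints = 'adnotifications.azure.cn', 'login.partner.microsoftonline.cn'
foreach ($endpoint in $endpoints) {
    foreach ($port in 443, 80) {
        $tcp = Test-NetConnection -ComputerName $endpoint -Port $port -WarningAction SilentlyContinue
        $results += [pscustomobject]@{
            Check  = "TCP $port to $endpoint"
            Result = $(if ($tcp -and $tcp.TcpTestSucceeded) { 'OK' } else { 'FAIL' })
            Detail = $(if ($tcp -and $tcp.RemoteAddress) { "resolved to $($tcp.RemoteAddress)" } else { 'name resolution failed' })
        }
    }
}

# 4. AccessReject row: the page recommends "Control access through NPS Network
#    Policy" on the user's Dial-in tab. Assumption: that setting corresponds to an
#    unset msNPAllowDialin attribute (TRUE = Allow access, FALSE = Deny access).
if ($UserToCheck) {
    try {
        $u = Get-ADUser -Identity $UserToCheck -Properties msNPAllowDialin -ErrorAction Stop
        $dialIn = $u.msNPAllowDialin
        $results += [pscustomobject]@{
            Check  = "Dial-in setting for $UserToCheck"
            Result = $(if ($null -eq $dialIn) { 'OK' } elseif ($dialIn) { 'WARN' } else { 'FAIL' })
            Detail = $(if ($null -eq $dialIn) { 'controlled through NPS network policy' }
                       elseif ($dialIn) { 'Allow access is set explicitly' }
                       else { 'Deny access is set; NPS returns AccessReject and MFA is skipped' })
        }
    } catch {
        $results += [pscustomobject]@{ Check = "Dial-in setting for $UserToCheck"; Result = 'FAIL'; Detail = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
```

Run it as `.\Check-NpsMfaPrereqs.ps1 -UserToCheck jdoe` (the file name is yours to choose). Any FAIL in the TCP rows points at the firewall or proxy between the NPS server and the endpoints rather than at the extension; a FAIL in the registry row means the configuration script has to be run again before the other rows are meaningful.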

Alternate login ID errors

| Error code | Error message | Troubleshooting steps |
| --- | --- | --- |
| ALTERNATE_LOGIN_ID_ERROR | Error: userObjectSid lookup failed | Verify that the user exists in your on-premises Active Directory instance. If you are using cross-forest trusts, contact support for further help. |
| ALTERNATE_LOGIN_ID_ERROR | Error: Alternate LoginId lookup failed | Verify that LDAP_ALTERNATE_LOGINID_ATTRIBUTE is set to a valid Active Directory attribute. If LDAP_FORCE_GLOBAL_CATALOG is set to True, or LDAP_LOOKUP_FORESTS is configured with a non-empty value, verify that you have configured a Global Catalog and that the AlternateLoginId attribute is added to it. If LDAP_LOOKUP_FORESTS is configured with a non-empty value, verify that the value is correct. If there is more than one forest name, the names must be separated with semicolons, not spaces. If these steps don't fix the problem, contact support for more help. |
| ALTERNATE_LOGIN_ID_ERROR | Error: Alternate LoginId value is empty | Verify that the AlternateLoginId attribute is configured for the user. |
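The three ALTERNATE_LOGIN_ID_ERROR rows each name a concrete condition that can be verified against Active Directory: the configured attribute must exist in the schema, it must be in the global catalog partial attribute set when LDAP_FORCE_GLOBAL_CATALOG or LDAP_LOOKUP_FORESTS is used, the forest list must be semicolon-separated, and the user must exist and carry a non-empty value. The following PowerShell script is an added example, not code from the Microsoft page or the extension. It assumes the three LDAP_* settings are stored as values under HKLM:\SOFTWARE\Microsoft\AzureMfa (an assumption; the page names the settings but not where they live), that the RSAT ActiveDirectory module is installed, and that the script runs on a domain-joined NPS server.

```powershell
# Added example, not from the Microsoft page: validate alternate login ID settings
# against Active Directory, one check per ALTERNATE_LOGIN_ID_ERROR row.
param(
    # sAMAccountName of a user who is hitting one of the alternate login ID errors
    [Parameter(Mandatory)][string]$SamAccountName
)

Import-Module ActiveDirectory -ErrorAction Stop

# Assumption: the LDAP_* settings are registry values under the extension's key.
$cfg     = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$attr    = $cfg.LDAP_ALTERNATE_LOGINID_ATTRIBUTE
$forceGc = (($cfg.LDAP_FORCE_GLOBAL_CATALOG -as [string]) -eq 'TRUE')
$forests = ($cfg.LDAP_LOOKUP_FORESTS -as [string])

if (-not $attr) {
    throw 'LDAP_ALTERNATE_LOGINID_ATTRIBUTE is not set; alternate login ID lookups are not in use.'
}

# Row "Alternate LoginId lookup failed", check 1: the attribute must exist in the schema.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$schemaAttr = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))" `
    -Properties isMemberOfPartialAttributeSet
if ($schemaAttr) {
    Write-Host "Attribute '$attr' exists in the AD schema."
} else {
    Write-Warning "LDAP_ALTERNATE_LOGINID_ATTRIBUTE='$attr' is not an attribute in the AD schema."
}

# Check 2: with a forced global catalog or cross-forest lookups, the attribute must be
# replicated to the GC, i.e. be a member of the partial attribute set.
if ($schemaAttr -and ($forceGc -or $forests)) {
    if ($schemaAttr.isMemberOfPartialAttributeSet) {
        Write-Host "Attribute '$attr' is replicated to the global catalog."
    } else {
        Write-Warning "LDAP_FORCE_GLOBAL_CATALOG or LDAP_LOOKUP_FORESTS is set, but '$attr' is not in the global catalog partial attribute set."
    }
}

# Check 3: forest names are separated with semicolons, never spaces, and each forest
# can actually be contacted from this server.
if ($forests) {
    if ($forests -match '\s') {
        Write-Warning "LDAP_LOOKUP_FORESTS contains whitespace: '$forests'. Separate forest names with semicolons only."
    }
    foreach ($forest in ($forests -split ';' | Where-Object { $_ })) {
        try {
            Get-ADForest -Identity $forest -ErrorAction Stop | Out-Null
            Write-Host "Forest '$forest' is reachable."
        } catch {
            Write-Warning "Forest '$forest' could not be contacted: $($_.Exception.Message)"
        }
    }
}

# Rows "userObjectSid lookup failed" and "Alternate LoginId value is empty": the user
# must exist locally and carry a non-empty value in the configured attribute.
try {
    $user = Get-ADUser -Identity $SamAccountName -Properties $attr -ErrorAction Stop
    if ([string]::IsNullOrEmpty($user.$attr)) {
        Write-Warning "User '$SamAccountName' exists but '$attr' is empty (matches 'Alternate LoginId value is empty')."
    } else {
        Write-Host "User '$SamAccountName' has $attr = $($user.$attr)"
    }
} catch {
    Write-Warning "User '$SamAccountName' was not found in the local forest (matches 'userObjectSid lookup failed'): $($_.Exception.Message)"
}
```

The schema lookup uses lDAPDisplayName, which is the form the LDAP_ALTERNATE_LOGINID_ATTRIBUTE value has to take; a display name such as "Mail" instead of "mail" would pass a visual check but fail the lookup, which is exactly what the second row describes.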

Errors your users may encounter

| Error code | Error message | Troubleshooting steps |
| --- | --- | --- |
| AccessDenied | Caller tenant does not have access permissions to do authentication for the user | Check whether the tenant domain and the domain of the user principal name (UPN) are the same. For example, make sure that user@contoso.com is trying to authenticate to the Contoso tenant. The UPN represents a valid user for the tenant in Azure. |
| AuthenticationMethodNotConfigured | The specified authentication method was not configured for the user | Have the user add or verify their verification methods according to the instructions in Manage your settings for two-step verification. |
| AuthenticationMethodNotSupported | Specified authentication method is not supported. | Collect all your logs that include this error, and contact support. When you contact support, provide the username and the secondary verification method that triggered the error. |
| BecAccessDenied | MSODS Bec call returned access denied, probably the username is not defined in the tenant | The user is present in Active Directory on-premises but is not synced into Azure AD by AD Connect. Or, the user is missing for the tenant. Add the user to Azure AD and have them add their verification methods according to the instructions in Manage your settings for two-step verification. |
| InvalidFormat or StrongAuthenticationServiceInvalidParameter | The phone number is in an unrecognizable format | Have the user correct their verification phone numbers. |
| InvalidSession | The specified session is invalid or may have expired | The session has taken more than three minutes to complete. Verify that the user is entering the verification code, or responding to the app notification, within three minutes of initiating the authentication request. If that doesn't fix the problem, check that there are no network latencies between the client, NAS server, NPS server, and the Azure AD MFA endpoint. |
| NoDefaultAuthenticationMethodIsConfigured | No default authentication method was configured for the user | Have the user add or verify their verification methods according to the instructions in Manage your settings for two-step verification. Verify that the user has chosen a default authentication method, and configured that method for their account. |
| OathCodePinIncorrect | Wrong code and pin entered. | This error is not expected in the NPS extension. If your user encounters this, contact support for troubleshooting help. |
| ProofDataNotFound | Proof data was not configured for the specified authentication method. | Have the user try a different verification method, or add a new verification method according to the instructions in Manage your settings for two-step verification. If the user continues to see this error after you have confirmed that their verification method is set up correctly, contact support. |
| SMSAuthFailedWrongCodePinEntered | Wrong code and pin entered. (OneWaySMS) | This error is not expected in the NPS extension. If your user encounters this, contact support for troubleshooting help. |
| TenantIsBlocked | Tenant is blocked | Contact support with the Tenant ID from the Azure AD properties page in the Azure portal. |
| UserNotFound | The specified user was not found | The tenant is no longer visible as active in Azure AD. Check that your subscription is active and you have the required first-party apps. Also make sure the tenant in the certificate subject is as expected and the cert is still valid and registered under the service principal. |

Messages your users may encounter that aren't errors

Sometimes, your users may get messages from Multi-Factor Authentication because their authentication request failed. These aren't errors in the product or configuration, but are intentional warnings explaining why an authentication request was denied.

| Error code | Error message | Recommended steps |
| --- | --- | --- |
| OathCodeIncorrect | Wrong code entered\OATH Code Incorrect | The user entered the wrong code. Have them try again by requesting a new code or signing in again. |
| SMSAuthFailedMaxAllowedCodeRetryReached | Maximum allowed code retry reached | The user failed the verification challenge too many times. Depending on your settings, they may need to be unblocked by an admin now. |
| SMSAuthFailedWrongCodeEntered | Wrong code entered/Text Message OTP Incorrect | The user entered the wrong code. Have them try again by requesting a new code or signing in again. |

Errors that require support

If you encounter one of these errors, we recommend that you contact support for diagnostic help. There's no standard set of steps that can address these errors. When you do contact support, be sure to include as much information as possible about the steps that led to the error, and your tenant information.

| Error code | Error message |
| --- | --- |
| InvalidParameter | Request must not be null |
| InvalidParameter | ObjectId must not be null or empty for ReplicationScope:{0} |
| InvalidParameter | The length of CompanyName {0}\ is longer than the maximum allowed length {1} |
| InvalidParameter | UserPrincipalName must not be null or empty |
| InvalidParameter | The provided TenantId is not in correct format |
| InvalidParameter | SessionId must not be null or empty |
| InvalidParameter | Could not resolve any ProofData from request or Msods. The ProofData is unKnown |
| InternalError | |
| OathCodePinIncorrect | |
| VersionNotSupported | |
| MFAPinNotSetup | |

Next steps

Troubleshoot user accounts

If your users are having trouble with two-step verification, help them self-diagnose problems.

Health check script

The Azure AD MFA NPS Extension health check script performs a basic health check when troubleshooting the NPS extension. Run the script and choose option 3.

Contact Microsoft support

If you need additional help, contact a support professional through Azure Multi-Factor Authentication Server support. When contacting us, it's helpful if you can include as much information about your issue as possible. Information you can supply includes the page where you saw the error, the specific error code, the specific session ID, the ID of the user who saw the error, and debug logs.

To collect debug logs for support diagnostics, use the following steps on the NPS server:

  1. Open Registry Editor, browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa, and set VERBOSE_LOG to TRUE.

  2. Open an Administrator command prompt and run these commands:

    Mkdir c:\NPS
    Cd c:\NPS
    netsh trace start Scenario=NetConnection capture=yes tracefile=c:\NPS\nettrace.etl
    logman create trace "NPSExtension" -ow -o c:\NPS\NPSExtension.etl -p {7237ED00-E119-430B-AB0F-C63360C8EE81} 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 4096 -ets
    logman update trace "NPSExtension" -p {EC2E6D3A-C958-4C76-8EA4-0262520886FF} 0xffffffffffffffff 0xff -ets
    
  3. Reproduce the issue.

  4. Stop the tracing with these commands:

    logman stop "NPSExtension" -ets
    netsh trace stop
    wevtutil epl AuthNOptCh C:\NPS\%computername%_AuthNOptCh.evtx
    wevtutil epl AuthZOptCh C:\NPS\%computername%_AuthZOptCh.evtx
    wevtutil epl AuthZAdminCh C:\NPS\%computername%_AuthZAdminCh.evtx
    Start .
    
  5. Open Registry Editor, browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa, and set VERBOSE_LOG back to FALSE.

  6. Zip the contents of the C:\NPS folder and attach the zipped file to the support case.
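The six steps above are a single procedure that is easy to get wrong by hand, most commonly by leaving VERBOSE_LOG at TRUE after the capture or by forgetting to stop the ETW session. The following PowerShell script is an added example that wraps the page's own commands in a try/finally so the traces are always stopped and verbose logging is always switched back off; it is not part of the Microsoft page or the extension. It assumes an elevated PowerShell session on the NPS server, that VERBOSE_LOG is a string value (TRUE/FALSE) under the registry key the page names, and that Compress-Archive (PowerShell 5 or later) is available. The provider GUIDs, channel names and trace parameters are the ones from the page.

```powershell
# Added example, not from the Microsoft page: collect NPS extension debug logs for a
# support case, following steps 1-6 above, with guaranteed cleanup.
$regKey   = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$outDir   = 'C:\NPS'
$provider1 = '{7237ED00-E119-430B-AB0F-C63360C8EE81}'   # ETW providers from the page
$provider2 = '{EC2E6D3A-C958-4C76-8EA4-0262520886FF}'

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Step 1: turn on verbose extension logging (assumption: REG_SZ value TRUE/FALSE).
Set-ItemProperty -Path $regKey -Name VERBOSE_LOG -Value 'TRUE' -Type String

try {
    # Step 2: start the network capture and the extension's ETW trace session.
    netsh trace start Scenario=NetConnection capture=yes tracefile="$outDir\nettrace.etl"
    logman create trace "NPSExtension" -ow -o "$outDir\NPSExtension.etl" `
        -p $provider1 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 4096 -ets
    logman update trace "NPSExtension" -p $provider2 0xffffffffffffffff 0xff -ets

    # Step 3: reproduce the failing authentication while the traces are running.
    Read-Host 'Reproduce the issue now, then press Enter to stop tracing'
}
finally {
    # Step 4: stop both traces and export the extension's event channels.
    # /ow:true overwrites an export left over from an earlier run.
    logman stop "NPSExtension" -ets
    netsh trace stop
    foreach ($channel in 'AuthNOptCh', 'AuthZOptCh', 'AuthZAdminCh') {
        wevtutil epl $channel "$outDir\${env:COMPUTERNAME}_$channel.evtx" /ow:true
    }

    # Step 5: always turn verbose logging back off, even if something above failed.
    Set-ItemProperty -Path $regKey -Name VERBOSE_LOG -Value 'FALSE' -Type String
}

# Step 6: zip the folder for the support case. The archive is written outside
# $outDir so that it does not try to include itself.
$zip = "C:\NPS-debug-${env:COMPUTERNAME}-$(Get-Date -Format 'yyyyMMdd-HHmm').zip"
Compress-Archive -Path "$outDir\*" -DestinationPath $zip -Force
Write-Host "Attach $zip to the support case."
```

Keep in mind that the netsh capture records packet contents, so the resulting archive contains RADIUS traffic between the NAS and the NPS server; share it only through the support case itself.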