Citrix NetScaler Gateway: NPS Extension for Azure MFA fails after introducing the Microsoft Domain Controller security baseline

Microsoft offers a nice set of security baseline GPOs, for direct use in your Active Directory environment. If you make use of the “MSFT Windows Server 2022 – Domain Controller” policy, your NPS installation might start to fail.

Introduction

Many of you probably have a Citrix NetScaler Gateway installation based on the following concept:

Manuel Winkel (deyda):

Microsoft Azure MFA Cloud Service in Citrix ADC

Thomas Preischl:

Citrix ADC / Netscaler Azure MFA Authentication

Those articles describe, how someone can implement Azure MFA with Microsoft Authenticator App pushOTP and an on-premises Microsoft NPS server, without making use of SAML, which is necessary, if you use the ICAProxy Gateway only license for Citrix NetScaler Gateway.

The Error

While implementing the Microsoft security baselines at a customers’ site, we also introduced the Domain Controllers security baseline called:
MSFT Windows Server 2022 – Domain Controller

MSFT Windows Server 2022 - Domain Controller
MSFT Windows Server 2022 – Domain Controller

A few minutes later, the external Citrix NetScaler Gateway authentication stopped working. Users would only receive the error:
Unknown username or password

Citrix NetScaler Gateway - Login failed
Citrix NetScaler Gateway – Login failed

Troubleshooting on the Citrix NetScaler Gateway through the aaad.debug showed the following error:

MS-CHAP error ERROR_AUTHENTICATION_FAILURE (691)

MS-CHAP error ERROR_AUTHENTICATION_FAILURE (691)
MS-CHAP error ERROR_AUTHENTICATION_FAILURE (691)

While the event viewer on the NPS server told us:

NPS Extension for Azure MFA: NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User Marco.Hofmann with response state AccessReject, ignoring request.

NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User Marco.Hofmann with response state AccessReject, ignoring request.
NPS Extension for Azure MFA only performs Secondary Auth for Radius requests in AccessAccept State. Request received for User Marco.Hofmann with response state AccessReject, ignoring request.

The solution

The error weren’t helpful at all. We spent quite too much time searching for an indicator of what might be the issue. We knew it must have to do with the Domain Controller security baseline. Finally, we stumbled at the following post from serverfault.com:

https://serverfault.com/questions/608227/authentication-via-radius-mschapv2-error-691

One of my colleagues was at a Microsoft conference having various discussions when it dawned on him that MSCHAPv2 relies on NTLM to generate the password challenges and responses. Now plain old MSCHAP and MSCHAPv2 (i.e. not EAP-MSCHAPv2 or PEAP) when used in Windows RAS services will use NTLMv1 by default.

As many of of you have already started to catch on, we, like many administrators, have disabled NTLMv1 on our DCs and as such the DCs will only accept NTLMv2 requests. This explains why the failure I continued to get was a “bad password” error. The password being sent to the DCs was in NTLMv1 format and was getting ignored.

This post then lets to a Microsoft article, with the solution:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/rras-vpn-connections-fail-ms-chapv2-authentication

For example, when you set this value to 5 (Send NTLMv2 response only. Refuse LM & NTLM), the DC won’t accept any requests that use NTLM authentication. When MS-CHAP or MS-CHAPv2 are configured, RAS in Windows Server 2008 R2 will default to NTLM to hash the password. Because the DC only accepts NTLMv2, the request will be denied.

Microsoft NPS on Windows Server 2019 and 2022 will use NTLMv1 by default, if you make use of MS-CHAPv2. And the MSFT Windows Server 2022 – Domain Controller security baseline will turn off NTLMv1 for your Domain Controllers, which will break your NPS server.

To enable NTLMv2 for MS-CHAPv2, you must set the following registry key on your NPS server, and restart the NPS service, and it will start working again:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy]
"Enable NTLMv2 Compatibility"=dword:00000001

Enable NTLMv2 Compatibility
Enable NTLMv2 Compatibility

I hope this will help someone else!

Transition from BIS-F version 6.1.3 to 7.1912.x

With the release of the Base Image Script Framework (BIS-F) version 7.1912.x a few minor changes in the ADMX template files occurred.

We are going to outline the changes necessary to your current deployment.

Continue reading “Transition from BIS-F version 6.1.3 to 7.1912.x”

My first time: Citrix Machine Creation Services (MCS)

After years of MCS virginity I decided it’s finally time to ditch the little farms and try out good ol’ Citrix Machine Creation Services.

Introduction

So today is my very first time: After years of MCS virginity I decided it’s finally time to ditch the little farms and try out good ol’ Citrix Machine Creation Services. In the last ten years I almost exclusively installed small deployments. The big ones have about 150 concurrent user. All are build upon XenApp 6.5 or XenApp 7.6+ with static persistent virtual machines. I always told myself, that static persistent virtual machines, together with a fully automated patch management (for example: PDQ) are enough. And this is still true, because the maintenance effort is virtually not existent. But it really bugs me, that I’m not equally familiar with at least one of the provisioning methods. You might ask, why I don’t try to learn PVS instead. Well, the simple reason is that my stomach tells me not to. The more valid reason is that MCS is included in every XenApp license and doesn’t require additional infrastructure. And additional infrastructure is always a really big topic for the customer.

This blog post won’t be a real classical Blog HowTo Guide, but more of a report of my journey to help me keep track about what I do. Maybe others suffer the same knowledge gap and are interested in my findings and the path I take. Continue reading “My first time: Citrix Machine Creation Services (MCS)”

Group Policy: Show only specified Control Panel items for Outlook 2016 via Office 365

Quick Tip Blog article: HowTo whitelist the Outlook 2016/Office 365 control panel item correctly.

I just stumbled over something at a customers environment. We had a Outlook 2016 / Office 365 problem in a XenApp session. We tried to access the Outlook control panel item, but it was missing. This was no surprise, as we have the GPO…

…enabled in every environment. This acts as a whitelisting for the control panel items, so the user only has access to those items, that matter to him. Continue reading “Group Policy: Show only specified Control Panel items for Outlook 2016 via Office 365”

Taking back control of Windows Update: Install Updates when you want to!

For years we were more than unsatisfied with the options we had to choose from to patch our Microsoft Windows Servers. Without additional utility you are restricted to the few options Group Policy offers. So as I am always searching for a simple but efficient solution to such a painful problem, I combined two fantastic tools, to a powerful Windows Update Scheduler: PDQ Deploy and ABC Update.

tl;dr: If you choose option “3 – Auto download and notify for install” for your WSUS Group Policy, you can take any advanced Task Scheduler like PDQ Deploy in combination with ABC-Update to install Windows Updates scheduled the way YOU want it to be!

Prologue, where is my problem?

First let’s take a look at the options Microsoft offers us and why I refuse to rely on those. If I’m not completely mistaken the only Policy to choose when to patch Windows Updates has been “Configure Automatic Updates” since ever: Continue reading “Taking back control of Windows Update: Install Updates when you want to!”