Troubleshooting the NPS extension for Azure/Entra ID MFA in a Government tenant

Question:

I am trying to configure the NPS extension for Azure/Entra ID MFA in a GCC tenant, but I keep getting an ESTS_TOKEN_ERROR when I attempt to authenticate. The error message says that the tenant request is being redirected to the National Cloud MicrosoftOnline.COM. I have followed the Microsoft guides and re-run the configuration script, but the error persists. I have also run the troubleshooter script and found that the certificate is not properly installed in the cloud. All the certificates I have generated have the same key and no thumbprint. How can I resolve this certificate issue and enable MFA for my NPS server? I have also tried to specify the AzureEnvironment parameter in the AzureMfaNpsExtnConfigSetup.ps1 script as instructed for Government users, but it did not make any difference. My scenario is to use MFA for an Always-On VPN group of computers.

Answer:

How to fix the ESTS_TOKEN_ERROR when using the NPS extension for Azure/Entra ID MFA in a GCC tenant

If you are trying to use the Network Policy Server (NPS) extension for Azure/Entra ID multifactor authentication (MFA) in a Government Community Cloud (GCC) tenant, you might encounter an error like this:

```
ESTS_TOKEN_ERROR Msg:: Unable to get Azure AD access token. [Reason:AADSTS90038: Tenant 'ID' request is being redirected to the National Cloud 'MicrosoftOnline.COM'
```

This error indicates that the NPS extension is not able to obtain an access token from Azure Active Directory (Azure AD) because the tenant is located in a different cloud environment than the default one. To fix this error, you need to make sure that the NPS extension is configured correctly for your cloud environment and that the certificate used by the extension is valid and matches the one registered in Azure AD.

The NPS extension supports different cloud environments, such as Azure for US Government or Azure operated by 21Vianet. To configure the NPS extension for your cloud environment, you need to edit the AzureMfaNpsExtnConfigSetup.ps1 script that you used to install the extension and add the AzureEnvironment parameter with the appropriate value. For example, if you are using Azure for US Government, you need to add `-AzureEnvironment USGovernment` to the script.

You can find the AzureMfaNpsExtnConfigSetup.ps1 script in the installation folder of the NPS extension, which is typically `C:\Program Files\Microsoft\AzureMfa\Config`. You can also download the latest version of the script from [here].

After you edit the script, you need to run it again with your Azure AD admin credentials and the tenant ID that you copied during the installation. This will update the configuration of the NPS extension and restart the NPS service.

Verify the certificate used by the NPS extension

The NPS extension uses a certificate to authenticate with Azure AD and obtain an access token. The certificate is generated by the AzureMfaNpsExtnConfigSetup.ps1 script and stored in the local machine store of the NPS server. The public key of the certificate is also associated with the service principal of the NPS extension in Azure AD.

To verify that the certificate used by the NPS extension is valid and matches the one registered in Azure AD, you can use the troubleshooter script that is included in the installation folder of the NPS extension. The script is called MFA_NPS_Troubleshooter.ps1 and you can also download it from [here].

The troubleshooter script performs several checks and generates a report in HTML format. The report shows the status of each check and provides recommendations for fixing any issues. One of the checks is to verify that there is a matched certificate with Azure MFA. If this check fails, it means that the certificate used by the NPS extension is either expired, revoked, or does not match the one registered in Azure AD.

To fix this issue, you need to generate a new certificate and associate it with the service principal of the NPS extension in Azure AD. You can do this by running the AzureMfaNpsExtnConfigSetup.ps1 script again with the `-NewCertificate` parameter. This will create a new self-signed certificate, store it in the local machine store, grant access to the network user, and update the service principal in Azure AD. You can also use your own certificates, but you need to make sure that the public key of your certificate is associated with the service principal in Azure AD.

After you generate a new certificate, you need to restart the NPS service and run the troubleshooter script again to verify that the certificate issue is resolved.

Conclusion

In this article, we have explained how to fix the ESTS_TOKEN_ERROR when using the NPS extension for Azure/Entra ID MFA in a GCC tenant. The error is caused by the mismatch between the cloud environment of the tenant and the configuration of the NPS extension. To fix the error, you need to configure the NPS extension for your cloud environment and verify the certificate used by the extension. We hope this article helps you to enable MFA for your NPS server and secure your Always-On VPN group of computers.
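As an added example, not part of the original answer or of Microsoft's own scripts, the following PowerShell check covers both halves of the fix from the NPS server: it lists the certificates the setup script created for the tenant in the local machine store, then signs in to Microsoft Graph for the chosen cloud and compares their thumbprints with the key credentials registered on the Azure Multi-Factor Auth Client service principal. It assumes the Microsoft.Graph PowerShell module is installed, that `$TenantId` is your tenant ID, and that `$GraphEnvironment` is the `Connect-MgGraph -Environment` value for your cloud (`USGov` here, `Global` for a commercial tenant).

```powershell
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [string] $GraphEnvironment = 'USGov'   # Connect-MgGraph -Environment value; 'Global' for commercial
)

# 1. Local side: AzureMfaNpsExtnConfigSetup.ps1 issues a self-signed certificate whose
#    subject carries the tenant ID and stores it in LocalMachine\My.
$local = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$TenantId*" }
if (-not $local) {
    throw "No certificate with CN=$TenantId in LocalMachine\My; re-run AzureMfaNpsExtnConfigSetup.ps1"
}

foreach ($c in $local) {
    $state = if ($c.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
    $pk    = if ($c.HasPrivateKey) { 'yes' } else { 'NO' }   # no private key = cannot sign token requests
    '{0}  expires {1:u}  {2}  private key: {3}' -f $c.Thumbprint, $c.NotAfter, $state, $pk
}

# 2. Cloud side: the extension authenticates as the first-party 'Azure Multi-Factor Auth Client'
#    service principal (well-known appId below), so its public key must be registered there.
#    Signing in with the wrong -Environment reproduces the AADSTS90038 redirect on this side too.
Connect-MgGraph -Environment $GraphEnvironment -TenantId $TenantId `
    -Scopes 'Application.Read.All' | Out-Null
$sp = Get-MgServicePrincipal -Filter "appId eq '981f26a1-7f43-403b-a875-f8b09b8cd720'"
if (-not $sp) { throw 'Azure Multi-Factor Auth Client service principal not found in this tenant' }

# customKeyIdentifier defaults to the certificate thumbprint (SHA-1, as raw bytes) when a
# key credential is registered, so hex-encode it for comparison with the local thumbprints.
$cloudThumbs = $sp.KeyCredentials | ForEach-Object {
    ($_.CustomKeyIdentifier | ForEach-Object { $_.ToString('X2') }) -join ''
}

foreach ($c in $local) {
    if ($cloudThumbs -contains $c.Thumbprint) {
        "MATCH   $($c.Thumbprint) is registered on the service principal"
    } else {
        "MISSING $($c.Thumbprint) is not registered; re-run the setup script with -NewCertificate"
    }
}
```

A certificate reported as `valid` with a private key and `MATCH` rules out the certificate side of the failure, which leaves the cloud-environment setting as the remaining cause.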
