More information is required to complete OTP authentication. Contact your administrator to resolve this issue.

Hi guys

I am trying to configure my DA environment with OTP using Azure MFA.

I used the instructions from TechNet about OTP

I have MFA Server as my RADIUS server, I synced the users from Active Directory, I created a new user named DAProbe (didn't see yet how it does something in the authentication process but... oh well)

The DA clients got the OTP policy successfully. As the DA client tries to connect, it gets an "Action Needed" prompt. I click on it, press Alt-Ctrl-Delete and choose One Time Password for the second factor authentication.

At this stage I'm required to enter my OTP, though I don't get any text message (as I configured on my RADIUS).

I enter my active directory password and then I get this message:

Now it seems normal; at this stage I also get a text message to the mobile phone with an OTP, but when I enter the OTP I get this message:

The credentials aren't correct. Please try again

I try the process over and over again. It is definitely not the wrong OTP. Any ideas?

I think it's odd I need to enter my AD credentials again on the DA connection. Maybe there's something wrong with the OTP settings?

I'm not sure what's the proper way to troubleshoot this issue. Maybe I should somehow concatenate my password with my OTP on the same password window?

hope to get some help

thanks

May 2nd, 2015 3:22pm

A small update

I enabled OTPcredentialProvider log on the client side and when I try the authentication process I see this warning:

May 2nd, 2015 4:31pm

Hi,

Your DirectAccess client must create a certificate request. This request will be submitted with the PIN code to the DirectAccess Gateway, which will sign the request if the RADIUS response is OK. At the current time, MFA does not seem to be supported with DirectAccess. You can vote for it: http://feedback.azure.com/forums/169401-azure-active-directory/suggestions/5744793-add-multifactor-authentication-mfa-support-for-d.

It may work with MFA Server installed on-premises, but not sure Microsoft will invest time in it.

Does your DirectAccess Gateway have a certificate with the signature purpose to be used to sign certificate requests submitted by your DirectAccess clients?

May 3rd, 2015 7:21am

So basically my chances are zero at the moment to get it to work with the MFA Server in my environment?

I created 2 certificates for OTP according to the guide in TechNet.

May 3rd, 2015 3:42pm

Hi,

For MFA hosted in Microsoft Azure, yes, it's not supported. For on-premise MFA, I haven't tested it yet, but my feeling is that it will be complicated.

May 4th, 2015 3:44am

This topic is archived. No further replies will be accepted.
