John

Reputation: 1

Azure Multi-Factor Authentication Server log in Failures

I have installed an Azure MFA on our network to provide two-form ID for our VPN. We are using the Azure MFA pay-as-you-go option where users are added and charged as we add them to the server.

I have imported the users from AD. Ninety percent of the users imported work fine. I have both enabled and not enabled users listed on the server.

When I run a test from within the MFA server the authentication process works. The server will call the number I have listed, and when I press the # key to accept, the system returns that the user authenticated OK.

The ones I am having problems with will authenticate when I use the test button on the MFA server, but when I try to use the same user to log in to the VPN I get this error:

Pfauth failed for user '[email protected],CN=Users,DC=xxxx,DC=com' (distinguishedName format) from xxx.xxx.xxx.xxx. Call status: SKIPPED_NO_USER - "Couldn't match supplied username to a defined user".

Other users have no problem logging in.

I have tried to re-import the user and recreate the user manually in the MFA server; nothing changes the results.

It looks to me like the error is that the MFA server does not recognize the server. Has anyone seen this problem, or can anyone direct me to things to check?

Upvotes: 0

Views: 6246

Answers (1)

Shawn Bishop

Reputation: 1

It looks like you are either securing the VPN using LDAP, or are using RADIUS but doing the primary authentication using LDAP bind. After primary authentication is performed, the MFA Server needs to find the user in its data store to look up the phone number and auth method configured. It either uses Windows SIDs or LDAP unique identifiers to do that lookup. Take a look at Company Settings-->Username Resolution in the MFA Server. It is set to use Windows SIDs by default. Try changing that to use LDAP unique identifiers.

Upvotes: 0
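When only some accounts fail with SKIPPED_NO_USER, the quickest way to see the scope of the problem is to triage the MFA Server log for these lines and list the affected accounts before checking their username resolution. The following is an added Python example, not code from the question, the answer, or Microsoft; the regular expression is modelled on the single failure line quoted in the question and is an assumption about the log format, and the sample log lines below are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Pattern for the "Pfauth failed for user ..." line shape shown in the question.
# Assumption: other MFA Server log lines may use a different layout; such lines
# are simply skipped by parse_pfauth_line().
PFAUTH_RE = re.compile(
    r"Pfauth failed for user '(?P<user>[^']+)'"   # supplied username (may be DN format)
    r"(?: \((?P<fmt>[^)]+)\))?"                   # optional "(distinguishedName format)"
    r" from (?P<src>\S+)\."                       # source address of the request
    r" Call status: (?P<status>[A-Z_]+)"          # e.g. SKIPPED_NO_USER
    r'(?: - "(?P<detail>[^"]*)")?'                # optional quoted explanation
)

# Constructed sample log lines in the same shape as the line quoted in the
# question; the addresses and accounts are placeholders, not real data.
SAMPLE_LINES = [
    "Pfauth failed for user 'user1@example.com,CN=Users,DC=example,DC=com' "
    "(distinguishedName format) from 203.0.113.10. Call status: SKIPPED_NO_USER "
    "- \"Couldn't match supplied username to a defined user\".",
    "Pfauth failed for user 'user2@example.com,CN=Users,DC=example,DC=com' "
    "(distinguishedName format) from 203.0.113.10. Call status: SKIPPED_NO_USER "
    "- \"Couldn't match supplied username to a defined user\".",
    "Pfauth failed for user 'user3@example.com' from 203.0.113.11. "
    "Call status: SKIPPED_NO_USER - \"Couldn't match supplied username to a defined user\".",
    "2024-01-01 00:00:00 unrelated line that should be ignored by the parser",
]


def leading_identity(user):
    """Return the part before the first comma.

    When the VPN passes the username in distinguishedName format, the first RDN
    carries the UPN or sAMAccountName that was supplied; that is the value to
    look up in AD (objectSid / objectGUID) when checking username resolution.
    """
    return user.split(",", 1)[0]


def parse_pfauth_line(line):
    """Parse one MFA Server failure line into a dict, or None if it does not match."""
    m = PFAUTH_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["account"] = leading_identity(rec["user"])
    return rec


def summarize(lines):
    """Count failures per call status and collect the distinct accounts per status."""
    by_status = Counter()
    accounts_by_status = defaultdict(set)
    for line in lines:
        rec = parse_pfauth_line(line)
        if rec is None:
            continue
        by_status[rec["status"]] += 1
        accounts_by_status[rec["status"]].add(rec["account"])
    return by_status, accounts_by_status


if __name__ == "__main__":
    counts, accounts = summarize(SAMPLE_LINES)
    for status, n in counts.items():
        print(f"{status}: {n} failure(s) for {len(accounts[status])} account(s)")
        for acct in sorted(accounts[status]):
            print(f"  {acct}")
```

The list of accounts under SKIPPED_NO_USER is the set to compare against what the MFA Server has in its data store; if they are exactly the users imported or created differently from the working ones, the Username Resolution setting the answer mentions is the first thing to check.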
