VPN Connection error 812 when setting up RADIUS for Azure Multi Factor Authentication

I set up a clean Windows Server 2012 R2 machine as a Domain Controller with a fixed IP on my network.  I used this checklist to configure my VPN: http://www.thomasmaurer.ch/2014/01/how-to-install-vpn-on-windows-server-2012-r2/.  Testing the VPN connection using Windows Domain I had no issues.

Then I installed Azure Multi Factor authentication, and set up my RADIUS configuration using the following checklist: https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-get-started-server-radius/. On my server, I opened Routing and Remote Access and set the Security authentication provider as "RADIUS" and configured accordingly.

Now, when I try to VPN to my server, I get an error 812 "812: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.". I've tried numerous checklists online and could not find a solution.  The event viewer doesn't provide much information either besides giving me the name of the user attempting to connect.

On the connecting client, under VPN properties, Security, I tried setting "allow these protocols" and "MS Chap v2".  I also tried selecting PPTP as the VPN type rather than automatic. Still the same issue occurs.

I appreciate your help.
FDC2005 asked:
btan (Exec Consultant) commented:
You may want to check this out on top of the Azure reference, as there seems to be a registry value to set, and SSTP is used instead:
The issue seems to be with PEAP/EAP/MS-CHAP-v2 authentication.  I was able to get SSTP/MS-CHAP-v2 without PEAP/EAP working with Azure MFA.

RRAS RADIUS --> Azure MFA RADIUS client, Azure MFA RADIUS Target --> NPS RADIUS

The VPN client must use this registry setting to extend the authentication time; otherwise you'll be fighting to answer the Azure MFA call before the VPN client times out.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP : MaxConfigure = 10

Change this to 30, as suggested here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/577ed20c-ba0f-442a-9d12-45438e3757db/phonefactor-with-rraswindows-server-2003-vpn-client-timeout-after-20-seconds-too-fast?forum=winserverNAP

Also be sure to change RADIUS timeouts in RRAS to at least 30-45 seconds or you'll be hit with an unhelpful error.
https://social.msdn.microsoft.com/Forums/sqlserver/en-US/7ea7e6bb-52f8-4549-bea1-3662b4046ee2/rras-sstp-vpn-with-radius-and-multifactor-authentication?forum=windowsazureactiveauthentication

Further, a computer certificate needs to be installed on the VPN client machine.
On the remote VPN client:
Install the root CA certificate for the CA that issued the server authentication certificate into the store Local Computer\Trusted Root Certification Authorities. This is required for the client to trust the server authentication certificate presented by the server.

If the client will need to use IKEv2 VPN connections to the server, then a client authentication certificate that was issued by the CA must be installed in the store Local Computer\Personal.
https://technet.microsoft.com/en-us/library/dd458982.aspx
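The three changes described above (client-side MaxConfigure, RRAS RADIUS timeout, and the client's trusted root for SSTP) as a PowerShell script. This is an added example for this thread, not code from the posts above or from Microsoft. It assumes PowerShell 3 or later run as Administrator, the RemoteAccess module that ships with the RRAS role on Windows Server 2012 R2 for the server-side function, and placeholder names for the MFA RADIUS server and the issuing CA.

```powershell
# Added example, not from the original thread. Names marked "placeholder" are assumptions.

function Set-VpnClientMfaTimeout {
    # Run on the VPN client. MaxConfigure is a DWORD retry count for PPP
    # Configure-Requests; the thread raises it from the default 10 to 30 so the
    # client keeps waiting while Azure MFA places the phone call.
    $pppKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP'
    $before = (Get-ItemProperty -Path $pppKey -Name MaxConfigure -ErrorAction SilentlyContinue).MaxConfigure
    Write-Host "MaxConfigure before: $before (unset means the default of 10)"
    Set-ItemProperty -Path $pppKey -Name MaxConfigure -Value 30 -Type DWord
    # RasMan reads the value at start-up; restarting it drops any live VPN session.
    Restart-Service -Name RasMan -Force
    $after = (Get-ItemProperty -Path $pppKey -Name MaxConfigure).MaxConfigure
    if ($after -ne 30) { throw "MaxConfigure is $after, expected 30" }
}

function Set-RrasRadiusTimeout {
    # Run on the RRAS server. The thread recommends 30-45 s; anything shorter and
    # RRAS gives up on the MFA RADIUS server before the user can answer.
    param(
        [string]$RadiusServer = 'mfa-radius.corp.example',  # placeholder: the MFA server as entered in RRAS
        [uint32]$TimeoutSeconds = 45
    )
    Import-Module RemoteAccess
    Set-RemoteAccessRadius -ServerName $RadiusServer -Purpose Authentication -Timeout $TimeoutSeconds
    # Show the resulting RADIUS server list so the change can be eyeballed.
    Get-RemoteAccessRadius -Purpose Authentication | Format-Table ServerName, Port, Timeout, Score -AutoSize
}

function Test-VpnClientRootCa {
    # Run on the VPN client. SSTP is TLS, so the CA that issued the RRAS server
    # certificate must sit in Local Computer\Trusted Root Certification Authorities.
    param([string]$CaSubject = 'CN=Corp-Root-CA')  # placeholder: subject of your issuing root CA
    $trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $CaSubject }
    if (-not $trusted) {
        Write-Warning "Root CA '$CaSubject' is not in Local Computer\Trusted Root; the SSTP TLS handshake will fail"
        return $false
    }
    Write-Host "Root CA '$CaSubject' trusted, thumbprint $($trusted.Thumbprint)"
    return $true
}

# Typical use:
#   on the client : Set-VpnClientMfaTimeout; Test-VpnClientRootCa -CaSubject 'CN=Corp-Root-CA'
#   on the server : Set-RrasRadiusTimeout -RadiusServer 'mfa-radius.corp.example' -TimeoutSeconds 45
```

If the RemoteAccess cmdlets are not present on your RRAS build, the same timeout lives in the Routing and Remote Access console under the server's Security tab, RADIUS Authentication, Configure. Note that the client-side retry count and the server-side RADIUS timeout are independent; both have to be long enough to outlast the MFA call, or you get the unhelpful error the post mentions.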
FDC2005 (Author) commented:
Apologies for the delay in responding... we eventually figured it out. MFA does not work if installed on the domain controller box in Windows Server 2012 R2. We talked to Microsoft about it and they were unable to get it to work when MFA is running on the domain controller (even though they agreed that there is no documentation saying it cannot be installed on the domain controller). We previously had this exact setup working, but it was Windows Server 2003 and MFA (on same box). But now that we "upgraded" to Windows Server 2012R2 we found we must have a separate box to run MFA.

Regards,
-Frank.

btan (Exec Consultant) commented:
Thanks for sharing. Apparently this is not new on the MS forum either: setting up VPN with MFA on a box that is also a DC failed. They need to be separated. There is no official MS documentation, but it seems there is more to these undocumented issues than the public is told.

https://social.msdn.microsoft.com/Forums/vstudio/en-US/ed6fc7be-5fb6-4314-957e-44827cc53895/windows-server-2012-r2-vpnrras-mfa-fails-with-error-812-does-mfa-require-its-own-host?forum=windowsazureactiveauthentication
btan (Exec Consultant) commented:
I hope the last post helps to give a heads-up to the community. Thanks.
FDC2005 (Author) commented:
For more information, see our posting on Microsoft: "Windows Server 2012 R2 + VPN(RRAS) + MFA fails with Error 812. Does MFA require its own host?"
btan (Exec Consultant) commented:
Thanks for sharing - I believe you meant my last post link. Hope it has assisted.
Problem: On Windows Server 2012 R2 promoted to domain controller, using VPN (RRAS) configured for Azure Multi-Factor Authentication (MFA) as a RADIUS server, VPN connection attempts fail immediately with Error 812. If we configure RRAS to use the domain rather than MFA, VPN connection attempts succeed. We can use NTRadPing to talk to the MFA RADIUS server, so we know it is alive and working. But as soon as we point RRAS at MFA, VPN connection attempts fail with Error 812. There are no MFA log entries when this occurs; it looks like RRAS never even attempts to talk with MFA.

Workaround: Move MFA to its own host, e.g. a VM running Windows 7. Once we did this, VPN connection attempts authenticate via MFA and life is good.
https://social.msdn.microsoft.com/Forums/vstudio/en-US/ed6fc7be-5fb6-4314-957e-44827cc53895/windows-server-2012-r2-vpnrras-mfa-fails-with-error-812-does-mfa-require-its-own-host?forum=windowsazureactiveauthentication
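The writeup above separates two questions: is the MFA RADIUS server alive and holding the right shared secret (which NTRadPing answered), and is this box a domain controller (which turned out to be the real problem). The script below is an added example for this thread, not code from the posts or from NTRadPing. It checks the machine's domain role, then hand-builds an RFC 2865 Access-Request with a PAP User-Password and verifies the Response Authenticator on the reply, so a wrong shared secret shows up as a failed check rather than a silent reject. Host, secret, test account, NAS-IP-Address and port 1812 are placeholders; it assumes PowerShell 3 or later.

```powershell
# Added example, not from the original thread. Placeholders are assumptions.
$radiusHost = 'mfa-radius.corp.example'   # placeholder: MFA Server RADIUS address
$radiusPort = 1812                        # placeholder: RADIUS authentication port
$secret     = 'ChangeMe-SharedSecret'     # placeholder: must match the client entry on the MFA server
$userName   = 'CORP\vpntest'              # placeholder: a throwaway test account
$password   = 'P@ssw0rd!'                 # placeholder

# 1. DomainRole 4 = backup DC, 5 = primary DC. The thread's finding: MFA Server on
#    a 2012 R2 DC makes RRAS fail with 812, so refuse to treat such a box as an MFA host.
$role = (Get-CimInstance Win32_ComputerSystem).DomainRole
if ($role -ge 4) { Write-Warning "This machine is a domain controller (DomainRole=$role); host MFA Server elsewhere." }

function New-RadiusAttribute {
    # Type(1) Length(1, header included) Value(n); the unary comma keeps the array intact on output.
    param([byte]$Type, [byte[]]$Value)
    return ,[byte[]](@($Type, [byte]($Value.Length + 2)) + $Value)
}

function Protect-PapPassword {
    # RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    # MD5(secret + previous block), the first "previous block" being the Request Authenticator.
    param([string]$Secret, [byte[]]$Authenticator, [string]$Password)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $s = [Text.Encoding]::UTF8.GetBytes($Secret)
    $p = [Text.Encoding]::UTF8.GetBytes($Password)
    $len = [int][Math]::Max(16, [Math]::Ceiling($p.Length / 16.0) * 16)
    $padded = New-Object byte[] $len
    [Array]::Copy($p, $padded, $p.Length)
    $out = New-Object byte[] $len
    $prev = $Authenticator
    for ($i = 0; $i -lt $len; $i += 16) {
        $b = $md5.ComputeHash([byte[]]($s + $prev))
        for ($j = 0; $j -lt 16; $j++) { $out[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = [byte[]]$out[$i..($i + 15)]
    }
    return ,$out
}

# 2. Build the Access-Request: Code 1, random Identifier, Length, 16-byte random Request Authenticator, attributes.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$authenticator = New-Object byte[] 16
$rng.GetBytes($authenticator)
$identifier = [byte](Get-Random -Maximum 256)
$attrs = [byte[]]( (New-RadiusAttribute 1 ([Text.Encoding]::UTF8.GetBytes($userName))) +   # User-Name
                   (New-RadiusAttribute 2 (Protect-PapPassword $secret $authenticator $password)) +  # User-Password
                   (New-RadiusAttribute 4 ([byte[]](192, 0, 2, 10))) )   # NAS-IP-Address, placeholder from RFC 5737
$length = 20 + $attrs.Length
$packet = [byte[]](@(1, $identifier, [byte][Math]::Floor($length / 256), [byte]($length % 256)) + $authenticator + $attrs)

# 3. Send and wait. Keep the timeout long: MFA holds the request open while it phones the user.
$udp = New-Object System.Net.Sockets.UdpClient
$udp.Client.ReceiveTimeout = 60000
$remote = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
try {
    [void]$udp.Send($packet, $packet.Length, $radiusHost, $radiusPort)
    $reply = $udp.Receive([ref]$remote)
} catch [System.Net.Sockets.SocketException] {
    throw "No RADIUS reply from ${radiusHost}:$radiusPort within 60 s (server down, port blocked, or secret mismatch: RADIUS silently drops bad requests)"
} finally { $udp.Close() }

# 4. Verify the Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
#    before believing the reply code; anyone on the path can forge an Accept without the secret.
$replyLen  = $reply[2] * 256 + $reply[3]
$attrBytes = if ($replyLen -gt 20) { $reply[20..($replyLen - 1)] } else { @() }
$md5 = [System.Security.Cryptography.MD5]::Create()
$expected = $md5.ComputeHash([byte[]]($reply[0..3] + $authenticator + $attrBytes + [Text.Encoding]::UTF8.GetBytes($secret)))
$authentic = [BitConverter]::ToString($expected) -eq [BitConverter]::ToString([byte[]]$reply[4..19])
$codes = @{ 2 = 'Access-Accept'; 3 = 'Access-Reject'; 11 = 'Access-Challenge' }
if ($reply[1] -ne $identifier -or -not $authentic) {
    Write-Warning 'Reply failed the identifier/Response Authenticator check: wrong shared secret or not our server'
} else {
    Write-Host ("RADIUS reply from {0}: code {1} ({2})" -f $remote.Address, $reply[0], $codes[[int]$reply[0]])
}
```

Two caveats. RRAS in this thread authenticates with MS-CHAP v2, so a successful PAP probe proves reachability and the shared secret, not the MS-CHAP v2 path through MFA to NPS. And PAP's User-Password hiding is only as strong as the shared secret, so run this with a test account over the management network rather than a production password over an untrusted segment.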
FDC2005 (Author) commented:
Yes - sorry - I didn't realize you were pointing to the same post when I made my link. That was my writeup on the Microsoft website of the workaround we found.

thanks!
-Frank.
btan (Exec Consultant) commented:
Noted, so I thought my last post can be highlighted as "assisted" instead :)
FDC2005 (Author) commented:
Yes - certainly - thank you!
-Frank.
btan (Exec Consultant) commented:
Thanks Frank :)