OTP Troubleshooting
Introduction
This article discusses basic troubleshooting techniques for resolving issues with the One Time Password (OTP) functionality in SecureAuth IdP.
Applies to
SecureAuth IdP Version | OS Version |
|---|---|
7.x+ |
|
SMS and Voice Delivery Issues
Verify the time, time zone, and date are correct on SecureAuth IdP
When an end-user selects the SMS or Voice option to deliver an OTP code, the request is sent to the cloud environment for fulfillment.
SecureAuth IdP appliances use the Windows Communication Foundation (WCF) protocol to ensure secure communications between the appliance and cloud environment. The underlying technologies used by WCF are sensitive to time discrepancies and will fail if the appliance clock is off by five or more minutes. In real world usage, SecureAuth has seen intermittent issues start with a clock drifting off by three minutes.
If the SecureAuth IdP appliance is not joined to the domain, SecureAuth recommends configuring it to use a reliable (S)NTP server to keep the clock disciplined. To verify the time / date on the appliance and, if necessary, configure NTP, refer to the Microsoft support document Set the Clock.
Verify the Web Proxy Server configuration (if applicable)
If a Web Proxy Server is used for communication to the public Internet, ensure the realm is configured correctly.
Refer to the document pertinent to the SecureAuth IdP version for more information about this topic
SecureAuth IdP Version 9.1+ - Web Proxy Server Configuration Guide (version 9.1+)
Verify URLs for cloud services are configured correctly
1. Select the System Info tab on the realm having OTP delivery issues
2. In the WSE 3.0 / WCF Configuration section, ensure Telephony URL is set to http://us-cloud.secureauth.com/TelephonyService/Telephony.svc.msg
3. Ensure SMS URL is set to http://us-cloud.secureauth.com/SmsService/SMS.svc/msg
 |
Warning
Click Save once the configurations have been completed and before leaving the System Info page to avoid losing changes
Verify certificates have not expired
Ensure the impacted realms have current, valid certificates selected for communication with the cloud environment
1. Select the System Info tab on the realm having OTP delivery issues
2. In the WSE 3.0 / WCF Configuration section, click the Select Certificate link beneath Client Cert Serial Nbr
 |
3. Verify the To column date for the selected certificate is not expired
 |
4. If the certificate is expired, contact SecureAuth Support
5. Click Cancel to close the window
Verify the certificate private key is granted proper privileges
A certificate is used to communicate with the SecureAuth IdP cloud environment. If the certificate's private key is not granted appropriate privileges, then a connection to the cloud infrastructure cannot be made. Without this connectivity, the OTP code cannot be delivered to users via SMS or Voice.
Follow SecureAuth IdP Steps and Microsoft Management Console Steps to ensure the certificate is granted appropriate private key privileges
Notice
Sample images from Windows 2012 R2 are used in these steps
1. From Start, type Run
2. In the Run dialog, type mmc and click OK
 |
3. In the MMC snap-in Console window, select File and Add / Remove Snap-in
 |
4. In the Add or Remove Snap-ins dialog, select Certificates and click Add >
 |
5. In the Certificates snap-in wizard, select Computer account and click Next >
 |
6. On the Select Computer page, select Local computer and click Finish
 |
7. Click OK to close the Add or Remove Snap-ins dialog
 |
8. Now that the Certificates directory is added to the MMC console, from the tree view pane select Personal > Certificates
9. Locate localhost in the target pane
 |
10. Right-click localhost and select All Tasks > Manage Private Keys
 |
11. In the Permissions dialog, verify that Network Service permissions are assigned to the private key
Add this permission, if not already assigned
 |
Verify the support license is current
If the organization's support license is not current, the cloud service will reject any connection attempts, for security purposes
If this is suspected to be an issue, contact the SecureAuth account manager (AM) or SecureAuth Support
Email Delivery Issues
Check the SMTP settings on the impacted realm(s) to verify the proper server is being used
Verify SMTP settings
1. Select the Overview tab on the realm having OTP delivery issues
2. In the Advanced Settings section, click Email Settings
 |
3. In the Email Settings section, verify SMTP settings are correct
Make any necessary updates
 |
Warning
If the SMTP server is configured for smtp.merchantsecure.com, then the SecureAuth IdP test SMTP server is in use. This server is not intended to be used in a production deployment and there is NO SLA associated with it. Point the SecureAuth IdP realm to the organization's SMTP server at the earliest possible opportunity.
Notice
In versions of SecureAuth IdP prior to 7.5, a username must be entered in the SMTP Username field even if not required by the SMTP server. If this information is not provided – in the format of an email address (e.g. user@company.com) – SecureAuth IdP will fail to communicate with the remote SMTP server.
Warning
Click Save once the configurations have been completed and before leaving the Overview page to avoid losing changes
Verify firewall settings
SecureAuth IdP uses the standard Simple Mail Transport Protocol (SMTP) to transmit mail. This communication occurs on TCP / 25 and all firewalls between the SecureAuth IdP appliance and the SMTP server must allow this traffic to pass.
On the SecureAuth IdP appliances, Windows Firewall with Advanced Security includes an outbound policy named SecureAuth SMTP for SMTP traffic. For this policy, the SMTP server IP address must be listed in the Remote IP address section.
Notice
Sample images from Windows 2012 R2 are used in these steps
1. From Start, find and click Administrative Tools
 |
2. In the Administrative Tools window, click Windows Firewall with Advanced Security
Note
If the User Account Control dialog appears, confirm that the action it displays is desired, and then click Continue
 |
3. In the Windows Firewall with Advanced Security window, select Outbound Rules in the left pane
 |
4. Find the SecureAuth SMTP policy and double-click it
 |
5. In the SecureAuth SMTP Properties dialog, click the Scope tab
6. In the Remote IP address frame, verify the entry for the SMTP server
If the SMTP server address is missing, proceed to step 7
 |
7. In the Remote IP address frame, click Add
 |
8. In the IP Address dialog, enter the IP address of the SMTP server in This IP address or subnet field
9. Click OK to close the SecureAuth SMTP Properties dialog
 |
Enable SMTP over SSL / TLS (if applicable)
In some cases the SMTP server will require SMTP communication to occur over SSL / TLS
See the technical document Enable SSL/TLS Support for SMTP for further information on how to enable this functionality
OATH Second Factor Issues
Verify the same license certificate is used for all OATH realms
If the SecureAuth998 (provisioning) realm is configured to store the OATH Seed using Advanced Encryption, then all realms using OATH must share the same license certificate
If the same certificate is not used, then the realm will be unable to decrypt the OATH Seed and will fail to authenticate the user
In this scenario, the end-user will normally receive the Registration code does not match error
