Introduction

This article discusses basic troubleshooting techniques for resolving issues with the One Time Password (OTP) functionality in SecureAuth IdP.

Applies to

SecureAuth IdP Version: 7.x+

OS Version:
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2

SMS and Voice Delivery Issues
Verify the time, time zone, and date are correct on SecureAuth IdP

When an end-user selects the SMS or Voice option to deliver an OTP code, the request is sent to the cloud environment for fulfillment.

SecureAuth IdP appliances use the Windows Communication Foundation (WCF) protocol to ensure secure communications between the appliance and cloud environment. The underlying technologies used by WCF are sensitive to time discrepancies and will fail if the appliance clock is off by five or more minutes. In real world usage, SecureAuth has seen intermittent issues start with a clock drifting off by three minutes.

If the SecureAuth IdP appliance is not joined to the domain, SecureAuth recommends configuring it to use a reliable (S)NTP server to keep the clock disciplined. To verify the time / date on the appliance and, if necessary, configure NTP, refer to the Microsoft support document Set the Clock.
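The following PowerShell script is an added example and not part of this article or the SecureAuth product; it measures the appliance clock offset against an NTP server with w32tm.exe (shipped with Windows) and rates the drift against the thresholds given above: warning from three minutes, failure at five minutes or more, where WCF calls to the cloud service are rejected. The default server name time.windows.com is an assumption; point it at the organization's (S)NTP source.

```powershell
# Added example (not from the SecureAuth article). Requires w32tm.exe and
# outbound UDP/123 to the reference server.

function Get-ClockOffsetSeconds {
    param(
        [string]$NtpServer = 'time.windows.com',   # assumed reference; use the site's (S)NTP server
        [int]$Samples = 3
    )
    # With /dataonly, w32tm prints one line per sample, e.g. "14:03:22, +00.0051216s"
    $lines = & w32tm.exe /stripchart "/computer:$NtpServer" "/samples:$Samples" /dataonly 2>&1
    $offsets = @(foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] }
    })
    if ($offsets.Count -eq 0) {
        throw "No offset samples from $NtpServer (UDP/123 blocked?). Output: $($lines -join ' | ')"
    }
    # Median rather than mean, so one delayed reply does not skew the result
    $sorted = @($offsets | Sort-Object)
    return $sorted[[int][math]::Floor($sorted.Count / 2)]
}

function Test-ApplianceClock {
    param([string]$NtpServer = 'time.windows.com')
    $offset = Get-ClockOffsetSeconds -NtpServer $NtpServer
    $drift  = [math]::Abs($offset)
    # Thresholds are the ones stated in the article: 3 min = intermittent trouble, 5 min = WCF failure
    $status = if ($drift -ge 300)   { 'FAIL: WCF calls to the cloud service will be rejected' }
              elseif ($drift -ge 180) { 'WARN: intermittent SMS/Voice OTP failures likely' }
              else                    { 'OK' }
    [pscustomobject]@{
        LocalTime     = Get-Date
        TimeZone      = [System.TimeZoneInfo]::Local.Id          # works on Windows Server 2008 and later
        SyncSource    = (& w32tm.exe /query /source 2>&1) -join ' '
        OffsetSeconds = [math]::Round($offset, 3)
        Status        = $status
    }
}

Test-ApplianceClock
```

Run it from an elevated PowerShell prompt on the appliance; a SyncSource of "Local CMOS Clock" on a non-domain-joined appliance means no NTP source is configured, even if the offset happens to be small today.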

Verify the Web Proxy Server configuration (if applicable)

If a Web Proxy Server is used for communication to the public Internet, ensure the realm is configured correctly.

Refer to the document pertinent to the SecureAuth IdP version for more information about this topic

Verify URLs for cloud services are configured correctly

SecureAuth IdP Steps

Screenshot: System Info

1. Select the System Info tab on the realm having OTP delivery issues

2. In the WSE 3.0 / WCF Configuration section, ensure Telephony URL is set to http://us-cloud.secureauth.com/TelephonyService/Telephony.svc.msg

3. Ensure SMS URL is set to http://us-cloud.secureauth.com/SmsService/SMS.svc/msg

Click Save once the configurations have been completed and before leaving the System Info page to avoid losing changes
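The following PowerShell script is an added example, not part of this article or the SecureAuth product. It compares the Telephony URL and SMS URL values as copied from the System Info page against the values given in the steps above, then checks that the host resolves and that the port implied by the URL scheme accepts a TCP connection from the appliance. The connection is made directly, so it does not exercise a web proxy; on a proxied appliance treat a TCP failure as expected and rely on the string comparison. The second sample value is constructed with a missing path segment to show what a mismatch looks like.

```powershell
# Added example (not from the SecureAuth article).

# Expected values, exactly as given in the article's steps
$ExpectedCloudUrls = @{
    'Telephony URL' = 'http://us-cloud.secureauth.com/TelephonyService/Telephony.svc.msg'
    'SMS URL'       = 'http://us-cloud.secureauth.com/SmsService/SMS.svc/msg'
}

function Test-CloudServiceUrl {
    param(
        [Parameter(Mandatory)][string]$Name,         # 'Telephony URL' or 'SMS URL'
        [Parameter(Mandatory)][string]$Configured    # value copied from the System Info page
    )
    $expected = $ExpectedCloudUrls[$Name]
    $uri = $null
    $parses = [System.Uri]::TryCreate($Configured.Trim(), [System.UriKind]::Absolute, [ref]$uri)
    $hostName = $null; $port = $null; $reachable = $false

    if ($parses) {
        $hostName = $uri.Host
        $port     = $uri.Port          # 80 for http, 443 for https unless the URL says otherwise
        $client   = $null
        try {
            $client = New-Object System.Net.Sockets.TcpClient
            $async  = $client.BeginConnect($hostName, $port, $null, $null)
            # 5-second timeout so a blocked egress path does not hang the check
            if ($async.AsyncWaitHandle.WaitOne(5000)) { $client.EndConnect($async); $reachable = $true }
        } catch {
            $reachable = $false
        } finally {
            if ($client) { $client.Close() }
        }
    }

    [pscustomobject]@{
        Setting      = $Name
        Configured   = $Configured
        MatchesDocs  = ($Configured.Trim() -eq $expected)   # catches typos and stray characters
        ParsesAsUrl  = $parses
        Host         = $hostName
        Port         = $port
        TcpReachable = $reachable
    }
}

# Constructed sample input: the SMS value deliberately lacks the trailing "/msg" segment
Test-CloudServiceUrl -Name 'Telephony URL' -Configured 'http://us-cloud.secureauth.com/TelephonyService/Telephony.svc.msg'
Test-CloudServiceUrl -Name 'SMS URL'       -Configured 'http://us-cloud.secureauth.com/SmsService/SMS.svc'
```

MatchesDocs is false for the second call, which is the condition the steps above are meant to catch; TcpReachable only tells you the appliance can open a socket to the cloud host, not that the WCF call itself will succeed (clock, certificate and license checks follow).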

Verify certificates have not expired

Ensure the impacted realms have current, valid certificates selected for communication with the cloud environment

SecureAuth IdP Steps

Screenshot: System Info

1. Select the System Info tab on the realm having OTP delivery issues

2. In the WSE 3.0 / WCF Configuration section, click the Select Certificate link beneath Client Cert Serial Nbr

Screenshot: Select Certificate

3. Verify the To column date for the selected certificate is not expired

4. If the certificate is expired, contact SecureAuth Support

5. Click Cancel to close the window

Verify the certificate private key is granted proper privileges

A certificate is used to communicate with the SecureAuth IdP cloud environment. If the certificate's private key is not granted appropriate privileges, then a connection to the cloud infrastructure cannot be made. Without this connectivity, the OTP code cannot be delivered to users via SMS or Voice.

Follow SecureAuth IdP Steps and Microsoft Management Console Steps to ensure the certificate is granted appropriate private key privileges

Part 1: SecureAuth IdP Steps

Screenshot: System Info

1. Select the System Info tab on the realm having OTP delivery issues

2. In the WSE 3.0 / WCF Configuration section, click the Select Certificate link beneath Client Cert Serial Nbr

Screenshot: Select Certificate

3. Make note of details for the selected certificate

4. Click Cancel to close the window

Part 2: Microsoft Management Console Steps

Sample images from Windows 2012 R2 are used in these steps

1. From Start, type Run

2. In the Run dialog, type mmc and click OK

3. In the MMC snap-in Console window, select File and Add / Remove Snap-in

4. In the Add or Remove Snap-ins dialog, select Certificates and click Add >

5. In the Certificates snap-in wizard, select Computer account and click Next >

6. On the Select Computer page, select Local computer and click Finish

7. Click OK to close the Add or Remove Snap-ins dialog

8. Now that the Certificates directory is added to the MMC console, from the tree view pane select Personal > Certificates

9. Locate localhost in the target pane

10. Right-click localhost and select All Tasks > Manage Private Keys

11. In the Permissions dialog, verify that Network Service permissions are assigned to the private key

Add this permission, if not already assigned
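The following PowerShell script is an added example, not part of this article or the SecureAuth product. It performs the two certificate checks above in one pass: it finds the client certificate in the Local Computer Personal store by the serial number shown as Client Cert Serial Nbr on the System Info page (the MMC steps locate it by its name, localhost, instead), reports whether it has expired, and inspects the ACL of the private key file for the Network Service grant that the Manage Private Keys dialog would add. Only CAPI (RSA) keys stored under MachineKeys are inspected; CNG keys are reported but left to the MMC steps. The 30-day warning window is an assumption, not something the article states.

```powershell
# Added example (not from the SecureAuth article). Run elevated on the appliance.

function Test-WcfClientCertificate {
    param(
        [Parameter(Mandatory)][string]$SerialNumber,           # as displayed by the Web Admin
        [string]$RequiredIdentity = 'NT AUTHORITY\NETWORK SERVICE',
        [int]$WarnDays = 30                                    # assumed early-warning window
    )
    # The UI may show the serial with spaces or colons; the store holds it as bare hex
    $serial = ($SerialNumber -replace '[\s:]', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.SerialNumber -eq $serial } |
            Select-Object -First 1
    if (-not $cert) { throw "No certificate with serial $serial in Cert:\LocalMachine\My" }

    $now = Get-Date
    $report = [ordered]@{
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint
        NotAfter          = $cert.NotAfter
        Expired           = ($cert.NotAfter -lt $now)          # matches the "To" column check in the UI
        ExpiresWithinDays = ($cert.NotAfter -lt $now.AddDays($WarnDays))
        HasPrivateKey     = $cert.HasPrivateKey
        KeyFile           = $null
        PrivateKeyAccess  = 'not checked'
    }

    # Reading PrivateKey throws if the caller itself lacks key access; treat that as "unknown"
    $pk = $null
    try { $pk = $cert.PrivateKey } catch { $pk = $null }

    if ($pk -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # CAPI machine keys are files named after the unique container; "Manage Private
        # Keys" in MMC edits exactly this file's ACL.
        $container = $pk.CspKeyContainerInfo.UniqueKeyContainerName
        $keyFile   = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $container
        $report.KeyFile = $keyFile
        if (Test-Path $keyFile) {
            # The MMC dialog grants specific rights, so test for the Read bits explicitly
            $readBits = [int][System.Security.AccessControl.FileSystemRights]::Read
            $grant = (Get-Acl $keyFile).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -eq $RequiredIdentity -and
                (([int]$_.FileSystemRights -band $readBits) -eq $readBits)
            }
            $report.PrivateKeyAccess = if ($grant) { "OK: $RequiredIdentity has Read" }
                                       else { "MISSING: grant $RequiredIdentity Read via All Tasks > Manage Private Keys" }
        } else {
            $report.PrivateKeyAccess = 'key file not found (key may be on an HSM or smart card)'
        }
    } elseif ($cert.HasPrivateKey) {
        $report.PrivateKeyAccess = 'CNG key or no access to key: verify with the MMC steps above'
    } else {
        $report.PrivateKeyAccess = 'certificate has no private key: contact SecureAuth Support'
    }
    [pscustomobject]$report
}

# Usage; the serial number is a placeholder, copy the real value from the System Info page:
# Test-WcfClientCertificate -SerialNumber '<client cert serial nbr>'
```

A result of Expired = True or PrivateKeyAccess starting with MISSING corresponds to the two failure causes described above; the script only reports, so the fix is still made through the Web Admin (certificate) or the MMC Permissions dialog (private key).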

Verify the support license is current

If the organization's support license is not current, the cloud service will reject any connection attempts, for security purposes

If this is suspected to be an issue, contact the SecureAuth account manager (AM) or SecureAuth Support

Email Delivery Issues

Check the SMTP settings on the impacted realm(s) to verify the proper server is being used

Verify SMTP settings
SecureAuth IdP Steps

Screenshot: Overview

1. Select the Overview tab on the realm having OTP delivery issues

2. In the Advanced Settings section, click Email Settings

Screenshot: Email Settings

3. In the Email Settings section, verify SMTP settings are correct

Make any necessary updates

If the SMTP server is configured for smtp.merchantsecure.com, then the SecureAuth IdP test SMTP server is in use. This server is not intended to be used in a production deployment and there is NO SLA associated with it. Point the SecureAuth IdP realm to the organization's SMTP server at the earliest possible opportunity.

In versions of SecureAuth IdP prior to 7.5, a username must be entered in the SMTP Username field even if not required by the SMTP server. If this information is not provided – in the format of an email address (e.g. user@company.com) – SecureAuth IdP will fail to communicate with the remote SMTP server.

Click Save once the configurations have been completed and before leaving the Overview page to avoid losing changes

Verify firewall settings

SecureAuth IdP uses the standard Simple Mail Transfer Protocol (SMTP) to transmit mail. This communication occurs on TCP / 25 and all firewalls between the SecureAuth IdP appliance and the SMTP server must allow this traffic to pass.

On the SecureAuth IdP appliances, Windows Firewall with Advanced Security includes an outbound policy named SecureAuth SMTP for SMTP traffic. For this policy, the SMTP server IP address must be listed in the Remote IP address section.

Windows Firewall with Advanced Security Steps

Sample images from Windows 2012 R2 are used in these steps

1. From Start, find and click Administrative Tools

2. In the Administrative Tools window, click Windows Firewall with Advanced Security

If the User Account Control dialog appears, confirm that the action it displays is desired, and then click Continue

3. In the Windows Firewall with Advanced Security window, select Outbound Rules in the left pane

4. Find the SecureAuth SMTP policy and double-click it

5. In the SecureAuth SMTP Properties dialog, click the Scope tab

6. In the Remote IP address frame, verify the entry for the SMTP server

If the SMTP server address is missing, proceed to step 7

7. In the Remote IP address frame, click Add

8. In the IP Address dialog, enter the IP address of the SMTP server in the This IP address or subnet field

9. Click OK to close the SecureAuth SMTP Properties dialog
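The following PowerShell script is an added example, not part of this article or the SecureAuth product. It checks the Remote IP address scope of the outbound SecureAuth SMTP rule for the configured SMTP server, tests that TCP / 25 is actually reachable from the appliance (which also covers firewalls between the appliance and the server), and flags the smtp.merchantsecure.com test server described in the Email Settings section. It uses the NetSecurity cmdlets and Test-NetConnection, which are available on Windows Server 2012 R2 and later; on older appliances read the rule with netsh advfirewall firewall show rule name="SecureAuth SMTP" verbose instead. The server name in the usage line is a placeholder.

```powershell
# Added example (not from the SecureAuth article). Run elevated on the appliance.

function Test-SmtpPath {
    param(
        [Parameter(Mandatory)][string]$SmtpServer,   # as entered in the realm's Email Settings
        [string]$RuleName = 'SecureAuth SMTP',
        [int]$Port = 25
    )
    $warnings = @()
    if ($SmtpServer -eq 'smtp.merchantsecure.com') {
        $warnings += 'SecureAuth test SMTP server in use: no SLA, not for production'
    }

    # The rule scope lists IP addresses, so resolve the configured name first
    $ipv4 = @([System.Net.Dns]::GetHostAddresses($SmtpServer) |
              Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
              ForEach-Object { $_.IPAddressToString })

    $rule  = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop
    $scope = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    $ports = $rule | Get-NetFirewallPortFilter

    $scopeResults = @(foreach ($ip in $ipv4) {
        # 'Any' means the rule is unscoped; otherwise the address must be listed explicitly.
        # Ranges and CIDR entries are not expanded here (assumption, to keep the check short).
        [pscustomobject]@{
            IPAddress   = $ip
            InRuleScope = (($scope -contains 'Any') -or ($scope -contains $ip))
        }
    })
    if ($scopeResults | Where-Object { -not $_.InRuleScope }) {
        $warnings += "add the SMTP server address to the Remote IP address scope of '$RuleName' (step 7 above)"
    }
    if ("$($rule.Enabled)" -ne 'True') {
        $warnings += "rule '$RuleName' is disabled"
    }

    # A TCP connect proves the whole path: local rule plus any firewall in between
    $tcp = Test-NetConnection -ComputerName $SmtpServer -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        $warnings += "TCP/$Port to $SmtpServer failed: check the local rule and intermediate firewalls"
    }

    [pscustomobject]@{
        SmtpServer   = $SmtpServer
        ResolvedIPv4 = $ipv4
        RuleEnabled  = $rule.Enabled
        RuleAction   = $rule.Action
        RulePorts    = $ports.RemotePort
        RuleScope    = $scope
        ScopeCheck   = $scopeResults
        TcpReachable = $tcp.TcpTestSucceeded
        Warnings     = $warnings
    }
}

# Usage (placeholder server name): Test-SmtpPath -SmtpServer 'smtp.example.com'
```

An empty Warnings list means the local rule and the network path both pass; a TCP failure with a correct rule scope points at a firewall between the appliance and the SMTP server rather than at the appliance itself. If the SMTP server requires SSL / TLS, substitute its submission port for 25.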

Enable SMTP over SSL / TLS (if applicable)

In some cases the SMTP server will require SMTP communication to occur over SSL / TLS

See the technical document Enable SSL/TLS Support for SMTP for further information on how to enable this functionality

OATH Second Factor Issues
Verify the same license certificate is used for all OATH realms

If the SecureAuth998 (provisioning) realm is configured to store the OATH Seed using Advanced Encryption, then all realms using OATH must share the same license certificate

If the same certificate is not used, then the realm will be unable to decrypt the OATH Seed and will fail to authenticate the user

In this scenario, the end-user will normally receive the Registration code does not match error

SecureAuth IdP Steps

Screenshot: System Info

1. On the Web Admin, select the SecureAuth998 realm

2. Select the System Info tab

3. In the License Info section, click Select Certificate

Screenshot: Select Certificate

4. Take note of the selected certificate and ensure it is used on all realms for which OATH is provided as a second factor option