This article discusses basic troubleshooting techniques for resolving issues with the One Time Password (OTP) functionality in SecureAuth IdP.
SecureAuth IdP Version
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
SMS and Voice Delivery Issues
Verify the time, time zone, and date are correct on SecureAuth IdP
When an end-user selects the SMS or Voice option to deliver an OTP code, the request is sent to the cloud environment for fulfillment.
SecureAuth IdP appliances use the Windows Communication Foundation (WCF) protocol to ensure secure communications between the appliance and cloud environment. The underlying technologies used by WCF are sensitive to time discrepancies and will fail if the appliance clock is off by five or more minutes. In real world usage, SecureAuth has seen intermittent issues start with a clock drifting off by three minutes.
If the SecureAuth IdP appliance is not joined to the domain, SecureAuth recommends configuring it to use a reliable (S)NTP server to keep the clock disciplined. To verify the time / date on the appliance and, if necessary, configure NTP, refer to the Microsoft support document Set the Clock.
Verify the Web Proxy Server configuration (if applicable)
If a Web Proxy Server is used for communication to the public Internet, ensure the realm is configured correctly.
Refer to the document pertinent to the SecureAuth IdP version for more information about this topic
Verify the certificate private key is granted proper privileges
A certificate is used to communicate with the SecureAuth IdP cloud environment. If the certificate's private key is not granted appropriate privileges, then a connection to the cloud infrastructure cannot be made. Without this connectivity, the OTP code cannot be delivered to users via SMS or Voice.
Follow SecureAuth IdP Steps and Microsoft Management Console Steps to ensure the certificate is granted appropriate private key privileges
1. Select the Overview tab on the realm having OTP delivery issues
2. In the Advanced Settings section, click Email Settings
3. In the Email Settings section, verify SMTP settings are correct
Make any necessary updates
If the SMTP server is configured for smtp.merchantsecure.com, then the SecureAuth IdP test SMTP server is in use. This server is not intended to be used in a production deployment and there is NO SLA associated with it. Point the SecureAuth IdP realm to the organization's SMTP server at the earliest possible opportunity.
In versions of SecureAuth IdP prior to 7.5, a username must be entered in the SMTP Username field even if not required by the SMTP server. If this information is not provided – in the format of an email address (e.g. firstname.lastname@example.org) – SecureAuth IdP will fail to communicate with the remote SMTP server.
Click Save once the configurations have been completed and before leaving the Overview page to avoid losing changes
Verify firewall settings
SecureAuth IdP uses the standard Simple Mail Transport Protocol (SMTP) to transmit mail. This communication occurs on TCP / 25 and all firewalls between the SecureAuth IdP appliance and the SMTP server must allow this traffic to pass.
On the SecureAuth IdP appliances, Windows Firewall with Advanced Security includes an outbound policy named SecureAuth SMTP for SMTP traffic. For this policy, the SMTP server IP address must be listed in the Remote IP address section.