Supporting the Two-factor Authentication Environment

 

Topic Last Modified: 2013-06-25

Issues related to two-factor authentication generally are either user errors or server errors. Your service desk or IT pros are expected to identify the source of a two-factor authentication issue, troubleshoot the issue to their level of responsibility, and escalate specific issues to the attention of Microsoft support as appropriate. Troubleshooting guidance and a summary of support roles and responsibilities are included in this section.

In addition, support guidance is provided for the following issues:

Note:
Microsoft support is unable to reset the password or PIN associated with a user account. Any issue that requires a change to an individual user account, the account’s password, or the PIN for the account must be addressed by your internal IT service desk.

The following table provides an overview of support roles and responsibilities involving your organization (customer) and Microsoft.

 

| Task | Customer | Microsoft |
|---|---|---|
| Account maintenance | Yes | No |
| Customer two-factor authentication server issue | Yes | No |
| End user network connectivity issue | Yes | No |
| Entitlement | Yes | No |
| Password reset | Yes | No |
| User education | Yes | No |
| User error | Yes | No |
| Two-factor authentication portal configuration | No | Yes |
| Two-factor authentication portal network connectivity issues | No | Yes |
| Two-factor authentication portal server configuration issue | No | Yes |

This section describes scenarios where the user attempts to browse to the two-factor authentication website (portal) and receives an error.

If a user navigates to the wrong website, a multitude of errors may appear. The user may receive an error message stating that Internet Explorer cannot display the webpage.

Resolution. Evaluate the address the user has typed and, if it is incorrect, provide the correct URL.

If a user attempts to access a site on the two-factor authentication server other than the default logon site, they may see a “You have attempted to access a restricted URL” error message.

Resolution. A restricted URL error means the user can in fact access the two-factor authentication portal but an incorrect URL was used. Suggested troubleshooting steps are the following:

  • Ensure that the user is typing in the correct URL. Verify “https” is being used.

  • Determine if the issue occurs from multiple network locations. For example, identify if connectivity is possible from a home environment and not a public location. If the connectivity experience varies, a network firewall rule probably is preventing the client machine from reaching the two-factor authentication server.

  • Determine if the user experiences the same problem using another machine. If not, the MAC address of the user’s initial machine may be blocked by the network being used.

  • If the access issue persists, escalate the issue to Microsoft support.

A user may receive an error message stating they have exceeded the maximum number of logon attempts.

In this event, the issue is likely due to the end user entering incorrect domain credentials, an incorrect password and passcode (RSA SecurID) or one-time code (Secure Swivel PINsafe), an incorrect PIN, or a combination of any of these incorrect entries. Users are allowed three (3) attempts to log on successfully through the two-factor authentication service. After this maximum number of attempts is reached, the user’s account will appear to be locked in the browser.

Resolution. If the Outlook Web App logon screen displays the “User validation error” message, the two-factor authentication webpage will block any subsequent logons in the current browser session. The user must close all instances of their browser, restart the browser, and attempt to log on again. If the user is still unable to log on, reset the user’s Active Directory account and/or their two-factor authentication account data.

A network connectivity failure between the two-factor authentication portal and either (a) the authentication server of your provided two-factor authentication solution, (b) the Active Directory domain controller of Office 365, or (c) the Client Access server of Exchange Online will result in users being unable to utilize Outlook Web App. Scenarios (a) and (b) are illustrated in the diagrams that follow.

The user enters the correct password and passcode (RSA SecurID) or one-time code (Secure Swivel PINsafe) but receives an “Authentication Failed” message from Outlook Web App.

The likely cause is incorrect authentication information, or a connectivity problem between the two-factor authentication portal and either the two-factor authentication server or the Active Directory domain controller.

Resolution. Here are three possible solutions:

  • Verify that Outlook Web App is accessible from within the corporate network. If Outlook Web App is accessible, either have the user confirm their credential information or reset the user’s account.

  • If the issue is unresolved, use a test account to attempt two-factor authentication access and/or ask other users to attempt access.

  • If the problem persists, either connectivity between the two-factor authentication portal and the two-factor authentication server or connectivity between the two-factor authentication portal and your organization's domain controller may be the cause. Escalate the issue to Microsoft support.

A network connectivity failure between the two-factor authentication portal and the Client Access server will result in users being able to enter credentials and authenticate but the Outlook Web App mailbox view will not render or display.

If the Client Access server is not online or not functioning properly, the logon page will freeze for several seconds. Various Internet Information Services (IIS) errors will appear. The following is an example of a common error message:

Resolution. Your organization's service desk or IT pro staff should attempt to access Outlook Web App from the internal corporate network. If an IIS error appears, escalate the issue to Microsoft support and provide a troubleshooting summary. If access to Outlook Web App is successful, Outlook Web App is assumed to be healthy and connectivity between the two-factor authentication server and Outlook Web App server may be the problem. Also escalate this issue to Microsoft support and provide a troubleshooting summary.

 