Thursday, September 27, 2018

“Default Time Zone” is the “Flux capacitor” of SharePoint!

“Back to the future” 1985

Back in the mid-80s we were all taken back in time with Doc and Marty McFly. We still idolize the DeLorean and remember that it was all possible because of the “Flux Capacitor.”

In SharePoint, things aren’t quite as exciting, but it is possible to accidentally create a little time travel within the SharePoint settings. Here is how it could happen.

Your company is global and has multiple locations and farms set up throughout the world. Because today’s world of business requires the best security possible, you decide to put in place PremierPoint Solutions ExCM’s Multi Factor Authentication (MFA) when users are signing in. The MFA is set up to send an authorization code to the users’ email or text, so that they can be verified before signing in.

You have activated the MFA and everything is working as planned in your US Farm, but the MFA is not working as expected in your UK Farm. The UK users are receiving the error below.

You verify that the ExCM MFA UK setup is identical to the US setup. So why are your users getting this error?

There are several reasons why this error might appear. It is generated if the user requested an authorization code and entered it incorrectly, or if the time allowed to use the code had expired.

A third, less obvious reason is that the “Default Time Zone” within the Central Administration Web Application settings is not set to the default setting. Normally this setting is not set manually; it defaults to the SharePoint farm time stamp, which is in the same time zone where the farm’s servers are located.

However, let’s say one farm is located in the US and a second farm is located in the UK. Both farms have users logging in using MFA, but some users are in a US time zone and some users are in a UK time zone. In this case, if both farms are set to a US time zone, then the time stamp applied to the MFA authorization code would be a US time stamp. Anyone in the UK trying to sign in would then appear to have exceeded the timeout period allowed for the authorization code and would again receive the “Unable to validate authorization code” error.
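The failure mode described above, reduced to a small added example. This is not ExCM or SharePoint code, and the page does not show how ExCM stores or checks the time stamp; the zone offsets, the five-minute lifetime and every function name here are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed values: fixed offsets in effect on 2018-09-27 (assumed zones).
US_EASTERN = timezone(timedelta(hours=-4))   # EDT
UK = timezone(timedelta(hours=1))            # BST
CODE_LIFETIME = timedelta(minutes=5)         # assumed validity window


def wall_clock(instant, zone):
    """Naive local time stamp, as recorded by a component that trusts its configured zone."""
    return instant.astimezone(zone).replace(tzinfo=None)


def valid_naive(issued_local, now_local):
    """Flawed check: subtracts wall-clock values that carry no zone information."""
    age = now_local - issued_local
    return timedelta(0) <= age <= CODE_LIFETIME


def valid_aware(issued, now):
    """Robust check: both values are timezone-aware, so the age is absolute elapsed time."""
    age = now - issued
    # The lower bound rejects codes stamped in the future, which the opposite skew would produce.
    return timedelta(0) <= age <= CODE_LIFETIME


def scenario():
    """A code is issued and typed in one minute later; only the zone handling differs."""
    issued = datetime(2018, 9, 27, 14, 0, tzinfo=timezone.utc)
    entered = issued + timedelta(minutes=1)
    stamped_us = wall_clock(issued, US_EASTERN)      # 10:00, zone configured as US
    return {
        # Stamp and validation clock agree on the zone: accepted.
        "us_farm": valid_naive(stamped_us, wall_clock(entered, US_EASTERN)),
        # US stamp compared with a UK wall clock (15:01): looks 5 h 1 min old.
        "uk_farm_mismatch": valid_naive(stamped_us, wall_clock(entered, UK)),
        "apparent_age": wall_clock(entered, UK) - stamped_us,
        # Aware values in different zones still compare correctly.
        "uk_farm_aware": valid_aware(issued.astimezone(US_EASTERN), entered.astimezone(UK)),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

A rejection caused by this kind of skew looks the same to the user as a mistyped or expired code, which is why the time zone setting is worth checking when the MFA configuration itself is identical across farms.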

Here are the instructions for checking the farm Default Time Zone settings.

Within Central Administration, select “Application Management,” then “Manage web applications.”

Next you will select your web application. Then, under the Web Application ribbon, select “General Settings.”

Within the Web Application General Settings you will see the “Default Time Zone” and can verify or change the settings.

As a reminder, if the “Default Time Zone” is UNSET, it defaults to the SharePoint farm time stamp, which is in the same time zone where the farm’s servers are located.
