“Back to the future” 1985
Back in the mid-80s we were all taken back in time with Doc and Marty McFly. We still idolize the DeLorean and remember that it was all possible because of the “Flux Capacitor.”
In SharePoint, things aren’t quite as exciting, but it is possible to accidentally create a little time travel within the SharePoint settings. Here is how it could happen.
Your company is global and has multiple locations and farms set up throughout the world. Because today’s world of business requires the best security possible, you decide to put in place PremierPoint Solutions ExCM’s Multi Factor Authentication (MFA) when users are signing in. The MFA is set up to send an authorization code to the users’ email or text, so that they can be verified before signing in.
You have activated the MFA and everything is working as planned in your US Farm, but the MFA is not working as expected in your UK Farm. The UK users are receiving the error below.
You verify that the ExCM MFA UK setup is identical to the US setup. So why are your users getting this error?
There are several reasons why this error might appear. If the user requested an authorization code and entered it incorrectly, it would generate this error. If the time allowed to use the code had expired, this error would also be generated.
A third, less obvious reason is that the “Default Time Zone” within the Central Administration Web Application settings is not set to the default setting. Normally this setting is not set manually and defaults to the SharePoint farm time stamp, which is in the same time zone where the farm’s servers are located.
However, let’s say one farm is located in the US and a second farm is located in the UK. Both farms have users logging in using MFA, but some users are in a US time zone and some users are in a UK time zone. In this case, if both farms are set to a US time zone, the time stamp applied to the MFA authorization code would be a US time stamp. Anyone in the UK trying to sign in would then appear to have exceeded the timeout period allowed to use the authorization code and would again receive the “Unable to validate authorization code” error.
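The failure mode described above can be reproduced in a few lines. This is an added example, not ExCM's code: it assumes a simplified model in which the code's issue time is recorded as a wall-clock reading in the configured Default Time Zone and later compared with the server's local clock. The zones, the 10-minute lifetime and the timestamps are constructed values.

```python
from datetime import datetime, timedelta, timezone

# Constructed values for illustration; none of these come from ExCM.
US_EASTERN = timezone(timedelta(hours=-5))   # zone configured on both farms
UK = timezone(timedelta(hours=0))            # zone the UK servers actually run in
CODE_LIFETIME = timedelta(minutes=10)        # assumed validity window


def stamp_wall_clock(instant_utc, zone):
    """Return the zone-less wall-clock reading of an instant in the given zone."""
    return instant_utc.astimezone(zone).replace(tzinfo=None)


def validate_wall_clock(issued_naive, now_utc, server_zone):
    """Flawed check: compares wall-clock readings that may come from different zones."""
    age = stamp_wall_clock(now_utc, server_zone) - issued_naive
    return timedelta(0) <= age <= CODE_LIFETIME, age


def validate_utc(issued_utc, now_utc):
    """Robust check: both instants are zone-aware, so zone settings cannot skew the age."""
    age = now_utc - issued_utc
    return timedelta(0) <= age <= CODE_LIFETIME, age


def scenario(configured_zone, server_zone):
    """A user enters the code two minutes after it was issued."""
    issued = datetime(2024, 1, 15, 14, 0, tzinfo=timezone.utc)  # constructed instant
    entered = issued + timedelta(minutes=2)
    naive_stamp = stamp_wall_clock(issued, configured_zone)
    return {
        "wall_clock": validate_wall_clock(naive_stamp, entered, server_zone),
        "utc": validate_utc(issued, entered),
    }


if __name__ == "__main__":
    for name, server_zone in (("US farm", US_EASTERN), ("UK farm", UK)):
        result = scenario(US_EASTERN, server_zone)
        for method, (ok, age) in result.items():
            print(f"{name:8} {method:10} accepted={ok!s:5} apparent age={age}")
```

On the constructed UK farm the two-minute-old code appears to be over five hours old under the wall-clock comparison and is rejected, while the UTC comparison accepts it on both farms.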
Here are the instructions for checking the farm Default Time Zone settings.
Within Central Administration, select “Application Management” then “Manage web applications.”
Next, select your web application. Then, under the Web Application ribbon, select “General Settings.”