
VIP Failed to Authenticate after Microsoft Exchange upgrade to 2013


Article ID: 162351


Products

VIP Integrations

Issue/Introduction

  • The user upgraded Microsoft Exchange Server 2010 to 2013
  • After the upgrade, VIP failed to authenticate
  • The procedure on page 22 of PartnerIntegration_IIS7.PDF was used to change the logon.aspx script
  • [symc_iis7_plugin.dll] [Process:8480][ERROR]   : invalid otp token value for user <Domain>\Userid….

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480]********************* Configuration ***********************

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480]Protected URL ADSF:         

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480]Protected URL OWA: /owa/auth.owa        

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480]Protected URL IIS:              

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480]Protected URL SPS:            

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480]Radius Server Capacity: 16              

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480]Radius Request Timeout: 5             

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480]Radius Request Retries: 3

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480]Radius Server Port: 1812  

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480]Radius Server OTP Size: 6

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480]Radius Client IP: xx.xx.xx.xx        

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480]Radius Server Names xx.xx.xx.xx

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480]Radius Server Secret 12    

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480]Module Name: symc_iis7_plugin 

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480]****************** End of configuration *******************

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480][INFO]      : RADIUS client initialised...

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480][INFO]                      : IIS version...524293

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480][INFO]      : Register for all server events...

[Tue, 15 Sep 2015 12:47:09GMT] [symc_iis7_plugin.dll] [Process:8480][INFO]                      :VIP EG IIS Generic Plug-in registered successfully...

[Tue, 15 Sep 2015 12:50:08GMT] [symc_iis7_plugin.dll] [Process:8480][ERROR]   : invalid otp token value for user <Domain>\Userid

Cause

  • When the Exchange Server was upgraded from 2010 to 2013, users were no longer able to log in, and the plug-in logged “invalid otp token value for user <Domain>\Userid” errors. The client had followed the procedure in the PartnerIntegration_IIS7.PDF guide correctly but still had the login issue.
  • The user had to change the “Forms authentication for OWA in Exchange” setting to prompt for Username only, instead of Domain\Username.

Resolution

  • The Exchange server was upgraded to 2013
  • The OWA procedure on page 22 of the PartnerIntegration_IIS7.PDF guide, “Customize the Log-in Page for Outlook Web App (OWA) for 2013”, was followed correctly

Customize the Log-in Page for Outlook Web App (OWA) for 2013

1. Make a back-up of the log-in page (typically logon.aspx). Open this file using any text editor.

You can locate the logon.aspx page at C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx.

2. To enable two-factor authentication, add the OTP field to the logon.aspx page.

For example, add the following lines after the Password field:

<%--Begin marker for Security Code customization --%>
<div nowrap><label for="otp">Security Code:</label></div>
<div class="txtpad"><input id="OTP" name="OTP" type="password" class="signInInputText" onfocus="g_fFcs=0"></div>
<%-- End marker for Security Code customization --%>


  • After the Exchange server is upgraded, the “Forms authentication for OWA in Exchange” logon parameters need to be changed.
    • Configure the sign-in prompt for forms-based authentication with the following steps:
    • Log in to the Exchange Admin Center and, from the left side menu, click servers
    • Click virtual directories
    • From the list of available virtual directories, click owa (Default Web Site) and then click the edit button
    • The owa virtual directory options page opens; from the left side menu, click authentication
    • To set the logon format to username only, select User name only
    • Select the domain name by clicking browse... and, from the list of available domains, select the domain you want to authenticate your users from, then click ok
    • With the domain name selected, click save to set the forms-based authentication format to username only
    • You must restart IIS to apply the changes
    • After IIS is restarted, the next time you try to log on you will be presented with the username-only logon format
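
The same logon-format change can be made from the Exchange Management Shell instead of the Exchange Admin Center. The script below is an added example, not part of the original article or the vendor guide; `example.com` is a placeholder for the domain you would pick with browse..., and it assumes an elevated shell on the server that hosts owa (Default Web Site).

```powershell
# Added example: set OWA forms-based authentication to "User name only".
# Run in an elevated Exchange Management Shell on the upgraded Exchange 2013 server.

$Server        = $env:COMPUTERNAME
$DefaultDomain = 'example.com'                      # placeholder (assumption): your AD domain
$Identity      = "$Server\owa (Default Web Site)"   # the virtual directory edited in the EAC steps

# Read the current settings and fail early if the virtual directory is not found.
$vdir = Get-OwaVirtualDirectory -Identity $Identity -ErrorAction Stop
$vdir | Format-List Identity, FormsAuthentication, LogonFormat, DefaultDomain

# The logon format applies to the forms-based sign-in page, so check that first.
if (-not $vdir.FormsAuthentication) {
    Write-Warning "Forms-based authentication is not enabled on '$Identity'; nothing changed."
    return
}

# Only touch the configuration (and restart IIS) when something actually differs.
$needsChange = ("$($vdir.LogonFormat)" -ne 'UserName') -or
               ("$($vdir.DefaultDomain)" -ne $DefaultDomain)

if ($needsChange) {
    # Equivalent of selecting "User name only" and browsing to the logon domain.
    Set-OwaVirtualDirectory -Identity $Identity `
                            -LogonFormat UserName `
                            -DefaultDomain $DefaultDomain

    # The change is not applied until IIS is restarted.
    iisreset /noforce
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "iisreset exited with code $LASTEXITCODE; restart IIS manually."
    }
}
else {
    Write-Host "Logon format is already UserName with default domain $DefaultDomain."
}

# Confirm the values now stored on the virtual directory.
Get-OwaVirtualDirectory -Identity $Identity |
    Format-List Identity, LogonFormat, DefaultDomain
```

After the restart, a test logon with only the username should no longer produce the "invalid otp token value" entry in the symc_iis7_plugin.dll log.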

Attachments

PartnerIntegration_IIS7.pdf