Error "The username or password or security code is incorrect" occurs using Microsoft Credential Provider in Symantec VIP


Article ID: 164547


Products

VIP Service

Issue/Introduction

Microsoft Credential Provider (MCP) has been integrated with VIP EG 9.x. After successful installation and configuration of the validation server, the following error occurs after entering the Security Code as part of two-factor authentication:

The username or password or security code is incorrect

However, when the vsradiusclient_test utility is used, validation produces an ACCEPT result with a security code generated from the same credential. Both the user and the credential exist in VIP Manager and are enabled. The shared secret was tried first encrypted with the camouflage tool and then in plain text format. Both failed with the same error message.

 

Environment

VIP Enterprise Gateway

Cause

The EG server log shows the following entry:

ERROR    "2013-08-01 15:04:56.307 GMT-0400"  172.31.1.20 ValidationEngine 0 18501 "text=[VSWebServiceClient] The input OTP does not meet policy requirements, OTP length = 16, user=######, bizCont=off" Thread-5180 VSValidationEngine.c

Root cause

  1. Using the camouflage tool to encrypt the shared secret is mandatory, as MCP will not accept plain text passwords.
  2. Make sure the shared secret password encrypted with the camouflage tool is the same one used with the MCP RADIUS validation server. The camouflage tool can be run from any platform to encrypt the shared secret, as long as you use the correct version from the Tools directories.
  3. The "OTP length = 16" in the log entry appears because, if the shared secret differs between the client and the server, the OTP decrypted at the RADIUS server will be an OTP whose length is more than 16 characters. Therefore, it is very important to make sure that the shared secret is the same on both client and server.
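
The following is an added illustration, not code from Symantec or from VIP Enterprise Gateway. It assumes the security code travels in the standard RADIUS User-Password attribute (RFC 2865, section 5.2) and shows why a mismatched shared secret turns a 6-digit code into a full 16-byte block of non-digit bytes. The secrets, authenticator and OTP are constructed sample values.

```python
import hashlib

BLOCK = 16  # MD5 digest size; User-Password is hidden in 16-byte blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: RFC 2865 section 5.2 User-Password hiding."""
    # Pad with NULs to a multiple of 16 bytes (at least one block).
    size = max(1, -(-len(password) // BLOCK)) * BLOCK
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, BLOCK):
        key = hashlib.md5(secret + prev).digest()
        prev = _xor(padded[i:i + BLOCK], key)  # ciphertext feeds the next block
        out += prev
    return out


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding, then strip the trailing NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def demo():
    authenticator = bytes(range(16))   # constructed; real ones are random
    otp = b"123456"                    # constructed 6-digit security code
    hidden = hide_password(otp, b"secret-on-client", authenticator)
    same = recover_password(hidden, b"secret-on-client", authenticator)
    # Wrong secret: the padding no longer decrypts to NULs, so nothing is
    # stripped and the server sees (almost always) all 16 bytes as the "OTP".
    diff = recover_password(hidden, b"secret-on-server", authenticator)
    return same, diff


if __name__ == "__main__":
    same, diff = demo()
    print("matching secret  :", same, "length", len(same))
    print("mismatched secret:", diff.hex(), "length", len(diff))
```
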

Resolution

Ensure that the correct password is used with the camouflage tool.