Authentication Failure via ADFS Plug-in due to Locked Active Directory service account

Article ID: 404798


Products

VIP Service

Issue/Introduction

A user attempting to authenticate through Microsoft ADFS (Active Directory Federation Services) with the Symantec VIP plug-in failed to receive an SMS credential. The user had only an SMS credential registered, yet was shown the screen prompting for a VIP access security code instead of receiving the SMS. The failure was traced to the VIP Enterprise Gateway being unable to fetch the user's details from the directory and therefore unable to look up the VIP cloud for the SMS credential associated with the user.

Symptoms

  • User attempted ADFS authentication with only registered SMS credential.

  • VIP ADFS plug-in sent a lookup request to VIP Enterprise Gateway.

  • Enterprise Gateway attempted to fetch user from Active Directory.

  • The directory query failed because the Active Directory binding account that the EG user store uses to connect to the directory was locked.

  • As a result, the authentication failed silently.

Environment

Product: Symantec VIP
Component: ADFS Integration

Cause

When an SMS credential is used, VIP Enterprise Gateway must query the user store (e.g., Active Directory) to retrieve the user's details and then look up the registered credentials in the VIP cloud. This directory query is performed using a binding user account defined in the EG directory configuration.

In this case, the binding user account was locked in Active Directory. As a result, the EG was unable to read the user's details and, in turn, unable to look up the VIP cloud to fetch the SMS credential.

Resolution

To resolve the issue:

  1. Unlock the binding user account in Active Directory.

  2. Ensure the binding user account is:

    • Not locked or disabled.

    • Not subject to expired passwords or restrictive login policies.

    • Granted appropriate read permissions to the required OU or user container.

  3. Retry the ADFS authentication flow.
    The phone number lookup should now succeed, and the SMS credential should be delivered correctly.
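A quick way to verify the conditions in step 2 from a domain-joined host, added here as an example and not part of the Broadcom article or the VIP product: a PowerShell check of the binding account using the ActiveDirectory RSAT module, followed by a test search performed as that account, which mirrors the lookup the EG user store does. The account name, search base and attribute filter are placeholders.

```powershell
# Added example (not from the KB article): audit the EG binding account for the
# conditions listed in step 2 and confirm it can read users in the container the
# EG user store queries. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Test-VipBindingAccount {
    param(
        [string]$Identity   = 'svc-vip-eg',                 # placeholder sAMAccountName
        [string]$SearchBase = 'OU=Users,DC=example,DC=com', # placeholder user container
        [switch]$TestBind                                    # also search as the account
    )
    $u = Get-ADUser -Identity $Identity -Properties LockedOut, Enabled, PasswordExpired,
        PasswordNeverExpires, AccountExpirationDate, LogonWorkstations,
        badPwdCount, LastBadPasswordAttempt

    $findings = New-Object System.Collections.Generic.List[string]
    if ($u.LockedOut)            { $findings.Add('LOCKED: run Unlock-ADAccount after fixing the cause.') }
    if (-not $u.Enabled)         { $findings.Add('DISABLED: account must be enabled.') }
    if ($u.PasswordExpired)      { $findings.Add('PASSWORD EXPIRED: reset it and update the EG user store.') }
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) {
        $findings.Add('ACCOUNT EXPIRED: clear AccountExpirationDate.')
    }
    if ($u.LogonWorkstations)    { $findings.Add("LOGON RESTRICTED to: $($u.LogonWorkstations)") }
    if (-not $u.PasswordNeverExpires) {
        $findings.Add('WARNING: password expiration is enabled on a service account.')
    }
    # A non-zero badPwdCount usually means a stale password stored somewhere
    # (for example in the EG directory configuration) that keeps re-locking the account.
    if ($u.badPwdCount -gt 0) {
        $findings.Add("WARNING: badPwdCount=$($u.badPwdCount), last bad attempt $($u.LastBadPasswordAttempt)")
    }

    if ($TestBind) {
        # Authenticate as the binding account and read one user with a mobile number,
        # the same kind of query the EG performs before looking up the SMS credential.
        $cred = Get-Credential -UserName $Identity -Message 'Binding account password'
        try {
            $probe = Get-ADUser -Filter 'mobile -like "*"' -SearchBase $SearchBase `
                -Properties mobile -ResultSetSize 1 -Credential $cred
            if (-not $probe) { $findings.Add("READ CHECK: no readable users with a mobile number under $SearchBase") }
        } catch {
            $findings.Add("BIND/READ FAILED: $($_.Exception.Message)")
        }
    }

    if ($findings.Count -eq 0) { "OK: $Identity is unlocked, enabled and current." }
    else { $findings }
}

Test-VipBindingAccount -TestBind
```

Scheduling the function without `-TestBind` and alerting on any non-OK output gives the binding-account monitoring recommended under Preventive Recommendations.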

Additional Information

Preventive Recommendations

  • Monitor Binding Accounts: Regularly monitor and alert on the status of binding accounts used for directory integration in VIP EG.

  • Service Account Best Practices: Use dedicated service accounts for binding with:

    • Password expiration disabled.

    • Strong authentication policies.