When using the Symantec VIP Microsoft Credential Provider (MCP) to secure Windows logins, proper configuration of Timeout and Retry settings is critical. These settings ensure that the Windows login UI remains responsive and provides sufficient time for users to complete out-of-band (OOB) authentication, such as VIP Push notifications, SMS, or Voice codes.

Incorrect settings often result in "Authentication Failed" errors appearing before the user has even received their security code or notification.

Concepts:

1. Timeout

The Timeout value defines how many seconds the Credential Provider (the client) waits for a response from the VIP Enterprise Gateway (the RADIUS server) before a single attempt is considered failed.

2. Retries

The Retries value defines how many times the Credential Provider will attempt to resend the authentication request if the previous attempt timed out.

Special Consideration: Total Wait Time

The total time Windows will wait for a response is calculated as:

Total Time = Timeout × (Retries + 1)

Example: With a 20-second timeout and 3 retries, the total wait time is 80 seconds. This allows ample time for a user to receive a Push notification and tap "Approve."

Note: If your specific version of the Credential Provider does not display a "Retries" field, you should set the Timeout to a minimum of 60 seconds for OOB authentication.

Recommended Configuration Settings

The optimal settings depend on whether you are using standard security codes (OTP) or Out-of-Band (OOB) methods like VIP Push.