FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Anonymous
Not applicable
Article Id 215653
Description This article describes a workaround when system administrators have to disable TLS 1.0 and TLS 1.1 on the respective server where the OWA agent is installed and leave only TLS 1.2. Disabling TLS 1.1 and TLS 1.0 might cause 2FA to fail for the OWA agent.
Scope FortiAuthenticator, 6.x.x, OWA agent 2.x.
Solution

The following entries in the OWA agent log indicate the problem described in this article:

[(null)|389|DEBUG] Login: Session sessionstring: Verification of user (testuser) OTP successful: Verification of OTP for user tesstuser  was successful: 200 OK

[(null)|389|DEBUG] Login: Session sessionstring: Submitting user credentials to: https://mail.xyz.abc/owa/auth.owa

[(null)|389|WARN ] Login: Session sessionstring: 2FA Configuration Error: Server name configured does not match SSL certificate presented.

[(null)|389|DEBUG] Login: Session sessionstring:
System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm

To fix the OWA agent 2FA issue, make the following changes on the Exchange Server where the OWA agent is installed.

  1. Check that .NET Framework 4.8 is installed.
  2. Set the following registry values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001

After this change, the OWA agent should work with only TLS 1.2 enabled, and 2FA will work properly.
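The two steps above, as an added PowerShell example that is not part of the Fortinet article or of the OWA agent itself. It reads the .NET Framework "Release" value from the NDP setup key (528040 is the minimum value Microsoft documents for 4.8) and then writes SystemDefaultTlsVersions=1 to both the 64-bit and the 32-bit (Wow6432Node) .NET 4.x keys named in the article. Run it in an elevated session on the Exchange server.

```powershell
# Added example, not from the Fortinet article. Verifies .NET Framework 4.8 and
# sets SystemDefaultTlsVersions so .NET clients such as the OWA agent follow the
# OS default TLS versions (i.e. TLS 1.2 once 1.0 and 1.1 are disabled).
# Requires an elevated PowerShell session on the Exchange server.

# .NET Framework 4.x reports its version in the "Release" value of this key.
# 528040 is the minimum Release value that corresponds to .NET Framework 4.8.
$ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release
if (-not $release -or $release -lt 528040) {
    Write-Warning ".NET Framework 4.8 not found (Release=$release). Install it before continuing."
} else {
    Write-Host ".NET Framework 4.8 or later is installed (Release=$release)."
}

# The two keys from the article: the 64-bit .NET 4.x hive and the 32-bit
# (Wow6432Node) hive, so both 64-bit and 32-bit .NET processes pick it up.
$tlsKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($key in $tlsKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # DWORD 1 = use the system default TLS versions instead of the .NET defaults.
    New-ItemProperty -Path $key -Name SystemDefaultTlsVersions -PropertyType DWord -Value 1 -Force | Out-Null
    $value = (Get-ItemProperty -Path $key -Name SystemDefaultTlsVersions).SystemDefaultTlsVersions
    Write-Host "$key : SystemDefaultTlsVersions = $value"
}
```

The registry value is read when a .NET process starts, so restart the process hosting the OWA agent (for IIS-hosted components, the relevant application pool) before retesting 2FA.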


If the issue persists after applying the above change, review the following:

The external hostname is the address users access to reach OWA, for example, mail.fortinet.com.
To eliminate the SSL error, the Exchange server’s certificate must include mail.fortinet.com either as the Common Name (CN) or in the Subject Alternative Name (SAN) field.

If using a wildcard certificate, it must still cover mail.fortinet.com in the SAN or CN.

When users navigate to mail.fortinet.com, the hostname must match the certificate. Once this match is correct, the SSL error will disappear.

If the certificate does not contain the external hostname in its CN or SAN, issue a new certificate for the Exchange server that includes the external hostname, then apply it.
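The hostname check described above, as an added PowerShell example that is not part of the Fortinet article or of the OWA agent. It opens a TLS 1.2 connection to the configured OWA hostname, retrieves the certificate the server actually presents, and reports whether that hostname is covered by the certificate's Common Name or Subject Alternative Name entries, including a wildcard entry. The hostname mail.fortinet.com is the article's example value; the function names and the default port are assumptions of this example.

```powershell
# Added example, not from the Fortinet article. Checks whether the certificate
# presented by the OWA hostname contains that hostname in its CN or SAN, which is
# what the "Server name configured does not match SSL certificate presented"
# warning in the OWA agent log is about. Run it on the server where the OWA
# agent is installed so you see the same certificate the agent sees.
param(
    [string]$HostName = 'mail.fortinet.com',   # article's example hostname; replace with yours
    [int]$Port = 443                           # assumed default; adjust if OWA listens elsewhere
)

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The validation callback always returns $true here because we only want
        # to inspect the certificate, not trust it for anything.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-CertificateHostName {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$HostName
    )
    $names = @()
    # Common Name from the Subject.
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    # Subject Alternative Name extension (OID 2.5.29.17); Format($false) yields
    # entries such as "DNS Name=mail.fortinet.com, DNS Name=autodiscover.fortinet.com".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
    }
    foreach ($name in $names) {
        if ($name -eq $HostName) { return $true }
        # A wildcard such as *.fortinet.com covers exactly one label on the left,
        # so the label count must match as well as the pattern.
        if ($name.StartsWith('*.') -and ($HostName -like $name) -and
            (($HostName -split '\.').Count -eq ($name -split '\.').Count)) {
            return $true
        }
    }
    return $false
}

$cert = Get-ServerCertificate -HostName $HostName -Port $Port
Write-Host "Subject : $($cert.Subject)"
Write-Host "Expires : $($cert.NotAfter)"
if (Test-CertificateHostName -Cert $cert -HostName $HostName) {
    Write-Host "OK: $HostName is covered by the certificate's CN or SAN."
} else {
    Write-Warning "$HostName is NOT in the certificate's CN or SAN; reissue the certificate with this hostname before applying it."
}
```

If the connection itself fails with a "common algorithm" error rather than returning a certificate, the server is not offering TLS 1.2 on that port, which points back to the TLS configuration rather than to the certificate.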