FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
Sheikh
Staff
Staff
Article Id 226783
Description

This article describes how to resolve OTP verification timed out error in Exchange OWA with FortiAuthenticator agent installed.

Scope FortiAuthenticator 6.4.4, 6.4.5, 6.4.6 and FortiAuthenticator agent 2.4, Microsoft Exchange Server.
Solution

If the following components are installed:

- FortiAuthenticator 6.4.4, 6.4.5 or 6.4.6.

- FortiAuthenticator agent version 2.4 and above on Windows server 2012 R2.

- Microsoft Exchange Server 2016.

 

The following error will be displayed on the browser when accessing the Microsoft OWA page. 

 

'OTP verification timed out. Please contact your network administrator.'

 

Sheikh_2-1665934038980.png

 

In FortiAuthenticator, by default 'Require Strong Cryptography' is enabled under System -Administration -System Access.

 

Sheikh_0-1665933229617.png

 

Workaround:

- Disabling the 'Require Strong cryptography' setting in administrative access on the FortiAuthenticator fixes the problem.

 

Or

 

The FortiAuthenticator OWA agent does not have its own list of ciphers; it relies on the TLS settings of the underlying operating system.

So the base operating system should support one of these Ciphers.

 

FortiAuthenticator supports these Cipher(s):

Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
Preferred TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 3072 bits
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 3072 bits
 

Note:

Enabling or disabling 'Require Strong Cryptography' will restart the FortiAuthenticator web server.

 

Contributors