ethomollari
Staff
Description
This article describes a workaround for when system administrators have to disable TLS 1.0 and TLS 1.1 on the server where the OWA agent is installed and leave only TLS 1.2 enabled. Disabling TLS 1.1 and TLS 1.0 might cause 2FA to fail for the OWA agent.
Scope
FortiAuthenticator 6.x.x, OWA agent 2.x.
Solution

The following entries in the OWA agent logs indicate the issue described in this article (OTP verification succeeds, but the subsequent TLS connection to the OWA endpoint fails):

[(null)|389|DEBUG] Login: Session sessionstring: Verification of user (testuser) OTP successful: Verification of OTP for user tesstuser  was successful: 200 OK
[(null)|389|DEBUG] Login: Session sessionstring: Submitting user credentials to: https://mail.xyz.abc/owa/auth.owa
[(null)|389|WARN ] Login: Session sessionstring: 2FA Configuration Error: Server name configured does not match SSL certificate presented.
[(null)|389|DEBUG] Login: Session sessionstring:
System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm

To fix the OWA agent 2FA issue, make the following changes on the Exchange server where the OWA agent is installed.

1) Check that .NET Framework 4.8 is installed.

2) Set the following registry values (both the 64-bit key and the 32-bit Wow6432Node key):


[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
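The two steps above, as an added PowerShell example that is not part of the original article or of the OWA agent itself. It checks the .NET Framework 4.8 "Release" registry value (Microsoft documents 528040 as the minimum for 4.8), sets SystemDefaultTlsVersions=1 in both keys named in the article so that .NET 4.x applications such as the OWA agent defer to the protocols enabled in the operating system, and reads the values back for verification. The function names are this example's own; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): verify .NET Framework 4.8 and
# apply the SystemDefaultTlsVersions registry change from the article.

$ErrorActionPreference = 'Stop'

# .NET Framework 4.8 writes a "Release" value of 528040 or higher.
$Net48MinRelease = 528040
$ReleaseKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'

function Test-DotNet48Installed {
    $release = (Get-ItemProperty -Path $ReleaseKey -Name Release -ErrorAction SilentlyContinue).Release
    if (-not $release) { return $false }
    return ([int]$release -ge $Net48MinRelease)
}

# Both keys from the article: 64-bit and 32-bit (Wow6432Node) .NET 4.x runtimes.
$TlsKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Set-SystemDefaultTlsVersions {
    foreach ($key in $TlsKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # REG_DWORD 1 is the same as "SystemDefaultTlsVersions"=dword:00000001 above.
        New-ItemProperty -Path $key -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-SystemDefaultTlsVersions {
    # Read both keys back so the change can be verified before restarting the agent.
    foreach ($key in $TlsKeys) {
        $v = (Get-ItemProperty -Path $key -Name 'SystemDefaultTlsVersions' -ErrorAction SilentlyContinue).SystemDefaultTlsVersions
        [pscustomobject]@{ Key = $key; SystemDefaultTlsVersions = $v }
    }
}

if (-not (Test-DotNet48Installed)) {
    Write-Warning ".NET Framework 4.8 not found (Release value below $Net48MinRelease). Install it before applying the TLS change."
    return
}

Set-SystemDefaultTlsVersions
Get-SystemDefaultTlsVersions | Format-Table -AutoSize

# .NET reads these values when a process starts, so restart the process hosting
# the OWA agent (the IIS application pool serving OWA) for the change to take effect.
```

Both keys should show SystemDefaultTlsVersions = 1 in the read-back output; if only one of them does, 32-bit and 64-bit .NET processes will behave differently, which is why the article lists both keys.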

After this change, the OWA agent works with only TLS 1.2 enabled and 2FA completes successfully.