Error: "Failed to verify incoming OTP" When Configuring OTP on NetScaler


Article ID: CTX231826


Description

Configuring OTP on NetScaler version 12 results in the error "Failed to verify incoming OTP".

Scenario TWO: Users belonging to a large number of Active Directory groups are unable to register successfully for Native OTP functionality.

Resolution

The error is caused by a time difference between the client and the NetScaler. The user was advised to move to a more reliable NTP server, after which OTP verification worked.

Scenario TWO:
In the working setup, OTP users belonged to at least 55 groups.
In the non-working setup, OTP users belonged to more than 117 groups.
The customer reduced the number of groups on the non-working setup to 51, after which this user was able to register successfully.

Workaround:
There are two workarounds available. Apply either one:
a. Set the "Group Attribute" field in the LDAP server for the OTP AAA server from "memberOf" to "userParameters".
b. Disable group extraction.

A better workaround is to unset groupAttribute in the OTP action. The GUI appears to have an issue with unsetting groupAttr, so make the change from the CLI, or confirm it from the CLI.


Problem Cause

NTP/Time mismatch between the client and the NetScaler.
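
Why clock drift produces this error, shown as an added example (not Citrix code): a minimal RFC 6238 TOTP check, assuming the HMAC-SHA1, 30-second step and 6-digit defaults used by common authenticator apps. The secret, the timestamps and the one-step acceptance window are constructed for illustration and are not NetScaler's documented values.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length used by common authenticator apps
SECRET = b"12345678901234567890"  # constructed sample secret (RFC 6238 test key)

def totp(secret: bytes, unix_time: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given clock reading."""
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify(secret: bytes, code: str, server_time: float, window: int = 1):
    """Return the step offset at which `code` matches, or None.

    `window` is the number of steps accepted on either side of the
    verifier's own clock (assumed value, for illustration only).
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(candidate, code):
            return drift
    return None

def estimate_skew_steps(secret: bytes, code: str, server_time: float, search: int = 20):
    """Diagnostic: widen the search to learn how far apart the clocks are."""
    return verify(secret, code, server_time, window=search)

if __name__ == "__main__":
    client_time = 1_700_000_000           # constructed client clock reading
    code = totp(SECRET, client_time)      # what the user's app displays
    for skew in (0, 20, 300):             # verifier clock ahead by N seconds
        result = verify(SECRET, code, client_time + skew)
        status = "accepted" if result is not None else "failed to verify"
        print(f"verifier ahead by {skew:>3}s: {status}")
    steps = estimate_skew_steps(SECRET, code, client_time + 300)
    print(f"estimated skew: {steps} steps ({steps * STEP} seconds)")
```

A code that only verifies at a large step offset points to clock drift rather than a wrong secret, which is the case where fixing NTP on the appliance or the client resolves the error.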

Scenario TWO: A known bug (703995) exists, which is being fixed in the 12.0-58+GA build.


Additional Information

[Image: syslog]

[Image: console output in local timezone]