Versions Affected: All
Description: Your users are not able to use TOTP or KBQ/KBA as a Two-Factor Authentication method when they log in from a different SecureAuth server, and you see this message in the Audit Logs.
Cause: There are several possible causes; one of the more common is a mismatch in the certificate selected under License Info on your servers. This certificate encrypts and decrypts the attributes that SecureAuth stores in Active Directory through your Service Account. If server A encrypts those values with certificate A, and server B is configured with a different certificate B, then server B cannot decrypt the values that server A wrote.
Resolution: Export the certificate in use on the working server and import it on the server that cannot authenticate. After importing it, grant the required permissions on the new certificate's private key in the certificate console; if you are on IdP version 9.0.2, make sure to add SecureAuth0Pool.
Select the new certificate in the License Info section, then retype your Service Account password on the Data tab. Use the Test Connection button to confirm that the Service Account password is correct; your users should now be able to log in to the realm.
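The procedure above as an added PowerShell example (not SecureAuth's own tooling or scripts): the export on the working server, then the import and private-key permission grant on the failing server, with a check that the private key actually came across. It assumes the certificate is in the computer's Personal store, the PFX is moved between servers out of band, the app pool identity is IIS AppPool\SecureAuth0Pool as named above, and .NET Framework 4.6 or later; the thumbprint and paths are placeholders.

```powershell
# --- Run on the WORKING server: export the License Info certificate with its private key ---
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'   # placeholder: thumbprint shown under License Info
$PfxPath    = 'C:\Temp\licenseinfo.pfx'  # placeholder path; remove the file after copying it
$Pw = Read-Host 'PFX password' -AsSecureString
# Fails if the key was generated as non-exportable; the cert must then be re-issued exportable.
Get-Item "Cert:\LocalMachine\My\$Thumbprint" |
    Export-PfxCertificate -FilePath $PfxPath -Password $Pw | Out-Null

# --- Run on the FAILING server: import the PFX and grant the app pool read access to the key ---
$AppPoolUser = 'IIS AppPool\SecureAuth0Pool'   # pool named in the article for IdP 9.0.2
$Pw = Read-Host 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $Pw
if (-not $cert.HasPrivateKey) {
    throw 'Imported certificate has no private key; re-export it from the working server.'
}

# Locate the on-disk key container. CNG keys and legacy CAPI keys live in different folders.
$rsa    = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto'
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path $keyDir "Keys\$($rsa.Key.UniqueName)"
} else {
    $keyFile = Join-Path $keyDir "RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
}
if (-not (Test-Path $keyFile)) { throw "Private key file not found at $keyFile" }

# Equivalent of 'Manage Private Keys' in the certificate console: Read for the app pool identity.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($AppPoolUser, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify the grant before selecting the certificate under License Info and retyping the password.
(Get-Acl -Path $keyFile).Access |
    Where-Object IdentityReference -like "*$($AppPoolUser.Split('\')[-1])*" |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The thumbprint printed by `Get-ChildItem Cert:\LocalMachine\My` on each server is the quickest way to confirm both appliances now hold the same certificate before testing the connection.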
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.