Common things to check if your OATH tokens (Google Authenticator) are not working.
When you are first setting up AuthLite and having trouble with your OATH tokens:
- When provisioning a token, set the interval to 30 for Google Authenticator. You cannot make the token act differently by choosing a different number than 30, that's not what it does. You will just make AuthLite mistakenly believe the token is running at a 60 second interval and all your OTPs will be wrong.
- Check the TIME is correct on all DCs and your phone or tablet.
- If you are using Google Authenticator on Android, go into Settings -> Time Correction for Codes -> Sync now.
- Check that the time ZONE is set properly on the DCs (it is not enough that the clock looks right, it must know its proper offset to GMT).
- Make sure "OATH digits" are set to "6" in the AuthLite Configuration app under the section "Token Settings". The default is "0" which means do not use OATH tokens. You cannot make your soft tokens use a different number of digits by changing this value, that's not what it does. You will just make AuthLite mistakenly believe the tokens use 8 digits when they do not.
If your old OATH token used to work, but then stopped working:
- The time probably drifted very slowly away from reality on your servers, and then was recently re-synchronized with reality. As they drifted, the DCs did not know it was their fault. They assumed the drift was because you are using tokens with poor clocks, so they kept track of the delta over time. But then after the time fix on the servers, they now acts as if the tokens (who were right all along) have all suddenly reversed their accumulated drift. So the DCs can't understand them any longer. Make sure your servers' time is correct, and run ResetDrift.ps1
If your old OATH tokens work fine but new ones will not work:
- The time has gradually drifted away from reality on your servers and is now out of sync. The DCs didn't know they were drifting. They assumed the drift was because you are using tokens with poor clocks, so they kept kept track of the delta over time. So your old tokens still work fine since the DCs are compensating for their own incorrectness (unknowingly). The new tokens have an initial drift value of zero, and so the DCs cannot understand them. Fix the time on your servers, then run ResetDrift.ps1