The authentication order when authenticating a user with FortiAuthenticator Agent for Microsoft Windows is:
|Username + OTP||→||FortiAuthenticator|
|Username + Password||→||Windows Domain Login|
This is important when diagnosing issues with the login process.
The OTP validation is the first step in the authentication process. The OTP failed error suggests that the FortiAuthenticator is reachable, but the user does not exist on the FortiAuthenticator. There are a few reasons for this to occur:
|User mistyped username (will be visible in the login GUI and FortiAuthenticator logs)||User must reattempt with correct credentials.|
|User has not been provisioned on the FortiAuthenticator||Contact your FortiAuthenticator administrator.|
The OTP failed error suggests that the FortiAuthenticator is reachable, but is responding with an authentication error, i.e. an incorrect username/OTP combination has been entered. There are several reasons for this to occur:
|User is using a token not assigned to them. Only the token assigned to the user in the FortiAuthenticator database can be used for authentication.||Use the assigned FortiToken.|
|The user is configured in FortiAuthenticator but does not have a FortiToken assigned.||Contact your FortiAuthenticator administrator.|
|The user is using a FortiToken OTP (the digits from the token) that has been used previously to authenticate. This may include on another system, or in a previous failed attempt to log into the current system.||Wait for a new OTP to be generated and retry.|
|Token is out of sync.||Log into the FortiAuthenticator portal to resynchronize the token.|
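
The reused-OTP and out-of-sync rows above can be reproduced with a small model. This is an added sketch, not FortiAuthenticator code: it assumes the token behaves like a standard RFC 6238 time-based OTP with a 60-second step, and `OtpValidator`, its drift window, and its return strings are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per OTP (assumed value for this sketch)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP computed over a time-step counter (RFC 6238 TOTP)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpValidator:
    """Hypothetical server-side check: drift window plus replay rejection."""

    def __init__(self, secrets: dict, window: int = 1):
        self.window = window  # accepted clock drift, in time steps
        # username -> [secret, last time step that was accepted]
        self.tokens = {user: [s, -1] for user, s in secrets.items()}

    def validate(self, user: str, otp: str, now: float) -> str:
        if user not in self.tokens:
            return "no user or no token assigned"
        secret, last_used = self.tokens[user]
        current = int(now // STEP)
        for counter in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(totp(secret, counter), otp):
                if counter <= last_used:
                    return "OTP already used"
                # Burned as soon as the OTP step passes, even if the
                # password step fails afterwards.
                self.tokens[user][1] = counter
                return "ok"
        return "OTP mismatch (wrong token or out of sync)"


def demo() -> list:
    alice, bob = b"constructed-secret-A", b"constructed-secret-B"
    v = OtpValidator({"alice": alice, "bob": bob})
    t = 1_700_000_000  # constructed timestamp
    c = t // STEP
    return [
        v.validate("alice", totp(alice, c), t),             # fresh OTP
        v.validate("alice", totp(alice, c), t + 5),         # same OTP again
        v.validate("alice", totp(bob, c), t),               # another user's token
        v.validate("alice", totp(alice, c - 10), t),        # token clock far behind
        v.validate("alice", totp(alice, c + 1), t + STEP),  # next OTP, after waiting
    ]
```

From the server's point of view a wrong token and a badly drifted token look the same, which is why both rows surface as the same error and are told apart only by checking the token assignment or resynchronizing.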
The fact that the logon process has reached the point at which the password is being validated means that the username and FortiToken OTP have been successfully validated. There are several possible reasons for such an error:
|User has mistyped their password.||Retry login with the correct AD password. Remember to wait for a new FortiToken OTP, otherwise the OTP validation will fail. User should follow organizational password reset procedure if problems persist.|
|The user has been deleted from AD since they were imported into FortiAuthenticator.||Contact the AD administrator.|