When using MFA (Multi Factor Authentication) with ExCM (Extranet Collaboration Manager), you might experience the error message, “Unable to validate authorization code.” There are several reasons why this error might appear. It is generated if the user requested an authorization code and entered it incorrectly, or if the timeout period allowed for using the code has expired.

A third, less obvious reason is that the “Default Time Zone” within the Central Administration Web Application settings has been changed from its default. Normally this setting is UNSET and defaults to the SharePoint farm time stamp located in the same time zone where the farm’s servers are located. But let’s say one farm is located in the US and a second farm is located in the UK. Both farms have users logging in using MFA, but some users are in a US time zone and some users are in a UK time zone. In this case, if both farms are set to a US time zone, then the time stamp applied to the MFA authorization code would be a US time stamp. Anyone in the UK trying to sign in would then appear to have exceeded the timeout period allowed to use the authorization code, and would again receive the “Unable to validate authorization code” error.

Here are the instructions for checking the farm Default Time Zone settings.
Within Central Administration, select “Application Management” then “Manage web applications.”

Next you will select your web application. Then, under the Web Application ribbon, select “General Settings.”

Within the Web Application General Settings you will see the “Default Time Zone” and can verify or change the settings.

As a reminder, if the “Default Time Zone” is UNSET, then it defaults to the SharePoint farm time stamp located in the same time zone where the farm’s servers are located.
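The same check can be scripted across every web application in a farm. The following is an added example, not part of the original article or of ExCM; it uses the SharePoint server object model and assumes that a stored time zone ID with no match in the farm's time zone list means the setting is UNSET.

```powershell
# Added example: report the "Default Time Zone" of every web application in this farm.
# Run in an elevated SharePoint Management Shell on a farm server, once per farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Build a lookup from SharePoint time zone ID to its display name.
$zones = @{}
foreach ($tz in [Microsoft.SharePoint.SPRegionalSettings]::GlobalTimeZones) {
    $zones[[int]$tz.ID] = $tz.Description
}

# Time zone of the server this script runs on. Per the article, an UNSET
# web application follows the time zone where the farm's servers are located.
$serverZone = [System.TimeZoneInfo]::Local.DisplayName

$report = Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    $id = [int]$_.DefaultTimeZone
    if ($zones.ContainsKey($id)) {
        $state     = 'Set'
        $effective = $zones[$id]
    }
    else {
        # Assumption: an ID that matches no known zone is treated as UNSET here.
        $state     = 'Unset'
        $effective = "$serverZone (server zone)"
    }
    [pscustomobject]@{
        WebApplication = $_.Url
        State          = $state
        RawZoneId      = $id          # shown so the assumption above can be checked
        EffectiveZone  = $effective
    }
}

$report | Format-Table -AutoSize -Wrap

# List web applications with an explicit zone: these are the ones to compare
# against the farm's physical location when the MFA error appears.
$explicit = @($report | Where-Object { $_.State -eq 'Set' })
if ($explicit.Count -gt 0) {
    Write-Warning ("{0} web application(s) have an explicit Default Time Zone; confirm each matches the farm's location." -f $explicit.Count)
}
```

Run it on each farm and compare the `EffectiveZone` column with where that farm's servers actually are.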
©2019 PremierPoint Solutions. All Rights Reserved.