Window Validation Time Elapsed

Aug 3 at 6:16 PM
Thanks for this plugin!

I've got most things setup and configured, but keep running into the Window Validation Time Elapsed. My ADFS server and DC are synced to the same NTP server, so I'm not sure what's happening. Any pointers in the right direction would be greatly appreciated!

Exception details:
Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationException: user@domain.local : Window validation time elapsed.
at Neos.IdentityServer.MultiFactor.AuthenticationProvider.TryLocking(AuthenticationContext usercontext, IAuthenticationContext context, IProofData proofData, HttpListenerRequest request, Claim[]& claims)
at Neos.IdentityServer.MultiFactor.AuthenticationProvider.TryEndAuthentication(IAuthenticationContext context, IProofData proofData, HttpListenerRequest request, Claim[]& claims)
Aug 7 at 4:06 PM

Thanks for using this component.

When using emails or phone notifications the Delivery Window is managed by the "DeliveryWindows" parameter in the config file. By default it's 300 seconds (5 minutes).
You can manage it with PowerShell (in version 2.0 beta):
PS C:\Users\administrator> $conf = Get-MFAConfig
PS C:\Users\administrator> $conf.DeliveryWindow = 500
PS C:\Users\administrator> Set-MFAConfig -Config $conf
For TOTP codes the DeliveryWindow is always 30 seconds; the code is changing (computed) every 30 seconds by design.
A TOTP code changes every 30 seconds, so the user has to quickly submit the code to ADFS. For a better user experience this property allows to "remember" and accept the current generated code and the x previous. In this case the user has 1,30 minutes max to enter a generated TOTP.
PS C:\Users\administrator> $conf = Get-MFAConfig
PS C:\Users\administrator> $conf.TOTPShadows = 5
PS C:\Users\administrator> Set-MFAConfig -Config $conf
When using TOTP codes with an application (Google Authenticator / Microsoft Authenticator), your device must be correctly synced with your Local Time.
No problem with any time zone.
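To make the two settings above concrete, here is an added example (written for this thread, not code from the plugin or its author) of RFC 6238 TOTP verification with a "shadow" window: the current 30-second code is accepted, and so are the codes of the previous `shadows` steps. The `shadows` parameter is assumed to correspond to the TOTPShadows setting described above; the 20-byte secret is the RFC 6238 test-vector key, used only so the output can be checked against the RFC. The example also generalizes the "1,30 minute" remark into a function that computes the maximum acceptance window for any shadow count.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30  # TOTP step; the thread states that codes rotate every 30 seconds


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, now: int, shadows: int = 2) -> bool:
    """Accept the code of the current step or of any of the `shadows` previous steps.

    `shadows` is assumed to play the role of the TOTPShadows setting from the thread:
    0 means only the current code, N means the current code plus N older ones.
    """
    for back in range(shadows + 1):
        candidate = totp(secret, now - back * STEP_SECONDS)
        # constant-time comparison so the check does not leak how many digits matched
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def acceptance_window_seconds(shadows: int) -> int:
    """Longest time a freshly generated code can stay acceptable:
    the remainder of its own step plus `shadows` further steps."""
    return (shadows + 1) * STEP_SECONDS


# Constructed demo values: RFC 6238 test-vector secret and an arbitrary issue time.
RFC_SECRET = b"12345678901234567890"
ISSUED_AT = 1000  # seconds since the epoch, constructed

if __name__ == "__main__":
    code = totp(RFC_SECRET, ISSUED_AT)
    for delay in (0, 60, 90, 150):
        ok = verify_totp(RFC_SECRET, code, ISSUED_AT + delay, shadows=2)
        print(f"code issued at t, submitted at t+{delay:>3}s, shadows=2 -> accepted={ok}")
    print("max window with 2 shadows:", acceptance_window_seconds(2), "seconds")
```

Every extra shadow keeps an already-used code acceptable for another 30 seconds, so raising TOTPShadows trades a longer replay window for user convenience; the usual advice is to keep it as small as the population's clock drift allows and to fix clock synchronisation rather than widen the window indefinitely.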

Aug 8 at 7:57 PM

Thank you for the response.

I am wondering if the timezone is not converting - the msDS-cloudExtensionAttribute14-16 is showing the time already as UTC, however, when this code was generated, it is actually 11:28:12 local time PST (11:28:12-08:00), not 11:28:12Z


In any event, your help is greatly appreciated!
Aug 10 at 9:37 AM

The time verification is always made in UTC.
Notification notif = RepositoryService.CheckNotification((Registration)usercontext, Config);
if (notif != null)
{
    // Both sides are converted with ToUniversalTime() so the comparison does not depend on the server's local zone.
    // Note: ToUniversalTime() treats a DateTime whose Kind is Unspecified as local time, so a value read back
    // from storage without its Kind must be tagged correctly before it reaches this comparison.
    if (notif.CheckDate.Value.ToUniversalTime() > notif.ValidityDate.ToUniversalTime()) // Always check with Universal Time
    {
        usercontext.UIMode = ProviderPageMode.Locking;
        return new AdapterPresentation(this, context, Resources.GetString(ResourcesLocaleKind.Errors, "ErrorValidationTimeWindowElapsed"), ProviderPageMode.DefinitiveError);
    }
}
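The comparison above is only as good as the zone information attached to the two timestamps. The following added example (not the plugin's code) reproduces the symptom reported earlier in the thread under one assumed mechanism: a local wall-clock reading (11:28:12 in UTC-8) is stored and later read back as if it were UTC (11:28:12Z). All timestamps are constructed; the 300-second window is the default DeliveryWindow stated above. Whether this is the plugin's actual defect is not established by the thread; the example only shows why a UTC comparison still fails when the stored value is mislabelled, and a comparison function that refuses zone-less input instead of guessing.

```python
from datetime import datetime, timedelta, timezone

# Constructed values. UTC-8 matches the "-08:00" offset mentioned in the thread.
LOCAL_ZONE = timezone(timedelta(hours=-8))
DELIVERY_WINDOW = timedelta(seconds=300)  # default DeliveryWindow from the thread

# Wall-clock time at which the notification was generated, as read back from the
# directory attribute: the offset did not survive the round trip, so it is naive.
ISSUED_WALL_CLOCK = datetime(2017, 8, 8, 11, 28, 12)

# The true instant the user submitted the code: two minutes after issue, in UTC
# (11:28:12-08:00 is 19:28:12Z).
CHECK_INSTANT = datetime(2017, 8, 8, 19, 30, 12, tzinfo=timezone.utc)


def window_elapsed(check_date: datetime, validity_date: datetime) -> bool:
    """UTC comparison in the spirit of the ToUniversalTime() check above.

    Naive datetimes are refused rather than silently treated as UTC or local,
    because that silent choice is exactly what produces an 8-hour skew.
    """
    if check_date.tzinfo is None or validity_date.tzinfo is None:
        raise ValueError("timestamps must carry a time zone before comparison")
    return check_date.astimezone(timezone.utc) > validity_date.astimezone(timezone.utc)


def validity_if_read_as(zone: timezone) -> datetime:
    """Attach `zone` to the stored wall-clock reading and add the delivery window."""
    return ISSUED_WALL_CLOCK.replace(tzinfo=zone) + DELIVERY_WINDOW


def elapsed_when_stored_as_utc() -> bool:
    """The stored reading is taken at face value as UTC (11:28:12Z)."""
    return window_elapsed(CHECK_INSTANT, validity_if_read_as(timezone.utc))


def elapsed_when_stored_as_local() -> bool:
    """The same reading is interpreted in the zone it was actually taken in (11:28:12-08:00)."""
    return window_elapsed(CHECK_INSTANT, validity_if_read_as(LOCAL_ZONE))


def apparent_skew_if_read_as_utc() -> timedelta:
    """Distance between the true issue instant and the mislabelled one."""
    true_issue = ISSUED_WALL_CLOCK.replace(tzinfo=LOCAL_ZONE)
    mislabelled = ISSUED_WALL_CLOCK.replace(tzinfo=timezone.utc)
    return true_issue - mislabelled


if __name__ == "__main__":
    print("stored value read as UTC   -> window elapsed:", elapsed_when_stored_as_utc())
    print("stored value read as local -> window elapsed:", elapsed_when_stored_as_local())
    print("skew introduced by the mislabelling:", apparent_skew_if_read_as_utc())
```

The practical check for an administrator is therefore not only "are the clocks synced" but "does the stored timestamp carry the same zone it was written in"; NTP cannot repair an offset that is lost at the storage boundary.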
Aug 17 at 11:39 PM
Hmm, any ideas as to why I'd be getting this error? (multiple users, different phones using the TOTP component). They are all synced to the same NTP server as the ADFS / DC servers.
Aug 21 at 11:55 AM

Yes, the bug is confirmed when you are using ADDS mode.
We will quickly provide an update.

Thanks very much

Marked as answer by redhook on 8/23/2017 at 1:38 AM