General Support
      Back to home
      1. Knowledge Base
      2. General Support

      Things to consider when the SPAS(MFA) Server is offline in an on-premises installation

      If you have an on-premises server and it is offline, here are things to consider with regard to continuation of logins for Windows and Linux systems

      • Offline tokens for WLM logins for the last logged in user of a Windows machine where the user previously signed in successfully online will work up to the OTP Window size defined for the token in the SPAS (default of 30; max of about 180 in the UI)
      • Bypass code, if present on the machine, can be used in place of the OTP/Passcode as needed if the end user is made aware of it
      • Bypass codes can be different on different machines, i.e. servers could be set up with one code while laptops have another, etc.
      • Bypass codes have to be generated by the WLM config tool and then saved to the registry
      • Once the bypass code is in the registry, the value can be copied from there and put into a .reg file or in a GPO to be distributed to other systems
      • Bypass codes should be changed if end users are given the codes and no longer need to use them after the return to service of the SPAS(MFA) server
      • Time based tokens cannot be used offline
      • Linux PAM offline is available with the most recent Linux PAM
      • Offline RADIUS/LDAP/SAML2 is not currently possible
      • Offline FIDO2 is not yet implemented
      • You can delete the credential provider filter in the registry of a Windows machine to disable the MFA requirement, and this can be done via a GPO
      • Counters on event-based tokens will be ahead of the counter info for the tokens in the backed-up copy of the DB so there may be a need to resync event-based tokens after return to service for those tokens used heavily while offline
      • Time-based tokens will function as expected after return to service