Assume that you have HTTP Redirection, URL Rewrite, or an equivalent setting configured for the Internet Information Services (IIS) Web Server. When you try to use One Time Passcode to log in through Multi-Factor Authentication, you receive the following error message:
Incorrect one-time passcode.
The issue may occur if you configured IIS with an HTTP Redirection rule to forward traffic to Multi-Factor Authentication User Portal. When the browser navigates to one_time_passcode.aspx, additional requests can be made to obtain favicon.ico. When IIS redirects those requests to the Login.aspx page, the session is cleared, and the One Time Passcode automatically expires. Therefore, when you enter the One Time Passcode, the server rejects the entry and returns the “Incorrect one-time passcode” error.
Redirect configuration must exclude files such as favicon.ico that occur during the One Time Passcode process. There are many ways to configure HTTP Redirect such as by using the built-in HTTP Redirect module, the URL Rewrite module, or load balancer–based redirects. Contact the administrator who set up the redirect to assist with adjusting the redirect configuration.
Sample redirect configurations
If the server is already configured with URL Rewrite–based redirection, adding an additional rule as follows above the existing rule will cause all requests for favicon.ico to be ignored when the URL Rewrite rules run:
If the server is configured with HTTP Redirect–based redirection, setting the enabled flag to False for the favicon.ico file will cause the HTTP Redirect module to ignore requests for favicon.ico. You can do this by running the following AppCmd line:
appcmd.exe set config "Default Web Site/favicon.ico" -section:system.webServer/httpRedirect /enabled:"False" /commit:Site