Troubleshooting Google Authenticator Issues

Problem Definition

One-Time Passcodes (OTPs) from Google Authenticator or PortalGuard's Mobile App are no longer being accepted. Even re-enrolling the apps on the PortalGuard Account Management page by taking a picture of a new QR code fails.


Google Authenticator’s Time-based OTPs (TOTPs) change every 30 seconds. PortalGuard will honor the “previous”, “current”, and “next” OTPs (a 90-second window), but a PortalGuard server clock that is more than 1 minute slow or 1 minute fast will cause validation problems. For TOTPs, clock skew on the PortalGuard server is a legitimate problem. You can see the current, correct time at
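The effect of server clock skew on the previous/current/next window described above can be reproduced with a short RFC 6238 model. This is an added example, not PortalGuard's code; it assumes HMAC-SHA1, 6-digit codes and a phone with the correct time, and the secret and timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP step, as stated in the article
DIGITS = 6   # Google Authenticator default code length

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed 30-second steps."""
    return hotp(secret, unix_time // STEP)

def server_accepts(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept the previous, current and next step relative to the SERVER clock."""
    step = server_time // STEP
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-window, window + 1))

def tolerated_skew(secret: bytes, true_time: int, limit: int = 120):
    """Return (min, max) server clock error in seconds at which a code
    generated at true_time on a correctly set phone still validates."""
    code = totp(secret, true_time)
    ok = [s for s in range(-limit, limit + 1)
          if server_accepts(secret, code, true_time + s)]
    return min(ok), max(ok)

SECRET = b"constructed-demo-secret"   # constructed sample, not a real enrollment
STEP_START = 1_700_000_010            # constructed timestamp, exactly on a step boundary

if __name__ == "__main__":
    for label, t in (("code generated at start of step", STEP_START),
                     ("code generated at end of step", STEP_START + STEP - 1)):
        lo, hi = tolerated_skew(SECRET, t)
        print(f"{label}: server may be {-lo}s slow to {hi}s fast")
```

In this model a server clock that is a full minute or more off never validates a fresh code, and smaller errors can already fail depending on where in the 30-second step the code was generated.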


Below are the registry settings to configure the PortalGuard server to use the Network Time Protocol (NTP) to pull the time from an external NTP server instead of a local Domain Controller (which can skew).

Registry settings

1) HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

REG_DWORD value: 5

2) HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

REG_SZ value: NTP

3) HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

REG_SZ value:,0x1
NOTE: The default is,0x1. If you use a DNS name, then you add ",0x1" to the DNS name to indicate it's a DNS name and not an IP.

4) Open an Administrative Command Prompt and run the following commands to restart the Windows Time Service:

net stop w32time
net start w32time

5) To tell your system to sync immediately, run the following command from the Administrative Command Prompt:

w32tm /resync /rediscover

With these settings in place, we recommend using Windows Task Scheduler to automatically run the following command daily (e.g. every morning at 2:00am) to ensure the PortalGuard server clock stays in sync:

w32tm /resync /rediscover
