Solved

CommCell Console login fails with "Invalid username/password" when email OTP is disabled and Microsoft Authenticator is enabled

  • February 11, 2026
  • 2 replies
  • 30 views


Hello,

We are testing Two-Factor Authentication on Commvault Platform Release 11.36.83.

Configuration:

- Two-Factor Authentication enabled at CommCell level
- Microsoft Authenticator configured and tested successfully for local admin user
- Email based OTP working correctly
- Windows Integrated Authentication enabled for domain users 

Test scenario:

1. Email OTP enabled → Login via CommCell Console works (password + TOTP appended)
2. Email OTP disabled (enabled "Do not send email with PIN for two-factor authentication")
3. Attempt login via CommCell Console using:
   password + current TOTP code (Microsoft Authenticator)

Result:
Login fails with "Invalid username/password"

Questions:

  • Is Microsoft Authenticator (TOTP) supported as the only second factor for CommCell Console login, without email based OTP enabled?
  • Is email based OTP required for CommCell Console login?
  • Is this expected product behavior or a configuration issue?

Thank you.
 

Best answer by Dheeraj Shetty

Hi @Bulent Batikan Sarikaya,

Commvault 2FA supports PINs generated by authenticator apps (TOTP per RFC‑6238) and these PINs work for the CommCell Console. Users can log in by entering password + 6‑digit PIN (no space). Email is only one way to acquire a PIN; mobile authenticator apps are another.

Email PIN is not required if users are enrolled with a TOTP secret (Microsoft Authenticator / Google Authenticator) and enter the password immediately followed by the 6‑digit code.

This is not the expected product behavior. With 2FA enabled, disabling “send PIN by email” (https://documentation.commvault.com/additionalsetting/disabletfaemail.html) merely stops email delivery; it does not disable the PIN requirement nor prevent TOTP use. “Invalid username/password” typically occurs when the PIN isn’t accepted (secret not set, time drift, formatting, etc.).

- Could you please try to reissue a secret key for 2FA for a test user using this doc: https://documentation.commvault.com/11.40/software/reissuing_secret_key_for_two_factor_authentication_administrator.html
- Check the NTP/time settings on the CommServe/Web Server and the user’s phone. Use a fresh 30-second code.
- In CommCell Console, enter: Password123456 (password immediately followed by the 6-digit code, no spaces).
- Try logging in to Command Center and see if it works.
- Check the EvMgrS.log and WebServer.log at login time to see if there are any PIN validation errors.

Regards,
Dheeraj
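
The time-drift and formatting checks from the answer above can be reproduced offline with the sketch below. It is an added example, not Commvault code and not part of the original post: a minimal RFC 6238 TOTP that splits the combined password + PIN field and reports how many 30-second steps a submitted PIN is offset from the server clock. HMAC-SHA1, the 30-second step, the search window and all function names are assumptions; the secret is the RFC 6238 test key, not a Commvault value.

```python
import base64, hashlib, hmac, struct

STEP = 30    # RFC 6238 default time step in seconds (assumed)
DIGITS = 6   # PIN length mentioned in the thread

def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    s = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # tolerate missing padding
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def split_credential(combined, digits=DIGITS):
    """Split 'password + PIN' typed into one field; None if the tail is not a PIN."""
    pin = combined[-digits:]
    if len(combined) <= digits or not pin.isdigit():
        return None
    return combined[:-digits], pin

def drift_steps(secret_b32, pin, server_time, max_steps=10):
    """Step offset (nearest first) at which `pin` is valid relative to server_time."""
    for n in sorted(range(-max_steps, max_steps + 1), key=abs):
        if hmac.compare_digest(totp(secret_b32, server_time + n * STEP), pin):
            return n
    return None   # wrong secret, stale code, or drift beyond the window

# Constructed sample: the RFC 6238 test key, Base32-encoded as an authenticator app stores it.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    phone_time, server_time = 1111111109, 1111111111   # constructed clocks, one step apart
    password, pin = split_credential("Password" + totp(SECRET, phone_time))
    print("PIN valid at server time:", totp(SECRET, server_time) == pin)
    print("offset in 30 s steps:", drift_steps(SECRET, pin, server_time))
```

A non-zero offset points at clock drift between the phone and the server; `None` points at a wrong or unset secret rather than timing.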

2 replies


Hey Commvault community, does anybody know about the 2FA issue?

