Answers to the following questions can help you get the required information about the authentication issues:
- What error message is the user receiving? Ask the user to provide the full error message text (take a screenshot).
- How many users are affected? The total number of Defender users is also useful for context.
- Were the affected users working previously? If so, when?
- What token types are the affected users using?
- What Defender Security Server version and platform are being used?
- When did the issue start occurring? It is useful to have a time approximation to help match up with the logs.
- Have any changes been made recently? For example, to any Defender components, Active Directory, VPN server, or network.
Obtain the log files from the following location on the Defender Security Server:
%ProgramFiles%\One Identity\Defender\Security Server\Logs
Additionally, obtain user IDs of several affected users. These are required to locate information related to the affected users in the Defender log files. Make sure to obtain the user IDs, not the user names.
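One way to carry out the collection steps above, as an added example rather than One Identity tooling: the script copies log files written since the approximate issue start and lists where each affected user ID appears. The user IDs, start time, and output folder are constructed placeholders, and matching is a plain literal search because no log line format is assumed.

```powershell
# Added example: gather Defender Security Server logs and find entries for affected users.
param(
    [string[]]$UserIds    = @('user001', 'user002'),     # constructed placeholder user IDs
    [datetime]$IssueStart = (Get-Date).AddDays(-2),      # assumed approximate issue start
    [string]$OutDir       = (Join-Path $env:TEMP 'DefenderLogs')  # hypothetical output folder
)

$logDir = Join-Path $env:ProgramFiles 'One Identity\Defender\Security Server\Logs'
if (-not (Test-Path -LiteralPath $logDir)) {
    throw "Log directory not found: $logDir"
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Keep only files written to since the issue began.
$logs = Get-ChildItem -LiteralPath $logDir -File |
    Where-Object { $_.LastWriteTime -ge $IssueStart }
if (-not $logs) {
    Write-Warning "No log files modified since $IssueStart"
    return
}

# Work on copies so the originals on the server stay untouched.
$copies = $logs | Copy-Item -Destination $OutDir -Force -PassThru

foreach ($id in $UserIds) {
    # Literal, case-insensitive match on the user ID.
    $hits = $copies | Select-String -Pattern $id -SimpleMatch
    if (-not $hits) {
        Write-Warning "No entries for '$id'. Check that it is the user ID, not the user name."
        continue
    }

    # Per-file match counts help pick which log to read first.
    $hits | Group-Object Path | ForEach-Object {
        [pscustomobject]@{ UserId = $id; File = Split-Path $_.Name -Leaf; Lines = $_.Count }
    }

    # Save the matching lines with file name and line number for later review.
    $safe = $id -replace '[^\w.-]', '_'
    $hits | ForEach-Object { '{0}:{1}: {2}' -f $_.Filename, $_.LineNumber, $_.Line } |
        Set-Content -Path (Join-Path $OutDir "matches_$safe.txt")
}
```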