-
Title
Defender token failure troubleshooting steps -
Description
If you are an end user, please contact the Defender administrator within your organization, indicating if this is a software or hardware (e.g. GO 3 token) token failure, and the symptoms you are experiencing.
If you are a Defender administrator, first determine if this is a software or hardware token failure. If this is a software token, refer to the troubleshooting steps in the "Resolution" section.
If this is a hardware token and six digits are displayed but authentication is unsuccessful, refer to the troubleshooting steps below. If the display is unusual or blank, refer to Knowledge Article 45444, How to deal with Defender hardware token failures
For more detailed troubleshooting for 'GO' hardware tokens, please refer to Knowledge Article 48828, How to troubleshoot Defender 'GO' token issues. -
Resolution
The Defender administrator should perform the following troubleshooting steps:
1. Check the 'Token Violation' count and reset if necessary: User's "Properties" page, "Defender" tab. Re-test user authentication.
2. 'Reset' the token: User's "Properties" page in AD Users & Computers, "Defender" tab, Select Token, Click on the 'Helpdesk' button and select 'Reset'. Re-test user authentication.
3. Check for the use of a PIN on the token. It may be that the user has forgotten to use the PIN or is using an invalid PIN - reset PIN if necessary.
4. Test the token response in AD Users & Computers - Users Properties page in AD Users & Computers, Defender tab, Select Token, Click on the 'Test' button and enter the token response from the token. This will confirm whether the token is generating valid responses.
5. For software tokens only - Check the date, time and timezone on the workstation or device - this needs to match the DSS. If different modify the settings on the device and re-test.
6. Depending on the token type:
Software tokens: Delete the Desktop token from the workstation or device and unassign from the user in AD Users & Computers, selecting the option to also delete the token when prompted. Program a new token for the user and activate the token on the users workstation. Re-test authentication either via the access device, or by providing the next token response to the administrator for testing within AD Users & Computers.
Hardware tokens: Unassign and re-assign the token to the user. Re-test user authentication.
If the user is still unable to authenticate, please gather the DSS logs for further diagnostics (to be provided to Support), Locating the Defender Security Server Audit Log.