When users have the same token assigned twice (duplicate token) the user may be unable to authenticate to the Defender Security Server (DSS). Error in DSS log, "LDAP Failed: (20) writing user data for CN=username"
This can occur if the user authenticates to two different DSS servers, each DSS authenticating to an LDAP server in a different site, before the site replication can occur with a domain functional level of 2008 or higher.
The issue is caused by the way that multi-value linked attributes are handled by Microsoft Active Directory (AD) replication in a 2008 or higher domain functional level. In Defender this can result in the token appearing to be duplicated when authentications occur within the replication period against two different Domain Controllers within a multi-site environment where AD replication latency occurs.
WORKAROUND 1:
If this is a one time issue, that only affects one, or a small number of users, unassigning the duplicate tokens from the affected users should resolve the issue.
WORKAROUND 2:
Ensure that all DSS servers in your environment have the same list of LDAP servers in the same order. You may also want to test one at a time, to ensure they are all authenticating successfully.
SOLUTION:
If this is a widespread problem affecting many users, it may require changes to your AD configuration.
Enable Change notification on a site link as per the following Technet article:
Enable Change Notification on a Site Link
Once the above change notification is setup, the Bridge head Servers in the respective sites would perform replication as if they were in the same site. This change would speed up replication which might help from a Defender application standpoint.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center