Defender 5.9.3 - Administration Guide

Getting started Managing Defender objects in Active Directory Configuring security tokens Securing VPN access Securing Web sites Securing Windows-based computers Defender Management Portal (Web interface) Securing PAM-enabled services Delegating Defender roles, tasks, and functions Automating administrative tasks Administrative templates Integration with Active Roles Integration with Cloud Access Manager Appendices
Appendix A: Enabling diagnostic logging Appendix B: Troubleshooting common authentication issues Appendix C: Troubleshooting DIGIPASS token issues Appendix D: Defender classes and attributes in Active Directory Appendix E: Defender Event Log messages Appendix F: Defender Client SDK Appendix G: Defender Web Service API

Appendix C: Troubleshooting DIGIPASS token issues

Appendix C: Troubleshooting DIGIPASS token issues

Steps to troubleshoot DIGIPASS hardware token issues are:

Step 1: Determine type of failure

Step 1: Determine type of failure

  1. Determine if this is a token hardware failure.

    If the answer is Yes to any of the next questions, refer to the steps described in One Identity Knowledge Article SOL45444 “Defender token failures” available at https://support.oneidentity.com/defender/kb/45444.

    • Does the token only display 000000?
    • Is the token display blank when the token button is pressed?
    • Is the token display intermittent?
    • Does the token display the same number every time? Note that the number is set to change every 36 seconds.
    • Does the token display batt x, where x indicates the number of months the battery has left?

    If the answer to the above questions is No, go to the next step.

  2. Does the token display dp G0 7 before a number is displayed?

    If so, this means the token is set to display it’s type, that is, DIGIPASS GO 7, before the number. This is not an error. Ask the user to log on with the number displayed. If this is not successful, go to the next step.

    If a six digit number is displayed immediately, go to the next step.

  3. If a token number is displayed as expected, but logon fails, further investigation within Defender and Active Directory may be required.

    Gather and record the following information:

    • Has the user ever successfully logged on with this token, if so, when was the last time the user successfully logged on with the token?
    • What are the user ID and the token serial number?
    • What is the error the user sees when they try to log on?

Step 2: Verify Defender configuration

Step 2: Verify Defender configuration

If a hardware issue has been ruled out by the previous troubleshooting steps, and user logon is failing, refer to the steps below. Typically the user will receive the message “invalid synchronous response”. This may have a number of causes. Follow the process of elimination below to help diagnose the error.

  1. Check the token violation count and reset if necessary by using the Properties dialog box provided for the user in the Active Directory Users and Computers tool (use the Defender tab). Re-test user authentication. Ask the user to retry their token.

    If the issue persists, go to the next step.

  2. Check for the use of a PIN on the token. It may be that the user has forgotten to use the PIN or is using an invalid PIN. Reset PIN if necessary. Ask the user to retry their token.

    If the issue persists, go to the next step.

  3. Reset the token by using the Properties dialog box provided for the user in the Active Directory Users and Computers tool (use the Defender tab). Ask the user to retry their token.

    If the issue persists, go to the next step.

  4. If the user receives an “Access denied” message, make sure the user’s account is listed on the Members tab of the corresponding Access Node, or that the user’s account is a member of a group listed for the Access Node. If the user is not defined, the Defender Security Server log includes the error message “User not valid for this route”.

    If the issue is not resolved by adding the user to the Access Node, go to the next step.

  5. Unassign and then re-assign the token to the user. Re-test user authentication.

Step 3: Gather further diagnostics

Step 3: Gather further diagnostics

If Step 1: Determine type of failure and Step 2: Verify Defender configuration have not resolved the issue, further diagnostics may be required.

The following information may be useful to help diagnosis of the issue when raising a case with One Identity Support.

Default location of the Defender Security Server log files

%ProgramFiles%\One Identity\Defender\Security Server\Logs.

User and token information that may be required

  • Confirmation of token type and serial number.
  • What is the user ID of the user affected?
  • Which organizational unit stores the user’s account in Active Directory?
  • Does the user have more than one token assigned to their account?
  • Has the user ever successfully logged on with this token? If so, when was the last time the user successfully logged on with the token?
  • What is the error the user sees when they try to log on?
  • Do other or all users authenticating via the same route (for example, VPN) experience the same issue?
  • Can a helpdesk response be assigned for this user successfully?

Test token

Test the token response in the Active Directory Users and Computers tool: Open the Properties dialog box for the user, click the Defender tab, select token, click Test, and then enter the token response from the token.

Documentos relacionados