Defender 5.11 - Administration Guide

Step 2: Verify Defender configuration

If a hardware issue has been ruled out by the previous troubleshooting steps, and user logon is failing, refer to the steps below. Typically the user will receive the message “invalid synchronous response”. This may have a number of causes. Follow the process of elimination below to help diagnose the error.

1. Check the token violation count and reset if necessary by using the Properties dialog box provided for the user in the Active Directory Users and Computers tool (use the Defender tab). Re-test user authentication. Ask the user to retry their token.

   If the issue persists, go to the next step.

2. Check for the use of a PIN on the token. It may be that the user has forgotten to use the PIN or is using an invalid PIN. Reset PIN if necessary. Ask the user to retry their token.

   If the issue persists, go to the next step.

3. Reset the token by using the Properties dialog box provided for the user in the Active Directory Users and Computers tool (use the Defender tab). Ask the user to retry their token.

   If the issue persists, go to the next step.

4. If the user receives an “Access denied” message, make sure the user’s account is listed on the Members tab of the corresponding Access Node, or that the user’s account is a member of a group listed for the Access Node. If the user is not defined, the Defender Security Server log includes the error message “User not valid for this route”.

   If the issue is not resolved by adding the user to the Access Node, go to the next step.

5. Unassign and then re-assign the token to the user. Re-test user authentication.

Step 3: Gather further diagnostics

If Step 1: Determine type of failure and Step 2: Verify Defender configuration have not resolved the issue, further diagnostics may be required.

The following information may be useful to help diagnosis of the issue when raising a case with One Identity Support.

Default location of the Defender Security Server log files

%ProgramFiles%\One Identity\Defender\Security Server\Logs.

User and token information that may be required

• Confirmation of token type and serial number.
• What is the user ID of the user affected?
• Which organizational unit stores the user’s account in Active Directory?
• Does the user have more than one token assigned to their account?
• Has the user ever successfully logged on with this token? If so, when was the last time the user successfully logged on with the token?
• What is the error the user sees when they try to log on?
• Do other or all users authenticating via the same route (for example, VPN) experience the same issue?
• Can a helpdesk response be assigned for this user successfully?

Test token

Test the token response in the Active Directory Users and Computers tool: Open the Properties dialog box for the user, click the Defender tab, select token, click Test, and then enter the token response from the token.

Appendix D: Defender classes and attributes in Active Directory

This appendix provides information about the following Microsoft Active Directory schema object classes and attributes:

• Classes defined by Defender
• Classes extended by Defender
• Attributes defined by Defender

Classes defined by Defender

The following is the list of Microsoft Active Directory schema classes that are specifically defined by Defender. Each class has been listed in accordance with the Active Directory schema definitions format as used in the MSDN documentation (for further details, see information on Active Directory Schema published in MSDN at http://msdn.microsoft.com/en-us/library/ms675085(VS.85).aspx). Only attributes that are specific to Defender have been listed; all other attributes are as per the MSDN documentation provided for each respective subclass.

In this section:

• defender-tokenClass
• defender-danClass
• defender-dssClass
• defender-policyClass
• defender-licenseClass
• defender-radiusPayloadClass
• defender-tokenLicenseClass