The default location for the Defender Security Server log files is %ProgramFiles%\One Identity\Defender\Security Server\Logs.
To analyse the Defender Security Server log files, take the following actions:
- Locate an affected user in the Defender Security Server log files by searching for the user’s ID. Each request received by the Defender Security Server is recorded in the log files. The example log messages in this section show records for a user whose user ID is testuser.
- If the user ID cannot be found in the log, then verify that any deployed VPN servers are functioning correctly. The log message shown below would be seen for each request received by Defender regardless of whether or not it was successful.
```
<Time> Radius request: Access-Request for <User Id> from <Client IP> through NAS:<Access Node Name> Request ID: <N/A> Session ID: <Unique Session ID>
```
- Using the Unique Session ID, step through the log messages associated with the user’s session. For example, a successful session looks like this:
```
Tue 18 Aug 2009 11:57:10 Radius Request from 192.168.10.106:2951 Request ID: 31
Tue 18 Aug 2009 11:57:10 Radius request: Access-Request for testuser from 192.100.10.106:2951 through NAS:WebMail Request ID: 31 Session ID: 8A89040F
Tue 18 Aug 2009 11:57:10 User testuser authenticated with Active Directory Password Session ID:8A89040F
Tue 18 Aug 2009 11:57:10 Radius response: Authentication Acknowledged User-Name: testuser, Request ID: 31 Session ID: 8A89040F
```
- Locate the relevant error message reason in the table below and take the recommended actions.
| Message | Meaning | Recommended actions |
|---|---|---|
| | Incorrect token response. | |
| | User’s account is locked in Defender. | Use the Defender Administration Console to reset violation count for the user. |
| | Incorrect Active Directory password. | Verify the correct password is being entered. |
| | Session timed out while waiting for user response. | Verify connectivity between the client and the Defender Security Server on the configured RADIUS port. |
| Radius response: Authentication Rejected User-Name: testuser | This message can be caused by one of the following: | |
| | Active Directory search has failed. This can happen if, for example, the child domain is unavailable. | Verify that the Defender service account has sufficient permissions or is a member of the Domain Administrators group. |
| | The Defender service account does not have sufficient permissions in Active Directory to update the user’s token information. | Verify that the Defender service account has sufficient permissions or is a member of the Domain Administrators group. |
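
The session-tracing steps above can be scripted. The following Python is an added example, not One Identity code: it finds every Access-Request for a user, groups the log lines that share its Session ID, and reports whether the session ended in Authentication Acknowledged or Authentication Rejected. The function name and the second sample session are constructed; that session assumes a rejection record carries Request ID and Session ID fields the same way the acknowledgement does.

```python
import re

# Session 8A89040F is the successful example from this page. Session 8A890410
# is constructed and assumes a rejection is logged in the same shape.
SAMPLE_LOG = """\
Tue 18 Aug 2009 11:57:10 Radius Request from 192.168.10.106:2951 Request ID: 31
Tue 18 Aug 2009 11:57:10 Radius request: Access-Request for testuser from 192.100.10.106:2951 through NAS:WebMail Request ID: 31 Session ID: 8A89040F
Tue 18 Aug 2009 11:57:10 User testuser authenticated with Active Directory Password Session ID:8A89040F
Tue 18 Aug 2009 11:57:10 Radius response: Authentication Acknowledged User-Name: testuser, Request ID: 31 Session ID: 8A89040F
Tue 18 Aug 2009 11:58:02 Radius Request from 192.168.10.106:2960 Request ID: 32
Tue 18 Aug 2009 11:58:02 Radius request: Access-Request for testuser from 192.168.10.106:2960 through NAS:WebMail Request ID: 32 Session ID: 8A890410
Tue 18 Aug 2009 11:58:02 Radius response: Authentication Rejected User-Name: testuser, Request ID: 32 Session ID: 8A890410
"""

ACCESS_REQ = re.compile(
    r"Radius request: Access-Request for (?P<user>\S+) from (?P<client>\S+) "
    r"through NAS:(?P<nas>.+?) Request ID:")
# The page shows the field both with and without a space after the colon.
SESSION_ID = re.compile(r"Session ID:\s*(?P<sid>\S+)")
RESPONSE = re.compile(r"Radius response: Authentication (?P<result>Acknowledged|Rejected)")


def sessions_for_user(log_text, user_id):
    """Return {session_id: details} for every session opened by user_id."""
    sessions = {}
    for line in log_text.splitlines():
        sid_match = SESSION_ID.search(line)
        if not sid_match:
            continue  # the initial "Radius Request from" line has no Session ID
        sid = sid_match.group("sid")
        req = ACCESS_REQ.search(line)
        # Assumption: user IDs are compared case-insensitively.
        if req and req.group("user").lower() == user_id.lower():
            sessions.setdefault(sid, {"client": req.group("client"),
                                      "nas": req.group("nas"),
                                      "outcome": "no response logged",
                                      "lines": []})
        if sid in sessions:
            sessions[sid]["lines"].append(line)
            resp = RESPONSE.search(line)
            if resp:
                sessions[sid]["outcome"] = resp.group("result")
    return sessions


if __name__ == "__main__":
    for sid, s in sessions_for_user(SAMPLE_LOG, "testuser").items():
        print(f"{sid} {s['outcome']} client={s['client']} NAS={s['nas']} lines={len(s['lines'])}")
```

A session left at "no response logged" has an Access-Request but no final RADIUS response in the file, and an empty result means no request for that user ID reached the Defender Security Server.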