In the DSS logs the following errors appear:
"LDAP failed (50) writing user data for [UserCN]"
"LDAP failed (50) writing token data for CN=[TokenCN]"
"Ldap failed (Insufficient Rights) writing DSS status"
Users who are trying to authenticate via Defender receive the response "Invalid synchronous response".
The service account used by Defender (set in Defender Security Server Configuration | Active Directory LDAP | Account name) does not have the necessary permissions to administer the Defender users/tokens. LDAP result code 50 is insufficientAccessRights, so all four log messages point at the same missing delegation.
Use the Delegation Wizard to apply the correct permissions for the service account (see: How to delegate permissions in Defender using the Delegation Wizard):
- Run ADUC (Active Directory Users and Computers)
- Select the Defender Menu
- Select Delegate Control...
- Select the service account Defender is configured to use by clicking Add..., then click Next:
- Select "Defender Security Server" then click Next:
- Click Add... to select the OU where these permissions should be applied, ensuring all Defender users are included. Click Next:
- Click Add... to select the OU where these permissions should be applied, ensuring all Licenses, Tokens, DSS, Access Nodes, Policies and Payloads are included. The default container, Defender, will already be entered here.
- Click Next then click Finish.
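To confirm the delegation took effect (or to see which ACE is missing before re-running the wizard), the ACL of the user OU and of the Defender container can be inspected from a host with the ActiveDirectory RSAT module. This is an added example, not part of the original article; the service account name and the distinguished names are assumptions to replace with your own.

```powershell
# Added check (not from the original article): list the ACEs the Defender
# service account holds on the user OU and on the Defender container.
# Account name and DNs below are assumptions for illustration only.
Import-Module ActiveDirectory

$ServiceAccount = 'CORP\svc-defender'          # assumed: DSS service account (DOMAIN\name)
$Targets = @(
    'OU=Defender Users,DC=corp,DC=example',    # assumed: OU containing the Defender users
    'CN=Defender,DC=corp,DC=example'           # assumed: default Defender container
)

foreach ($dn in $Targets) {
    $acl = Get-Acl -Path "AD:\$dn"

    # Keep only ACEs (explicit or inherited) whose trustee is the service account.
    $aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount }

    Write-Host "== $dn"
    if (-not $aces) {
        Write-Host "   no ACE for $ServiceAccount - delegation missing, re-run the wizard"
        continue
    }

    # A Deny ACE overrides any Allow and still yields LDAP error 50 on writes.
    $deny = $aces | Where-Object { $_.AccessControlType -eq 'Deny' }
    if ($deny) {
        Write-Host "   WARNING: Deny ACE present for $ServiceAccount"
    }

    # ObjectType / InheritedObjectType are schema GUIDs; an all-zero GUID means
    # the right applies to every attribute / object class under this node.
    $aces |
        Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType,
                      ObjectType, InheritedObjectType |
        Format-Table -AutoSize
}
```

The write failures in the log need WriteProperty (and CreateChild for new token objects) to appear in ActiveDirectoryRights on the relevant container; if only GenericRead or no rows are listed, the Delegation Wizard has not been run for that OU.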