This guide is provided for Helpdesk and second-line support administrators within your organization, and is designed to facilitate the troubleshooting process for Defender 'GO' token (e.g. GO 6, GO 7) issues. The instructions below assume the user has reported that their token is not working.
Confirm the token type: for example, GO 6 Defender Handheld token (a hardware token). The instructions provided in this guide are only for troubleshooting 'GO' tokens.
Note: If a user reports that a software token or a non-GO hardware token is not working, please refer to Knowledge Article 45446, Defender token failure troubleshooting steps.
Determine if this is a 'GO' token hardware failure:
If the answer is 'Yes' to any of the following questions, refer to the token returns procedure described in Knowledge Article 45444, How to deal with Defender hardware token failures.
- Does the token turn on?
- Does the token only display 000000?
- Is the token display blank?
- Is the token display intermittent?
- Does the token display the same number every time? Note: the number is set to change every 36 seconds.
- Does the token display batt x, where x indicates the number of months the battery has left?
If the answer is "No" to the above questions, please see the resolution below.
1. Does the token display "dp 60-3" before a number is displayed?
If so, the token is set to display its type (i.e. Digipass GO 3) before the number; this is not an error. Ask the user to log on with the number displayed. If this is not successful, go to the next step. If a six-digit number is displayed immediately, go to the next step.
2. If a token number is displayed as expected, but logon fails, further investigation within the Defender administration and Active Directory may be required.
Gather and record the following information:
- Has the user ever successfully logged on with this token?
- If so, when was the last time the user successfully logged on with the token?
- What is the user ID and the token serial number?
- What is the error the user sees when they try to log on?
Note: Typically the user will receive the message "invalid synchronous response"; this may be due to a variety of causes. Follow the process of elimination below to help diagnose the error.
3. Check the Token Violation count and reset it if necessary (user account's Properties page, Defender tab). Re-test user authentication. Ask the user to retry their token.
4. Check for the use of a PIN on the token. It may be that the user has forgotten to use the PIN or is using an invalid PIN; reset the PIN if necessary. Ask the user to retry their token.
5. Reset the token: on the user's Properties page in AD Users & Computers, open the Defender tab, select the token, click the Helpdesk button and select Reset. Ask the user to retry their token.
6. If the user receives an "Access Denied" message, check whether their account is listed on the Members tab of the access node that they are using, or is a member of a group listed for the access node. The DSS log will show the error message "User not valid for this route" if the user is not defined.
NOTE: The route error can also be triggered if the user does not have a token assigned to their account, but is a part of the membership.
7. Unassign and re-assign the token to the user. Re-test user authentication.
8. In Active Directory, check that the security permissions are set correctly for both the user and the assigned token. Refer to Knowledge Article 48830, Defender GO token Active Directory permission checklist.