Defender 6.6 - Administration Guide


Step 3: Gather further diagnostics

If “Step 1: Gather required information” and “Step 2: Analyze Defender Security Server log” have not resolved the issue, further diagnostics may be required, including collecting environmental details and tracing. Contact One Identity Support for advice on how to enable tracing. You will need to provide the version number of the Defender Administration Console and Defender Security Server you are using. Normally, you can find the Defender trace files in the following location: %ProgramData%\One Identity\Diagnostics.

Appendix C: Troubleshooting DIGIPASS token issues

Steps to troubleshoot DIGIPASS hardware token issues are:

Step 1: Determine type of failure

  1. Determine if this is a token hardware failure.

    If the answer is Yes to any of the next questions, refer to the steps described in One Identity Knowledge Article SOL45444 “Defender token failures”.

    • Does the token only display 000000?
    • Is the token display blank when the token button is pressed?
    • Is the token display intermittent?
    • Does the token display the same number every time? Note that the number is set to change every 36 seconds.
    • Does the token display batt x, where x indicates the number of months the battery has left?

    If the answer to the above questions is No, go to the next step.

  2. Does the token display dp G0 7 before a number is displayed?

    If so, this means the token is set to display its type, that is, DIGIPASS GO 7, before the number. This is not an error. Ask the user to log on with the number displayed. If this is not successful, go to the next step.

    If a six-digit number is displayed immediately, go to the next step.

  3. If a token number is displayed as expected, but logon fails, further investigation within Defender and Active Directory may be required.

    Gather and record the following information:

    • Has the user ever successfully logged on with this token? If so, when was the last time the user successfully logged on with the token?
    • What are the user ID and the token serial number?
    • What is the error the user sees when they try to log on?

Step 2: Verify Defender configuration

If a hardware issue has been ruled out by the previous troubleshooting steps, and user logon is failing, refer to the steps below. Typically the user will receive the message “invalid synchronous response”. This may have a number of causes. Follow the process of elimination below to help diagnose the error.

  1. Check the token violation count and reset if necessary by using the Properties dialog box provided for the user in the Active Directory Users and Computers tool (use the Defender tab). Re-test user authentication. Ask the user to retry their token.

    If the issue persists, go to the next step.

  2. Check for the use of a PIN on the token. It may be that the user has forgotten to use the PIN or is using an invalid PIN. Reset the PIN if necessary. Ask the user to retry their token.

    If the issue persists, go to the next step.

  3. Reset the token by using the Properties dialog box provided for the user in the Active Directory Users and Computers tool (use the Defender tab). Ask the user to retry their token.

    If the issue persists, go to the next step.

  4. If the user receives an “Access denied” message, make sure the user’s account is listed on the Members tab of the corresponding Access Node, or that the user’s account is a member of a group listed for the Access Node. If the user is not defined, the Defender Security Server log includes the error message “User not valid for this route”.

    If the issue is not resolved by adding the user to the Access Node, go to the next step.

  5. Unassign and then re-assign the token to the user. Re-test user authentication.