
Defender 6.5 - Administration Guide


Appendix B: Troubleshooting common authentication issues

If users are experiencing problems authenticating via Defender, there are a number of possible causes, ranging from VPN issues to individual token failures. To help identify the cause, collect the information described below and send it to One Identity Software Support; it provides the context and diagnostic detail needed to isolate the problem.

Step 1: Gather required information

Answers to the following questions can help you get the required information about the authentication issues:

  • What error message is the user receiving? Ask the user to provide the full error message text (make a screenshot).
  • How many users are affected? The total number of Defender users is also useful for context.
  • Were the affected users working previously? If so, when?
  • What token types are the affected users using?
  • What Defender Security Server version and platform are being used?
  • When did the issue start occurring? It is useful to have a time approximation to help match up with the logs.
  • Have any changes been made recently? For example, to any Defender components, Active Directory, the VPN server, or the network.

Obtain the log files from the following location on the Defender Security Server:

%ProgramFiles%\One Identity\Defender\Security Server\Logs

Additionally, obtain user IDs of several affected users. These are required to locate information related to the affected users in the Defender log files. Make sure to obtain the user IDs, not the user names.

Step 2: Analyze Defender Security Server log

The default location for the Defender Security Server log files is %ProgramFiles%\One Identity\Defender\Security Server\Logs.

To analyze the Defender Security Server log files, take the following actions:

  1. Locate an affected user in the Defender Security Server log files by searching for the user’s ID. Each request received by the Defender Security Server is recorded in the log files. The example log messages in this section show records for a user whose user ID is testuser.
  2. If the user ID cannot be found in the log, verify that any deployed VPN servers are functioning correctly. The log message shown below is written for each request received by Defender, regardless of whether or not the request was successful.

    <Time> Radius request: Access-Request for <User Id> from <Client IP> through NAS:<Access Node Name> Request ID: <N/A> Session ID: <Unique Session ID>

  3. Using the Unique Session ID, cycle through the log messages associated with the user’s session. For example, a successful session looks like this:

    Tue 18 Aug 2009 11:57:10 Radius Request from 192.168.10.106:2951 Request ID: 31
    Tue 18 Aug 2009 11:57:10 Radius request: Access-Request for testuser from 192.100.10.106:2951 through NAS:WebMail Request ID: 31 Session ID: 8A89040F
    Tue 18 Aug 2009 11:57:10 User testuser authenticated with Active Directory Password Session ID:8A89040F
    Tue 18 Aug 2009 11:57:10 Radius response: Authentication Acknowledged User-Name: testuser, Request ID: 31 Session ID: 8A89040F

  4. Locate the relevant error message reason in the table below and take the recommended actions.

Table 37: Defender Security Server log error messages

Message:
  Reason: Invalid response
  Radius response: Authentication rejected
  User-Name: testuser
Meaning:
  Incorrect token response.
Recommended actions:
  • Verify the correct response is being entered.
  • Check the response in the administration console.
  • Check whether a PIN is configured for the user.

Message:
  Reason: Account locked out due to invalid attempts
  Radius response: Authentication Rejected
  User-Name: testuser
Meaning:
  The user’s account is locked in Defender.
Recommended actions:
  • Use the Defender Administration Console to reset the violation count for the user.

Message:
  Reason: Invalid password
  Radius response: Authentication Rejected
  User-Name: testuser
Meaning:
  Incorrect Active Directory password.
Recommended actions:
  • Verify the correct password is being entered.

Message:
  authentication abandoned user testuser
Meaning:
  The session timed out while waiting for the user’s response.
Recommended actions:
  • Verify connectivity between the client and the Defender Security Server on the configured RADIUS port.

Message:
  Reason: User not valid for this route
  Radius response: Authentication Rejected
  User-Name: testuser
Meaning:
  This message can be caused by one of the following:
  • The user is not a member of the Access Node.
  • The user does not have a token.
  • The user is not a Defender user.
  • There is no license available for the user.
  • The client IP is not permitted by the Access Node.
Recommended actions:
  • Verify the members of the Access Node.
  • Verify the user has a Defender token assigned.
  • Verify that suitable licenses exist.
  • Verify that the client IP is permitted by the Access Node.

Message:
  Domain Search from CN=testuser,CN=Users,DC=child,DC=democorp,DC=local took 57 seconds
  LDAP failed (-1)finding user testuser
Meaning:
  The Active Directory search has failed. This can happen if, for example, the child domain is unavailable.
Recommended actions:
  • Verify that the Defender service account has sufficient permissions or is a member of the Domain Administrators group.

Message:
  LDAP failed (50) writing token data for CN=PDWIN1348400003,OU=Tokens,OU=Defender,DC=democorp,DC=local
  Failed to write token data to LDAP
Meaning:
  The Defender service account does not have sufficient permissions in Active Directory to update the user’s token information.
Recommended actions:
  • Verify that the Defender service account has sufficient permissions or is a member of the Domain Administrators group.
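The log-search and triage procedure of Steps 1 to 4, as an added Python example that is not part of this guide or of the Defender product: it groups Defender Security Server log lines by Session ID, keeps the sessions of one user ID, and maps each rejected session's Reason to the recommended action from Table 37. The sample log is constructed from the line shapes shown above; where the Reason text sits within a response line is an assumption, and the actions are abbreviated.

```python
import re
from collections import defaultdict
# Line shapes taken from the guide's examples; Reason placement on the response line is assumed.
SESSION_RE = re.compile(r"Session ID:\s*(\S+)")
REQUEST_RE = re.compile(r"Access-Request for (\S+) from (\S+) through NAS:(\S+)")
RESPONSE_RE = re.compile(r"Radius response: Authentication (\w+)")
REASON_RE = re.compile(r"Reason: (.+?)(?=\s+(?:Radius response|User-Name|Session ID):|,|$)")
# Abbreviated recommended actions for the reasons listed in Table 37.
ACTIONS = {
    "Invalid response": "Verify the token response entered and whether a PIN is configured.",
    "Account locked out due to invalid attempts": "Reset the user's violation count.",
    "Invalid password": "Verify the Active Directory password being entered.",
    "User not valid for this route": "Verify Access Node membership, token, license and client IP.",
}
# Constructed sample log: one successful and two rejected sessions (not real log data).
SAMPLE_LOG = """\
Tue 18 Aug 2009 11:57:10 Radius request: Access-Request for testuser from 192.168.10.106:2951 through NAS:WebMail Request ID: 31 Session ID: 8A89040F
Tue 18 Aug 2009 11:57:10 User testuser authenticated with Active Directory Password Session ID:8A89040F
Tue 18 Aug 2009 11:57:10 Radius response: Authentication Acknowledged User-Name: testuser, Request ID: 31 Session ID: 8A89040F
Tue 18 Aug 2009 12:03:41 Radius request: Access-Request for testuser from 192.168.10.106:2952 through NAS:WebMail Request ID: 32 Session ID: 1B2C3D4E
Tue 18 Aug 2009 12:03:49 Reason: Invalid response Radius response: Authentication Rejected User-Name: testuser, Request ID: 32 Session ID: 1B2C3D4E
Tue 18 Aug 2009 12:10:02 Radius request: Access-Request for otheruser from 192.168.10.107:2953 through NAS:WebMail Request ID: 33 Session ID: 5F6A7B8C
Tue 18 Aug 2009 12:10:02 Reason: User not valid for this route Radius response: Authentication Rejected User-Name: otheruser, Request ID: 33 Session ID: 5F6A7B8C
""".splitlines()

def triage(lines, user_id):
    # Steps 1 and 3: group lines by Session ID and record user, NAS, result and reason.
    sessions = defaultdict(dict)
    for line in lines:
        if not (sid := SESSION_RE.search(line)):
            continue  # a line without a Session ID cannot be tied to a session
        s = sessions[sid.group(1)]
        if m := REQUEST_RE.search(line):
            s["user"], s["nas"] = m.group(1), m.group(3)
        if m := RESPONSE_RE.search(line):
            s["result"] = m.group(1).lower()
        if m := REASON_RE.search(line):
            s["reason"] = m.group(1).strip()
    # Step 4: keep only user_id's sessions and map each outcome to a recommended action.
    report = []
    for sid, s in sessions.items():
        if s.get("user") != user_id:
            continue
        if s.get("result") == "acknowledged":
            action = "No action: authentication succeeded."
        else:
            action = ACTIONS.get(s.get("reason"), "Unlisted reason: collect the logs for support.")
        report.append((sid, s.get("nas"), s.get("result"), s.get("reason"), action))
    return report
```

Run `triage(open(path).read().splitlines(), "testuser")` against a real log file from the Logs directory named above to get one tuple per session for that user ID.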

Step 3: Gather further diagnostics

If Step 1: Gather required information and Step 2: Analyze Defender Security Server log have not resolved the issue, further diagnostics may be required, including collecting environmental details and tracing. Contact One Identity Support for advice on how to enable tracing. You will need to provide the version number of the Defender Administration Console and Defender Security Server you are using. Normally, you can find the Defender trace files in the following location: %ProgramData%\One Identity\Diagnostics.
