Defender Quick Troubleshooting Guide: Authentication Issues


Introduction

This guide is provided for use by Defender administrators to help troubleshoot common Defender authentication issues. It also provides information on how to gain additional diagnostics for use by Quest Support.

Troubleshooting Common Authentication Issues

General Authentication Issues

If users are experiencing problems authenticating via an existing Defender system, there are a number of possible causes, ranging from VPN issues through to individual token failures. To help identify the cause, the information below is useful to collect and send to Quest Support, as it provides important contextual and diagnostic information. For help understanding specific log messages, refer also to Analyzing the Defender Security Server log in the following section.

Troubleshooting Stage 1: Gathering the Required Information

1. What error message is the user receiving? Take a screenshot, or copy and paste the full error message.
2. How many users are affected? The total number of Defender users is also useful, to put the figure into context.
3. Were the affected users working previously? If so, when?
4. What token type(s) are the affected users using? For example Go-3, Desktop Token, Quest Soft Token for BlackBerry.
5. What version and platform of Defender is being used? The Defender Security Server version is shown under Security Servers in the Administration Console, e.g. 5.5.0.907 on Windows 2003 32-bit.
6. When did the issue start occurring? An approximate time helps match the report against the logs.
7. Have any changes been made recently? For example to Defender, Active Directory, the VPN server or the network.
8. Obtain a copy of the Defender Security Server log. Location: <DEFENDER_HOME>\DSS Active Directory Edition\Logs\
9. Obtain a couple of user IDs of the affected users. These are required to locate the user in the log. Make sure to obtain the user's user ID (the logon name that appears in the log) rather than the user's display name.

Troubleshooting Stage 2: Analyzing the Defender Security Server log

The default location for the Defender Security Server log is: <DEFENDER_HOME>\DSS Active Directory Edition\Logs\

Follow the steps below:

1. Try to locate an affected user in the DSS log by searching for their user ID. Each request received by Defender will appear in the DSS log. The examples below show a user ID of testuser. If the user ID cannot be found in the log, no request for that user reached the DSS: verify that any deployed VPN servers (the RADIUS clients) are functioning correctly and are sending to the right DSS address and port. See also Go-x Token Issues to help rule out hardware token failures. The log message shown below is written for each request received by Defender, regardless of whether or not it was successful:

   <Time> Radius request: Access-Request for <Userid> from <Client_IP> through NAS:<Access Node Name> Request ID: <N/A> Session ID: <Unique Session ID>

2. Using the Unique Session ID, cycle through the log messages associated with the user's session. The Session ID is written with slightly different spacing on different lines ("Session ID: X", "Session ID:X" and "Session ID X"), so search on the hexadecimal value rather than the whole phrase. For example, a successful session will look like:

   Tue 18 Aug 2009 11:57:10 Radius Request from 192.168.10.106:2951 Request ID: 31
   Tue 18 Aug 2009 11:57:10 Radius request: Access-Request for testuser from 192.168.10.106:2951 through NAS:WebMail Request ID: 31 Session ID: 8A89040F
   Tue 18 Aug 2009 11:57:10 User testuser authenticated with Active Directory Password Session ID:8A89040F
   Tue 18 Aug 2009 11:57:10 Radius response: Authentication Acknowledged User-Name: testuser, Request ID: 31 Session ID: 8A89040F
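Step 1 says that a user ID missing from the DSS log points at the VPN/NAS side rather than at Defender. The quickest way to separate "the NAS never sends" from "the DSS never answers" is to send one RADIUS Access-Request to the DSS yourself and see whether the request line quoted above appears in the log. The following Python script does that; it is an added example, not Quest code or anything from the Defender guide, and uses only the standard library. It builds an RFC 2865 Access-Request with the User-Password attribute obfuscated under the shared secret, then checks the Response Authenticator of the reply, so a wrong shared secret shows up as a distinct failure rather than as a silent reject. The host name, shared secret, NAS identifier, user name and password are placeholders. Run it from the NAS host itself so the source IP matches the access node, and use a known-good credential: a wrong response still counts against the user's Violation Count.

```python
"""Send one RADIUS Access-Request (RFC 2865) to a Defender Security Server and check the reply.

Added example, not Quest code. Standard library only.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_IDENTIFIER = 1, 2, 4, 32
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def encode_user_password(secret, authenticator, password):
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_user_password(secret, authenticator, encoded):
    """Inverse of encode_user_password (what the server does); trailing padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """One Type-Length-Value attribute; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, username, password, nas_ip, nas_id, authenticator=None):
    """Return (packet, request_authenticator). The authenticator must be fresh and unpredictable."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, encode_user_password(secret, authenticator, password.encode()))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_reply(secret, request_authenticator, identifier, code, attrs=b""):
    """What the server sends back: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, request_authenticator, identifier, packet):
    """Return (code, name) for a genuine reply, or (None, diagnosis) if it cannot be trusted."""
    if len(packet) < 20:
        return None, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != identifier or length < 20 or length > len(packet):
        return None, "identifier or length mismatch (reply to a different request?)"
    packet = packet[:length]
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None, "bad Response Authenticator: shared secret mismatch or forged reply"
    return code, CODE_NAMES.get(code, "code %d" % code)


def probe(dss_host, secret, username, password, nas_ip, nas_id, port=1812, timeout=5.0):
    """Send one request and classify the outcome. Port 1812 is the RFC 2865 default; use the DSS's configured port."""
    identifier = os.urandom(1)[0]
    packet, req_auth = build_access_request(secret, identifier, username, password, nas_ip, nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (dss_host, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None, "no reply: DSS not running, wrong port, or a firewall between this host and the DSS"
    return verify_response(secret, req_auth, identifier, reply)


if __name__ == "__main__":
    # Placeholder values; replace with the access node's real shared secret and a test account.
    print(probe("dss.example.local", b"shared-secret", "testuser", "Password1", "192.168.10.106", "WebMail"))
```

A reply of Access-Reject is still good news for connectivity: the DSS received the request, and its reason will be in the log under the Session ID. "No reply" means the request (or the answer) is being dropped on the path, and "bad Response Authenticator" means the shared secret on the NAS and the access node differ. Keep in mind that User-Password is only obfuscated, not encrypted, so send the probe over the same network path the NAS uses and not across an untrusted segment.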

3. Locate the relevant error message in the table below and take the appropriate action.

   Log message:
     Tue 18 Aug 2009 10:28:38 Reason: Invalid response Session ID 8A74430E
     Tue 18 Aug 2009 10:28:38 Radius response: Authentication Rejected User-Name: testuser, Request ID: 4 Session ID: 8A74430E
   Meaning: Incorrect token response.
   Action:
     i) Verify the correct response is being entered.
     ii) Check the response in the Administration Console.
     iii) Check whether a PIN is configured for the user, and whether the user is entering it.

   Log message:
     Tue 18 Aug 2009 11:51:30 Reason: Account locked out due to invalid attempts Session ID 8A87B20B
     Tue 18 Aug 2009 11:51:30 Radius response: Authentication Rejected User-Name: testuser, Request ID: 28 Session ID: 8A87B20B
   Meaning: The user's account is locked in Defender.
   Action: Reset the user's Violation Count via the Administration Console. Before doing so, look at the Access-Request lines for the rejected sessions and confirm that the failed attempts came from the user's usual client IP and access node; a lockout caused by attempts the user did not make should be treated as a possible attack on the account, not simply cleared.

   Log message:
     Tue 18 Aug 2009 11:09:09 Reason: Invalid password Session ID 8A7D911C
     Tue 18 Aug 2009 11:09:09 Radius response: Authentication Rejected User-Name: testuser, Request ID: 12 Session ID: 8A7D911C
   Meaning: Incorrect AD password.
   Action: Verify the correct password is being entered.

   Log message:
     Tue 18 Aug 2009 11:39:07 authentication abandoned user testuser Session ID: 8A83ED05
   Meaning: Session abandoned (timed out) while waiting for the user's response.
   Action: Verify connectivity between the client and the DSS on the configured RADIUS port.

   Log message:
     Tue 18 Aug 2009 11:30:16 Reason: User not valid for this route Session ID 8A82B803
     Tue 18 Aug 2009 11:30:16 Radius response: Authentication Rejected User-Name: testuser, Request ID: 23 Session ID: 8A82B803
   Meaning: One of the following: the user is not a member of the access node; the user does not have a token; the user is not a Defender user; there is no license available for the user; the client IP is not permitted by the access node.
   Action:
     i) Verify the members of the access node.
     ii) Verify the user has a Defender token assigned.
     iii) Verify that suitable licenses exist.
     iv) Verify the client IP against the access node.

   Log message:
     Tue 18 Aug 2009 10:15:38 Domain Search from CN=testuser,CN=Users,DC=child,DC=democorp,DC=local took 57 seconds
     Tue 18 Aug 2009 10:15:38 LDAP failed (-1) finding user testuser
   Meaning: AD search failure, for example if the required child domain is unavailable.
   Action: Check the DSS log for errors relating to the DC or LDAP connection.

   Log message:
     Tue 18 Aug 2009 11:22:06 LDAP failed (50) writing token data for CN=PDWIN1348400003,OU=Tokens,OU=Defender,DC=democorp,DC=local
     Tue 18 Aug 2009 11:22:06 Failed to write token data to LDAP Session ID 8A80CE0C
   Meaning: The Defender service account has insufficient AD permissions to update the user's token information.
   Action: Verify that the Defender service account has suitable permissions, or is a member of the Domain Admins group. Delegating write access on the token objects (the Tokens OU under the Defender OU shown in the DN above) is the least-privilege option and is preferable to Domain Admins membership for a service account.
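Steps 2 and 3 above amount to a fixed procedure: group the log lines by Session ID, find the request line (user, client IP, access node), find the Reason or abandonment line, and look the reason up in the table. The following Python script, added here as an example and not part of the Quest guide, runs that procedure over a log excerpt constructed from the line formats quoted in this section (the sample, the Request IDs 15 and 26 it uses, and the meaning/action strings are this example's own, paraphrasing the table). It also reports a user ID that has no Access-Request at all, which is the step 1 "check the VPN" case, and counts rejected sessions per client IP so that a lockout can be checked for being the user's own attempts before the Violation Count is reset.

```python
"""Group Defender Security Server log lines by Session ID and explain each outcome.

Added example, not Quest code. The sample log below is constructed from the line shapes quoted in the guide.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")
REQUEST_RE = re.compile(r"Access-Request for (?P<user>\S+) from (?P<client>[\d.]+):\d+ through NAS:(?P<nas>\S+)")
SESSION_RE = re.compile(r"Session ID:?\s*(?P<sid>[0-9A-Fa-f]+)")   # "Session ID: X", "Session ID:X", "Session ID X"
REASON_RE = re.compile(r"Reason: (?P<reason>.+?) Session ID")

# Meaning/action pairs paraphrased from the troubleshooting table in this guide.
REASON_TABLE = {
    "Invalid response": ("Incorrect token response",
                         "Verify the response, test it in the console, check whether a PIN is configured"),
    "Account locked out due to invalid attempts": ("Account locked in Defender",
                         "Confirm the failed attempts were the user's own, then reset the Violation Count"),
    "Invalid password": ("Incorrect AD password", "Verify the AD password being entered"),
    "User not valid for this route": ("Not permitted on this access node",
                         "Check access node members, token assignment, licenses and the client IP"),
}

SAMPLE_LOG = """\
Tue 18 Aug 2009 10:15:38 Domain Search from CN=testuser,CN=Users,DC=child,DC=democorp,DC=local took 57 seconds
Tue 18 Aug 2009 10:15:38 LDAP failed (-1) finding user testuser
Tue 18 Aug 2009 10:28:38 Radius request: Access-Request for testuser from 192.168.10.106:2951 through NAS:WebMail Request ID: 4 Session ID: 8A74430E
Tue 18 Aug 2009 10:28:38 Reason: Invalid response Session ID 8A74430E
Tue 18 Aug 2009 10:28:38 Radius response: Authentication Rejected User-Name: testuser, Request ID: 4 Session ID: 8A74430E
Tue 18 Aug 2009 11:22:06 Radius request: Access-Request for testuser from 192.168.10.106:2951 through NAS:WebMail Request ID: 15 Session ID: 8A80CE0C
Tue 18 Aug 2009 11:22:06 LDAP failed (50) writing token data for CN=PDWIN1348400003,OU=Tokens,OU=Defender,DC=democorp,DC=local
Tue 18 Aug 2009 11:22:06 Failed to write token data to LDAP Session ID 8A80CE0C
Tue 18 Aug 2009 11:30:16 Radius request: Access-Request for testuser from 192.168.10.106:2951 through NAS:WebMail Request ID: 23 Session ID: 8A82B803
Tue 18 Aug 2009 11:30:16 Reason: User not valid for this route Session ID 8A82B803
Tue 18 Aug 2009 11:30:16 Radius response: Authentication Rejected User-Name: testuser, Request ID: 23 Session ID: 8A82B803
Tue 18 Aug 2009 11:39:07 Radius request: Access-Request for testuser from 192.168.10.106:2951 through NAS:WebMail Request ID: 26 Session ID: 8A83ED05
Tue 18 Aug 2009 11:39:07 authentication abandoned user testuser Session ID: 8A83ED05
Tue 18 Aug 2009 11:51:30 Radius request: Access-Request for testuser from 192.168.10.106:2951 through NAS:WebMail Request ID: 28 Session ID: 8A87B20B
Tue 18 Aug 2009 11:51:30 Reason: Account locked out due to invalid attempts Session ID 8A87B20B
Tue 18 Aug 2009 11:51:30 Radius response: Authentication Rejected User-Name: testuser, Request ID: 28 Session ID: 8A87B20B
Tue 18 Aug 2009 11:57:10 Radius Request from 192.168.10.106:2951 Request ID: 31
Tue 18 Aug 2009 11:57:10 Radius request: Access-Request for testuser from 192.168.10.106:2951 through NAS:WebMail Request ID: 31 Session ID: 8A89040F
Tue 18 Aug 2009 11:57:10 User testuser authenticated with Active Directory Password Session ID:8A89040F
Tue 18 Aug 2009 11:57:10 Radius response: Authentication Acknowledged User-Name: testuser, Request ID: 31 Session ID: 8A89040F
"""


def parse_sessions(log_text):
    """Return ({session_id: summary}, [DC/LDAP lines that carry no Session ID])."""
    sessions = defaultdict(lambda: {"ts": None, "user": None, "client": None, "nas": None,
                                    "outcome": "Incomplete", "reason": None, "lines": []})
    unsessioned = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        sm = SESSION_RE.search(msg)
        if not sm:
            if "LDAP" in msg or "Domain Search" in msg:   # DC/LDAP errors are logged outside the session
                unsessioned.append(msg)
            continue
        s = sessions[sm.group("sid").upper()]
        s["ts"] = s["ts"] or ts
        s["lines"].append(msg)
        rm = REQUEST_RE.search(msg)
        if rm:
            s.update(user=rm["user"], client=rm["client"], nas=rm["nas"])
        rs = REASON_RE.search(msg)
        if rs:
            s["reason"] = rs["reason"]
        if "Authentication Acknowledged" in msg:
            s["outcome"] = "Accepted"
        elif "Authentication Rejected" in msg:
            s["outcome"] = "Rejected"
        elif "authentication abandoned" in msg:
            s["outcome"] = "Abandoned"
        elif "Failed to write token data" in msg:
            s["outcome"], s["reason"] = "Error", "Failed to write token data to LDAP"
    return dict(sessions), unsessioned


def explain(session):
    """Map a session to (meaning, action); unknown reasons are flagged rather than guessed."""
    if session["outcome"] == "Accepted":
        return "Authenticated", "No action"
    if session["outcome"] == "Abandoned":
        return "Timed out waiting for the user's response", "Verify client-to-DSS connectivity on the RADIUS port"
    if session["outcome"] == "Error":
        return "Service account cannot update the token object", "Grant it write access to the token objects"
    return REASON_TABLE.get(session["reason"], ("Unrecognised reason", "Read the full session in the DSS log"))


def sessions_for_user(sessions, user_id):
    """Empty result means no request for this user ID reached the DSS: look at the NAS/VPN side first."""
    return [(sid, s) for sid, s in sessions.items() if s["user"] == user_id]


def rejecting_clients(sessions, threshold=3):
    """Client IPs with at least `threshold` rejected sessions: check these before resetting a Violation Count."""
    counts = Counter(s["client"] for s in sessions.values() if s["outcome"] == "Rejected" and s["client"])
    return {ip: n for ip, n in counts.items() if n >= threshold}


def report(log_text, user_id):
    sessions, ldap_lines = parse_sessions(log_text)
    hits = sessions_for_user(sessions, user_id)
    out = [] if hits else ["%s: no Access-Request in this log; check the VPN/NAS is sending to this DSS" % user_id]
    for sid, s in hits:
        meaning, action = explain(s)
        out.append("%s %s %s via %s from %s: %s [%s] -> %s"
                   % (s["ts"], sid, s["outcome"], s["nas"], s["client"], meaning, s["reason"] or "-", action))
    out += ["LDAP/DC: " + msg for msg in ldap_lines]
    out += ["%s produced %d rejected sessions; confirm these were the user's own attempts" % (ip, n)
            for ip, n in rejecting_clients(sessions).items()]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, "testuser"))
```

Point `report()` at the real log file contents and a user ID from Stage 1 step 9. The per-client rejection count is a deliberate addition to the page's procedure: three rejected sessions from one address in an hour is what an ordinary user produces, but the same count from an address the user never connects from is not a helpdesk ticket.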

Troubleshooting Stage 3: Gathering Further Diagnostics

If the above troubleshooting steps have not resolved the issue, further diagnostics may be required, including further environmental details and tracing. Contact Quest Support for advice on how to enable tracing. They will need to know which version of the console and/or DSS is being used:

Administration Console (MMC snap-in): The About dialog contains the version information for the console. It is reached from the Defender menu option, which is available when the Defender OU is selected within AD Users & Computers.

Defender Security Server: The version number for the DSS can be found on the DSS Properties dialog within AD Users & Computers, or from within the DSS logs.

In general, trace files are located in:

For Windows 2003/XP:
  C:\Documents and Settings\All Users\Application Data\Quest Software\Diagnostics
  or C:\Documents and Settings\All Users\Application Data\PassGo Technologies\Diagnostics

For Windows 2008/Vista:
  C:\ProgramData\Quest Software\Diagnostics

Trace output records user IDs and request details, so send it to Support only over the channel they specify and remove the trace files, and disable tracing, once the case is closed.

Go-x Token Issues

This section is designed to facilitate the troubleshooting process for Defender Go-x (e.g. Go-3) token issues in particular. It is designed for use by Defender Helpdesk users, who may receive an initial report from a user that their token is not working.

Troubleshooting Stage 1: Determining the Type of Failure

1. Confirm the token type. The instructions provided in this guide are only for troubleshooting Go-x tokens.

   [Figure 1: Defender Go-3 Token]
   [Figure 2: Defender Go-6 Token]

   If a user reports a software token as not working, please refer to the previous section and/or Quest Knowledgebase solution SOL45446.

2. Determine if this is a token hardware failure. If the answer is Yes to any of the following questions, refer to the Token returns procedure described in Quest Knowledgebase solution SOL45444:
   - Does the token only display 000000?
   - Is the token display blank when the token button is pressed?
   - Is the token display intermittent?
   - Does the token display the same number every time? Note that the number is set to change every 36 seconds.
   - Does the token display batt x, where x indicates the number of months of battery life remaining?

   If the answer is No to all of the above questions, go to the next step.

3. Does the token display dp G0-3 before a number is displayed? If so, the token is set to display its type, i.e. Digipass Go-3, before the number; this is not an error. Ask the user to log on with the number displayed; if this is not successful, go to the next step. If a six-digit number is displayed immediately, go to the next step.

4. If a token number is displayed as expected but logon fails, further investigation within Defender and Active Directory may be required. Gather and record the following information:
   - Has the user ever successfully logged on with this token? If so, when was the last time the user successfully logged on with the token?
   - What is the user ID and the token serial number?
   - What is the error the user sees when they try to log on?

Troubleshooting Stage 2: Verifying the Defender Configuration

If a hardware issue has been ruled out by the previous steps and user logon is still failing, refer to the steps below. Typically the user will receive the message "invalid synchronous response"; this may have a number of causes. Follow the process of elimination below to help diagnose the error.

1. Check the Token Violation count and reset it if necessary (username Properties page, Defender tab). Before resetting, confirm from the DSS log that the failed attempts came from the user's own client and access node. Ask the user to retry their token. If the issue is not resolved, go to the next step.
2. Check for the use of a PIN on the token. It may be that the user has forgotten to use the PIN or is using an invalid PIN; reset the PIN if necessary. Ask the user to retry their token. If the issue is not resolved, go to the next step.
3. Reset the token: username Properties page in AD Users & Computers, Defender tab, select the token, click the Helpdesk button and select Reset. Ask the user to retry their token. If the issue is not resolved, go to the next step.
4. If the user receives an Access Denied message, check whether their account is listed on the Members tab of the access node that they are using, or whether their account is a member of a group listed for the access node. The DSS log will show the error message "User not valid for this route" if the user is not defined. Add the user only if they are entitled to that route; a missing membership can be deliberate. If the issue is not resolved by adding the user to this access node, go to the next step.
5. Unassign and re-assign the token to the user. Re-test user authentication. If the user is still unable to authenticate using their token, refer to the next section for guidance on raising this issue with Quest Support.

Troubleshooting Stage 3: Gathering Further Diagnostics

The following information may be useful to help diagnose the issue when raising it with Quest Support. It is useful to also indicate any relevant observations from the results of the tests on the previous pages.

Diagnostics:
- Send the DSS logs corresponding to the time of the authentication request, from <DEFENDER_HOME>\DSS Active Directory Edition\Logs\.

User/Token Information:
- Confirmation of token type, i.e. Go-3, and serial number.
- Confirmation of token color, i.e. blue Quest-branded or black PassGo-branded.
- What is the User ID of the user affected?
- Which OU stores the user's account in AD?
- Does the user have more than one token assigned to their account?

Circumstantial Information:
- Has the user ever successfully logged on with this token? If so, when was the last time the user successfully logged on with the token?
- What is the error the user sees when they try to log on?
- Do other/all users authenticating via the same route, e.g. VPN, experience the same issue?
- Can a helpdesk response be assigned for this user successfully?

Token Verification:
- Determine whether the token tests successfully via the Defender Administration Console: on the username Properties page in AD Users & Computers, Defender tab, select the token, click the Test button and enter the response currently displayed by the token.

© 2012 Quest Software, Inc. ALL RIGHTS RESERVED. Quest, Quest Software and the Quest Software logo are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered trademarks are property of their respective owners.