Defender

Quick Troubleshooting Guide: Authentication Issues

Introduction

This guide is provided for use by Defender administrators to help troubleshoot common Defender authentication issues. It also provides information on how to gain additional diagnostics for use by Quest Support.

Troubleshooting Common Authentication Issues

General Authentication Issues

If users are experiencing problems authenticating via an existing Defender system, there are a number of possible causes, ranging from VPN issues through to individual token failures.

To help identify the cause, the information below is useful to collect and send to Quest Support, providing important contextual and diagnostic information.

For help understanding specific log messages, refer also to Analyzing the Defender Security Server log in the following section.

Troubleshooting Stage 1: Gathering the Required Information

1. What error message is the user receiving? Screenshot or copy and paste the full error message.

2. How many users are affected? The total number of Defender users is also useful to put into context.

3. Were the affected users working previously? If so, when?

4. What token type(s) are the affected users using? Go-3, Desktop Token, Quest® Soft Token for BlackBerry etc.

5. What version and platform of Defender is being used? The Defender Security Server version is available under Security Servers in the Administration Console, eg 5.5.0.907 on Windows 2003 32bit.

6. When did the issue start occurring? It is useful to have a time approximation to help match up with the logs.

7. Have any changes been made recently? For example to Defender, Active Directory, VPN server or network etc?

8. Obtain a copy of the Defender Security Server log. Location: <DEFENDER_HOME>\DSS Active Directory Edition\Logs\

9. Obtain a couple of user IDs of the affected users. These are required to locate the user in the log. Make sure to obtain the user’s user ID rather than the user’s name.

Troubleshooting Stage 2: Analyzing the Defender Security Server log

The default location for the Defender Security Server log is:

<DEFENDER_HOME>\DSS Active Directory Edition\Logs\

Follow the steps below:

1. Try to locate an affected user in the DSS log by searching for their user ID. Each request received by Defender will appear in the DSS log. The examples below show a user ID of ‘testuser’.

If the user ID cannot be found in the log then verify that any deployed VPN servers are functioning correctly. See also Go-x token issues to help rule out hardware token failures.

The log message shown below would be seen for each request received by Defender regardless of whether or not it was successful.

<Time> Radius request: Access-Request for <Userid> from <Client_IP> through NAS:<Access Node Name> Request ID: <N/A> Session ID: <Unique Session ID>

2. Using the Unique Session ID, cycle through the log messages associated with the user’s session. For example a successful session will look like:

Tue 18 Aug 2009 11:57:10 Radius Request from 192.168.10.106:2951 Request ID: 31

Tue 18 Aug 2009 11:57:10 Radius request: Access-Request for testuser from 192.100.10.106:2951 through NAS:WebMail Request ID: 31 Session ID: 8A89040F

Tue 18 Aug 2009 11:57:10 User testuser authenticated with Active Directory Password Session ID:8A89040F

Tue 18 Aug 2009 11:57:10 Radius response: Authentication Acknowledged User-Name: testuser, Request ID: 31 Session ID: 8A89040F

3. Locate the relevant error message in the table below and take the appropriate action:

Each entry below gives the log message, its meaning and the action to take.

Log message:
Tue 18 Aug 2009 10:28:38 Reason: Invalid response Session ID 8A74430E
Tue 18 Aug 2009 10:28:38 Radius response: Authentication Rejected User-Name: testuser, Request ID: 4 Session ID: 8A74430E
Meaning: Incorrect token response.
Action: i) Verify the correct response is being entered. ii) Check the response in the administration console. iii) Check if a PIN is configured for the user.

Log message:
Tue 18 Aug 2009 11:51:30 Reason: Account locked out due to invalid attempts Session ID 8A87B20B
Tue 18 Aug 2009 11:51:30 Radius response: Authentication Rejected User-Name: testuser, Request ID: 28 Session ID: 8A87B20B
Meaning: User’s account is locked in Defender.
Action: Reset the user’s “Violation Count” via the administration console.

Log message:
Tue 18 Aug 2009 11:09:09 Reason: Invalid password Session ID 8A7D911C
Tue 18 Aug 2009 11:09:09 Radius response: Authentication Rejected User-Name: testuser, Request ID: 12 Session ID: 8A7D911C
Meaning: Incorrect AD password.
Action: Verify the correct password is being entered.

Log message:
Tue 18 Aug 2009 11:39:07 authentication abandoned user testuser Session ID: 8A83ED05
Meaning: Session abandoned (timed out) while waiting for the user’s response.
Action: Verify connectivity between the client and the DSS on the configured RADIUS port.

Log message:
Tue 18 Aug 2009 11:30:16 Reason: User not valid for this route Session ID 8A82B803
Tue 18 Aug 2009 11:30:16 Radius response: Authentication Rejected User-Name: testuser, Request ID: 23 Session ID: 8A82B803
Meaning: One of the following: the user is not a member of the access node; the user does not have a token; the user is not a Defender user or there is no license available for the user; the client IP is not permitted by the access node.
Action: i) Verify the members of the access node. ii) Verify the user has a Defender token assigned. iii) Verify that suitable licenses exist. iv) Verify the IP.

Log message:
Tue 18 Aug 2009 10:15:38 Domain Search from CN=testuser,CN=Users,DC=child,DC=democorp,DC=local took 57 seconds
Tue 18 Aug 2009 10:15:38 LDAP failed (-1) finding user testuser
Meaning: AD search failure, for example if the required child domain is unavailable.
Action: Check the DSS log for errors relating to the DC or LDAP connection.

Log message:
Tue 18 Aug 2009 11:22:06 LDAP failed (50) writing token data for CN=PDWIN1348400003,OU=Tokens,OU=Defender,DC=democorp,DC=local
Tue 18 Aug 2009 11:22:06 Failed to write token data to LDAP Session ID 8A80CE0C
Meaning: The Defender service account has insufficient AD permissions to update the user’s token information.
Action: Verify that the Defender service account has suitable permissions or is a member of the domain administrators group.
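The Stage 2 procedure above (find the user ID, group lines by Session ID, look the Reason up in the table) can be automated against a DSS log. The following is an added example written for this guide, not a Quest tool; the log lines are constructed in the format quoted above, the regular expressions assume that format, and the meaning/action strings are condensed from the table.

```python
import re

# Constructed sample lines in the DSS log format quoted above (not a real log).
SAMPLE_LOG = """\
Tue 18 Aug 2009 11:57:10 Radius request: Access-Request for testuser from 192.168.10.106:2951 through NAS:WebMail Request ID: 31 Session ID: 8A89040F
Tue 18 Aug 2009 11:57:10 Radius response: Authentication Acknowledged User-Name: testuser, Request ID: 31 Session ID: 8A89040F
Tue 18 Aug 2009 10:28:38 Radius request: Access-Request for testuser from 192.168.10.106:2953 through NAS:WebMail Request ID: 4 Session ID: 8A74430E
Tue 18 Aug 2009 10:28:38 Reason: Invalid response Session ID 8A74430E
Tue 18 Aug 2009 10:28:38 Radius response: Authentication Rejected User-Name: testuser, Request ID: 4 Session ID: 8A74430E
Tue 18 Aug 2009 11:51:30 Radius request: Access-Request for bob from 10.1.1.5:1812 through NAS:VPN Request ID: 28 Session ID: 8A87B20B
Tue 18 Aug 2009 11:51:30 Reason: Account locked out due to invalid attempts Session ID 8A87B20B
Tue 18 Aug 2009 11:51:30 Radius response: Authentication Rejected User-Name: bob, Request ID: 28 Session ID: 8A87B20B
"""
# "Reason:" text -> (meaning, action), condensed from the table above.
REASON_TABLE = {
    "Invalid response": ("Incorrect token response", "Verify the response; check the PIN"),
    "Account locked out due to invalid attempts": ("Account locked in Defender", "Reset the Violation Count"),
    "Invalid password": ("Incorrect AD password", "Verify the AD password"),
}

SESSION_RE = re.compile(r"Session ID:? ?([0-9A-F]{8})")  # matches all three spellings in the log
REQUEST_RE = re.compile(r"Access-Request for (\S+) from (\S+) through NAS:(.+?) Request ID")
REASON_RE = re.compile(r"Reason: (.+?) Session ID")
RESPONSE_RE = re.compile(r"Radius response: Authentication (Acknowledged|Rejected)")

def group_by_session(log_text):
    """Step 2: collect every line carrying a Session ID, keyed by that ID."""
    sessions = {}
    for line in log_text.splitlines():
        if m := SESSION_RE.search(line):
            sessions.setdefault(m.group(1), []).append(line)
    return sessions

def summarise_session(lines):
    """Step 3: user, client, NAS, outcome and the table's meaning/action for one session."""
    info = dict.fromkeys(("user", "client", "nas", "outcome", "reason", "meaning", "action"))
    for line in lines:
        if m := REQUEST_RE.search(line):
            info["user"], info["client"], info["nas"] = m.groups()
        elif m := REASON_RE.search(line):
            info["reason"] = m.group(1)
            info["meaning"], info["action"] = REASON_TABLE.get(info["reason"], ("Not in table", "Gather Stage 3 diagnostics"))
        elif m := RESPONSE_RE.search(line):
            info["outcome"] = m.group(1)
    return info

def sessions_for_user(log_text, user_id):
    """Step 1: the affected user's sessions, looked up by user ID (not display name)."""
    summaries = {sid: summarise_session(ls) for sid, ls in group_by_session(log_text).items()}
    return {sid: s for sid, s in summaries.items() if s["user"] == user_id}
```

Running `sessions_for_user(SAMPLE_LOG, "testuser")` returns one acknowledged session and one rejected session whose meaning is "Incorrect token response"; a Reason that is not in the table is flagged for Stage 3 rather than guessed.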

Troubleshooting Stage 3: Gathering Further Diagnostics

If the above troubleshooting steps have not resolved the issue, further diagnostics may be required, including further environmental details and tracing.

Contact Quest Support for advice on how to enable tracing. They will need to know which version of console and/or DSS is being used:

• Administration Console (MMC snap-in) – The About dialog contains the version information for the console. This can be found on the Defender menu option which is available when the Defender OU is selected within AD Users & Computers.

• Defender Security Server – The version number for the DSS can be found on the DSS Properties dialog within AD Users & Computers or from within the DSS logs.

In general, trace files are located in:

For 2003/XP

C:\Documents and Settings\All Users\Application Data\Quest Software\Diagnostics

or

C:\Documents and Settings\All Users\Application Data\PassGo Technologies\Diagnostics

For 2008/Vista

Go-x Token Issues

This section is designed to facilitate the troubleshooting process for Defender Go-x, eg Go-3, token issues in particular.

It is designed for use by Defender Helpdesk users, who may receive an initial report from a user that their token is ‘not working’.

Troubleshooting Stage 1: Determining the Type of Failure

1. Confirm the token type. The instructions provided in this guide are only for troubleshooting Go-x tokens.

Figure 1: Defender Go-3 Token

Figure 2: Defender Go-6 Token

If a user reports a software token as ‘not working’, please refer to the previous section and/or Quest Knowledgebase solution SOL45446.

2. Determine if this is a token hardware failure:

If the answer is Yes to any of the following questions, refer to the Token returns procedure described in Quest Knowledgebase solution SOL45444.

Does the token only display ‘000000’?

Is the token display blank when the token button is pressed?

Is the token display intermittent?

Does the token display the same number every time? Note that the number is set to change every 36 seconds.

Does the token display batt x, where x indicates the number of months the battery has left?

If the answer is No to the above questions, go to the next step.

3. Does the token display dp G0-3 before a number is displayed?

If so, this means the token is set to display its type, ie Digipass Go-3, before the number – this is not an error. Ask the user to log on with the number displayed – if this is not successful, go to the next step.

If a six digit number is displayed immediately, go to the next step.

4. If a token number is displayed as expected, but logon fails, further investigation within Defender and Active Directory may be required.

Gather and record the following information:

Has the user ever successfully logged on with this token? If so, when was the last time the user successfully logged on with the token?

What is the user ID and the token serial number?

What is the error the user sees when they try to log on?

Troubleshooting Stage 2: Verifying the Defender Configuration

If a hardware issue has been ruled out by the previous steps, and user logon is failing, refer to the steps below.

Typically the user will receive the message ‘invalid synchronous response’ – this may have a number of causes. Follow the process of elimination below to help diagnose the error.

1. Check the Token Violation count and reset if necessary - username Properties page, Defender tab. Re-test user authentication. Ask the user to retry their token.

If the issue is not resolved, go to the next step.

2. Check for the use of a PIN on the token. It may be that the user has forgotten to use the PIN or is using an invalid PIN - reset PIN if necessary. Ask the user to retry their token.

If the issue is not resolved, go to the next step.

3. Reset the token - username Properties page in AD Users & Computers, Defender tab, Select Token, click the Helpdesk button and select Reset. Ask the user to retry their token.

If the issue is not resolved, go to the next step.

4. If the user receives an ‘Access Denied’ message, check whether their account is listed on the Members tab of the access node that they are using, or that their account is a member of a group listed for the access node. The DSS log will show the error message ‘User not valid for this route’ if the user is not defined.

If the issue is not resolved by adding the user to this access node, go to the next step.

5. Unassign and re-assign the token to the user. Re-test user authentication.

If the user is still unable to authenticate using their token, refer to the next section for guidance on raising this issue with Quest Support.

Troubleshooting Stage 3: Gathering Further Diagnostics

The following information may be useful to help diagnosis of the issue when raising with Quest Support. It is useful to also indicate any relevant observations from the results of the tests on the previous pages.

Diagnostics:

• Send the DSS logs corresponding to the time of the authentication request from <DEFENDER_HOME>\DSS Active Directory Edition\Logs\.

User/Token Information:

• Confirmation of token type, ie Go-3, and serial number.

• Confirmation of token color, ie blue Quest-branded or black PassGo-branded.

• What is the User ID of the user affected?

• Which OU stores the user’s account in AD?

• Does the user have more than one token assigned to their account?

Circumstantial Information:

• Has the user ever successfully logged on with this token?

• If so, when was the last time the user successfully logged on with the token?

• What is the error the user sees when they try to log on?

• Do other/all users authenticating via the same route, eg VPN, experience the same issue?

• Can a helpdesk response be assigned for this user successfully?

Token Verification:

Determine whether the token tests successfully or not via the Defender Administration Console by running the following test:

Test the token response in AD Users & Computers - username Properties page in AD Users & Computers, Defender tab, Select Token, click the Test button and enter the token response from the token.

2012 Quest Software, Inc. ALL RIGHTS RESERVED.

Quest, Quest Software and the Quest Software logo are trademarks and registered trademarks of Quest Software, Inc. in the United States of America and other countries. Other trademarks and registered trademarks are property of their respective owners.
