Defender GO token Active Directory permission checklist (4265019)

Defender GO token Active Directory permission checklist

A user may receive the error message, "Invalid synchronous response" when attempting to authenticate with a Defender GO token.  The troubleshooting steps outlined in Knowledge Article 48828, How to troubleshoot Defender 'GO' token issues, have been performed, but the issue persists.

The permissions on the token or the user object in Active Directory may be incorrect.

Token permissions check

1. Make a note of the user that has an Invalid synchronous response message when a temporary helpdesk has been assigned.

2. Open Active Directory Users and Computers.

3. Navigate to the users token within Active Directory Users and Computers.

4. Double click on the problem Token.

5. Click on the Security tab (ensure View, Advanced Features is enabled).

6. Click on the Defender Security Server user account (see sample print screen below).

7. Click on the Advanced button. This will load an Advanced Security option.

8. Select the Defender Security Server user account again and click the Edit button.

9. Verify that the Read defender-tokenData and Write defender-tokenData are checked (see following screen capture).

Note: These permissions are inherited from the parent OU if Allow Inheritable permissions from the parent to propagate to this object and all child objects is enabled.


User permission check

1. Make a note of the user that has an Invalid synchronous response message when a temporary helpdesk has been assigned.

2. Open Active Directory Users and Computers.

3. Navigate to the users Active Directory account within Active Directory Users and Computers.

4. Double click on the users account in Active Directory.

5. Click on the Security tab.

6. Click on the Defender Security Server user account (see example screen capture following).

7. Click on the Advanced button.

8. Under the Permission tab, navigate to the Defender Security Server user account and select Edit for each permission right.

Note: These permissions are inherited from the parent OU if Allow Inheritable permissions from the parent to propagate to this object and all child objects is enabled.

The following information may be useful to help diagnosis your issue when opening a service request with Support. Please indicate any relevant observations from the results of the tests you have made. Diagnostics: Please send the DSS logs corresponding to the time of the token failure. User/token information: - Confirmation of token type, ie GO-6/7 and serial number - What is the User ID of the user affected? - Which OU stores the users account in AD? - Does the user have more than one token assigned to their account? Circumstantial information: - Has the user ever successfully logged on with this token? - If so, when was the last time the user successfully logged on with the token? - What is the error the user sees when they try to log on? - Do other/all users authenticating via the same route, eg VPN, experience the same issue? - Can a helpdesk response be assigned for this user successfully? Token verification: Please indicate if the token tests successfully or not via the Defender console by running the following test: Test the token response in AD Users & Computers: User's "Properties" page | Defender tab | Select Token | Click on the Test button and enter the token response from the token.