Troubleshoot Active Directory SSO (2024)

If you have problems with your Active Directory SSO deployment, you can use the information in this topic to review your deployment for configuration issues.

Verify the SSO Component Configuration

For all SSO methods:

Active Directory

  • Your Active Directory server is configured on a trusted or optional network
  • All users have a user account on the Active Directory server

Firebox

  • Your Firebox is configured to use Active Directory authentication for SSO
  • The IP address of the SSO Agent is specified in the Firebox configuration
  • SSO exceptions are specified for networks and devices that are not part of the domain, such as guest networks and routers

SSO Agent

  • TCP port 4114 is open on the server where you installed the SSO Agent
  • For v12.3 or higher of the SSO Agent, Microsoft .NET Framework v4.0 or higher is installed on the server where you installed the SSO Agent
  • For SSO Agent versions lower than v12.3, Microsoft .NET Framework v2.0–4.5 must be installed on the server where you install the SSO Agent
  • The SSO Agent runs as a user account in the Domain Users security group. Tip! We recommend that you add a user account on your Active Directory server for this purpose, and set the account password to never expire.
    The Domain Users account you select must have privileges to run services on the Active Directory server, to search the directory, and to search all other user audit information. For security reasons, we recommend that you do not select an account in the Domain Admins security group.
  • The SSO Agent is configured correctly

To verify that the SSO Agent is configured correctly:

  1. From the Windows Start menu, select All Programs > WatchGuard > Authentication Gateway > SSO Agent.
  2. Log in to the SSO Agent. The default user name and password are admin and readwrite.
  3. Select Edit > SSO Agent Contacts Settings.
  4. Make sure that your preferred SSO method is enabled and set to Priority 1. If you configured a backup SSO method, make sure it is enabled and set to Priority 2.

If the SSO Client is included in your SSO solution, verify:

  • TCP port 4116 is open on the computers where you installed the SSO Client
  • macOS computers were added to the Active Directory domain before the SSO Client was installed
  • All computers from which users authenticate with SSO are members of the Active Directory domain and have unbroken trust relationships
  • All users log in with a domain user account, not a local computer user account. If users log in with a user account that exists only on their local computers, their credentials are not verified, and the Firebox does not recognize that they are logged in.
  • The SSO Client is enabled in the SSO Agent settings. To specify the SSO Client as your primary SSO method, set it to Priority 1.

If the Event Log Monitor is included in your SSO solution, verify:

  • TCP port 4135 is open on the domain controller where the Event Log Monitor is installed
  • Event Log Monitor is installed on one domain controller for each Active Directory domain in your network
  • Event Log Monitor runs as a user account in the Domain Users security group. Tip! We recommend that you add a user account on your Active Directory server for this purpose. We recommend that you set the account password to never expire.
    For security reasons, we recommend that you do not select an account in the Domain Admins security group.
  • The Domain Users account you select must have privileges to run services on the Active Directory server, to search the directory, and to search all other user audit information.
  • Event Log Monitor is enabled in the SSO Agent settings. To specify the Event Log Monitor as your primary SSO method, set it to Priority 1. To set it as your backup SSO method, set it to Priority 2.
  • After you enable audit log messages to be generated for account logon events, the Security Event Log on your Windows computers generates Windows Events 4624 and 4634 after logon and logoff actions
  • The Security Event Log file is not full on your Windows computers
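To illustrate why the checklist needs exactly Event IDs 4624 and 4634 (an added example, not WatchGuard code; the event records are constructed and heavily simplified): pairing each logon with its logoff by Logon ID yields the set of users currently logged on per source address, other event IDs contribute nothing, and a 4624 that was never recorded (auditing off, log full) leaves that user unknown to the Firebox.

```python
from collections import defaultdict

# Constructed sample records (not WatchGuard's format): only the Security log
# fields needed to pair a 4624 logon with its 4634 logoff are modelled.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "jsmith", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3E7A1", "IpAddress": "10.0.1.25"},
    {"EventID": 4624, "TargetUserName": "PC-25$", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3E7A2", "IpAddress": "10.0.1.25"},
    {"EventID": 4624, "TargetUserName": "mlee", "TargetDomainName": "CORP",
     "TargetLogonId": "0x4F001", "IpAddress": "10.0.1.40"},
    {"EventID": 4672, "TargetUserName": "jsmith", "TargetDomainName": "CORP"},
    {"EventID": 4634, "TargetUserName": "mlee", "TargetDomainName": "CORP",
     "TargetLogonId": "0x4F001"},
]

SUPPORTED_IDS = {4624, 4634}  # the two IDs the checklist requires the log to contain


def active_sessions(events):
    """Return ({ip: ["DOMAIN\\user", ...]}, [event IDs that were ignored]).

    A 4624 opens a session under its Logon ID; the matching 4634 closes it.
    A 4634 with no recorded 4624 closes nothing, and a user whose 4624 is
    missing is absent from the result, i.e. "not logged in" to the Firebox.
    Machine accounts (names ending in '$') are not users to authenticate.
    """
    open_by_logon_id = {}
    ignored = []
    for ev in events:
        eid = ev.get("EventID")
        if eid not in SUPPORTED_IDS:
            ignored.append(eid)  # the Event Log Monitor cannot use these
            continue
        user = ev.get("TargetUserName", "")
        if not user or user.endswith("$"):
            continue
        logon_id = ev.get("TargetLogonId")
        if eid == 4624:
            open_by_logon_id[logon_id] = ev
        else:
            open_by_logon_id.pop(logon_id, None)
    sessions = defaultdict(list)
    for ev in open_by_logon_id.values():
        sessions[ev["IpAddress"]].append(f"{ev['TargetDomainName']}\\{ev['TargetUserName']}")
    return dict(sessions), ignored
```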

To enable audit logs for account logon events:

  1. Select Start > Administrative Tools > Group Policy Management.
  2. Right-click Default Domain Policy and click Edit.
    The Group Policy Management Editor appears.
  3. From Computer Configuration, select Policies > Windows Settings > Security Settings >Local Policies > Audit Policy.
  4. Open Audit account logon events.
  5. Select the Define these policy settings check box.
  6. Select the Success check box.
    To generate additional log messages that can help you to troubleshoot authentication issues, select the Failure check box.
    After you resolve the problem, make sure to clear the Failure check box.
  7. Click OK.
  8. Force the user computers to get the updated group policy with one of these methods:
    • Run gpupdate locally on the computer, or remotely with the gpupdate /target command.
    • Ask the user to log off and log on again.
    • Restart the user computer.

If the Exchange Monitor is included in your SSO solution, verify:

  • TCP port 4136 is open on the server where you installed the Exchange Monitor
  • The Exchange Monitor is installed on the same server where your Microsoft Exchange Server is installed
  • Exchange Server is configured to generate IIS logs in the W3C Extended log file format, and RPC client access log messages
  • Exchange Monitor runs as a user account in the Domain Admins security group
  • The Exchange Monitor contact domain is specified in the SSO Agent settings, if the SSO Agent is not installed on your domain controller, or the Exchange Monitor and SSO Agents are installed on different domains
  • Exchange Monitor is enabled in the SSO Agent settings. To specify Exchange Monitor as your primary SSO method, set it to Priority 1. To set it as your backup SSO method, set it to Priority 2.
  • Users launch a mail program before they attempt to get access to the Internet. This generates the IIS log messages on your Exchange Server that the Exchange Monitor requires for SSO.

Active Directory (AD) Mode is a backup SSO method. AD Mode might not operate as expected in some circumstances, and it can introduce security risks. We do not recommend AD Mode as a primary SSO method.

If AD Mode is included in your SSO solution, verify:

TCP port 445 (Windows File and Printer Sharing/SMB) is open on all user computers.

To test whether port 445 is open, you can use:

  • The SSO Port Tester tool
  • A telnet client
    For example, at a Windows command prompt, type telnet x.x.x.x 445. Make sure to replace x.x.x.x with the IP address of the user computer.

Test the SSO Port Connection

To verify that the SSO Agent can contact the Event Log Monitor and Exchange Monitor over the required ports, you can use the SSO Port Tester tool. This tool tests port connectivity between the server where you installed the SSO Agent, and a:

  • Range of IP addresses
  • Single IP address
  • Specific subnet
  • List of specific IP addresses
    You must import a text file that includes the IP addresses to test.

To use the SSO Port Tester tool:

  1. Log in to the SSO Agent Configuration Tool.
  2. Select Edit > SSO Agent Contacts Settings.
  3. Click Test SSO Port.
    The SSO Port Tester dialog box appears.

  4. In the Specify IP Addresses section, select an option:
    • Host IP Address Range
    • Network IP Address
    • Import IP Addresses
  5. If you selected Host IP Address Range, in the Host IP Address Range text boxes, type the range of IP addresses to test. To test a single IP address, type the same IP address in both text boxes.
    If you selected Network IP Address, in the Network IP Address text box, type the network IP address to test.
    If you selected Import IP Addresses, click the browse icon and select the plain text file with the list of IP addresses to test.
  6. In the Ports text box, type the port numbers to test.
    To test more than one port, type each port number separated by a comma, without spaces.
  7. Click Test.
    The results of the port test appear in the SSO Port Tester window.
  8. To save the test results in a log file, click Save log and specify the file name and location to save the log file.
  9. To stop the port tester tool process, click Quit.
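The same check can be scripted when the GUI tool is impractical, for example to re-run it on a schedule from the SSO Agent server. The following is an added example, not WatchGuard's SSO Port Tester: it accepts the three target options and the comma-separated port syntax described above and performs a plain TCP connect per host and port. The hosts and ports in the main block are constructed.

```python
import ipaddress
import socket


def parse_ports(text):
    """Parse the Ports field in the tool's format: comma-separated, no spaces."""
    if " " in text:
        raise ValueError("port list must not contain spaces")
    ports = [int(p) for p in text.split(",") if p]
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError(f"port out of range: {bad}")
    return ports


def expand_targets(first=None, last=None, network=None, import_lines=None):
    """Build the host list for one of the three Specify IP Addresses options:
    a host range (first..last; pass the same address twice for a single host),
    a network in CIDR form, or the lines of an imported plain-text file."""
    if network is not None:
        return [str(h) for h in ipaddress.ip_network(network, strict=False).hosts()]
    if import_lines is not None:
        return [ln.strip() for ln in import_lines if ln.strip()]  # skip blank lines
    if first is None:
        raise ValueError("give a host range, a network, or imported lines")
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last if last is not None else first))
    if hi < lo:
        raise ValueError("range end precedes range start")
    return [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]


def check_port(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or no route to host
        return False


def scan_ports(hosts, ports, timeout=2.0):
    """Return {host: {port: is_open}} for every host/port pair, like the tool's log."""
    return {h: {p: check_port(h, p, timeout) for p in ports} for h in hosts}


if __name__ == "__main__":
    # Constructed example: the SSO Client and AD Mode ports on two workstations.
    for host, result in scan_ports(expand_targets("10.0.1.25", "10.0.1.26"),
                                   parse_ports("4116,445"), timeout=1.0).items():
        print(host, {p: "open" if ok else "closed" for p, ok in result.items()})
```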

Verify the SSO Software Version

Make sure that you have installed SSO component software v11.10 or higher.

SSO software versions lower than v11.10 do not support:

  • Windows Fast User Switching
  • RDP for clientless SSO
  • SSO authentication over BOVPN

SSO software versions lower than v11.9.3 do not support RDP for the SSO Client.

Fireware and SSO software versions lower than v12.2 do not support SSO configurations with multiple SSO Agents.

The versions of the SSO components in your SSO solution do not have to be the same, and they do not have to be the same as the version of Fireware on your Firebox. We recommend that you install the highest available version of the SSO Agent, even if your Firebox runs a lower version of Fireware.

SSO Agent v12.5.4 supports Fireware v12.5.4 or higher only. Before you install SSO Agent v12.5.4, you must upgrade the Firebox to Fireware v12.5.4 or higher. If you install SSO Agent v12.5.4, we recommend that you upgrade all SSO Clients to v12.5.4.

You cannot use SSO Client v12.5.4 with versions of the SSO Agent lower than v12.5.4. Fireware v12.5.4 supports previous versions of the SSO Agent.

Verify Your Network Configuration

After you confirm that SSO is installed and configured correctly, complete these steps:

  1. Make sure the SSO Agent and each SSO Client service is started.
    1. On the computer where the service is installed, select Start > Run > Services.msc.
    2. In the Status column, verify Started appears.
  2. Verify that the client computer is on the correct domain.
  3. Verify that the individual user has logged on to the domain, and not to the local computer account.
  4. Verify the Active Directory group used for SSO authentication is a security group and not a distribution group. Active Directory distribution groups do not work with SSO.

Common Error Messages

These error messages can appear on your Firebox or in the SSO Agent log messages.

Access Denied

You can see this error message if:

  • There are devices on the network that are not computers, for example, printers and routers
  • There are computers or other devices on the network that are not domain members
  • A user provided invalid domain credentials for SSO
  • The SSO services on the server or computer do not have Admin privileges

To troubleshoot this error message:

  • Verify the trust relationship between the domain computer and domain controller is correct. If there is a domain membership issue, remove the computer from the domain and add it to the domain again.
  • To confirm that the domain membership issue is resolved, try to connect to a domain member server on your network through a UNC path.
    For example, if the name of your file server is CompanyShare, at a Windows command prompt type \\CompanyShare. If you cannot get access to this folder, and Windows permissions error messages appear, verify these settings on the Active Directory server: computer settings, user account settings, and the trust relationship.

Unknown User

This error can be caused by:

  • Event log files that do not exist or are full
  • A computer that is not a domain member
  • SSO connection attempts by RDP users when your SSO component software needs to be upgraded
    You must run v11.10 or higher for users to make an RDP connection with SSO.
  • Windows Event IDs that are not supported by WatchGuard SSO components
  • A user that is not logged in

SMB over TCP port 445 not open on remote server. Check firewall.

TCP port 445 is not open on the user computer, or the service that listens on TCP port 445 did not respond.

Remote host 'x.x.x.x' in logoff status

No user is logged in, or the user who was logged in has started the logoff process.

The network path was not found

There is no route to the host.

Get Logs and Contact Technical Support

If these troubleshooting steps did not resolve the issue, gather logs and contact WatchGuard Technical Support.

To get log files from the SSO Agent computer:

  1. Open a telnet session and connect to the SSO Agent over port 4114.
  2. Type set debug on and press Enter on your keyboard to run the command.
  3. Close the telnet session.
  4. Go to the relevant directory:
    • C:\Program Files\WatchGuard\WatchGuard Authentication Gateway\
    • C:\Program Files (x86)\WatchGuard\WatchGuard Authentication Gateway\
  5. Copy this file to your desktop: wagsrvc.log.
  6. Open a telnet session and connect to the SSO Agent over port 4114.
  7. Type set debug off and press Enter on your keyboard to run the command.
  8. Close the telnet session.

To get log files from SSO Client computers:

  1. Log in to your domain from a client computer.
  2. On the client computer, go to the relevant directory:
    • C:\Program Files\WatchGuard\WatchGuard Authentication Client\
    • C:\Program Files (x86)\WatchGuard\WatchGuard Authentication Client\
    • Users\[User Name]\Library\Logs\WatchGuard\SSO Client
  3. Copy these files to your desktop:
    • wgssoclient_logfile.log
    • wgssoclient_errorfile.log

To get log files from your WatchGuard Firebox:

  1. Open WatchGuard System Manager (WSM) and connect to your Firebox.
  2. Start Policy Manager.
  3. Select Setup > Logging.
    The Logging Setup dialog box appears.
  4. Click Diagnostic Log Level.
    The Diagnostic Log Level dialog box appears.
  5. From the category tree, select Authentication.
  6. Move the Settings slider to select the Information level.
  7. Click OK to close each dialog box.
  8. Save the configuration file to your Firebox.
  9. Start Firebox System Manager (FSM) for your Firebox.
  10. Select the Traffic Monitor tab.
  11. With FSM open and the Traffic Monitor tab selected, log in to a computer that has SSO Client installed.
  12. This generates ADMD log messages that you can see in Traffic Monitor.
  13. On the FSM Traffic Monitor tab, in the search text box, type ADMD and from the search options drop-down list, select Filter search results.
  14. Traffic Monitor displays only the ADMD log messages.
  15. Right-click anywhere on Traffic Monitor and select Copy All.
  16. Paste the ADMD log messages in a text file and save the file to your desktop with the name SSO_firewall_logs.txt.
  17. Repeat Steps 2–8 to change the Diagnostic Log Level for the Authentication category to the original setting (for example, Error).

To contact WatchGuard Technical Support and open an incident:

  1. Open a support incident through the WatchGuard Support Center.
  2. If you have not already logged in to the WatchGuard website, you must do so before you can submit an incident.
  3. Include these files as attachments:
    • SSO Agent — wagsrvc.log
    • SSO Client — wgssoclient_logfile.log and wgssoclient_errorfile.log
    • Firebox — SSO_firewall_logs.txt

Related Topics

How Active Directory SSO Works

Example Network Configurations for Active Directory SSO

About SSO Log Files

Download Active Directory SSO Log Files

Use Telnet to Debug the SSO Agent

© 2024 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and the WatchGuard logo are registered trademarks or trademarks of WatchGuard Technologies in the United States and other countries. Various other trademarks are held by their respective owners.
