Troubleshoot Single Sign-On (SSO)
After you enable SSO on your Firebox and install and configure the WatchGuard SSO components on your network, use the checklists in this topic to review your deployment for the configuration errors that most often cause SSO problems. Work through the list for all SSO methods first, then the list for the SSO method you use.
All SSO Methods
Active Directory
- Your Active Directory server is configured on a trusted or optional network
- All users have a user account on the Active Directory server
Firebox
- Your Firebox is configured to use Active Directory authentication for SSO
- The IP address of the SSO Agent is specified in the Firebox configuration
- SSO exceptions are specified for networks and devices that are not part of the domain, such as guest networks and routers
SSO Agent
- TCP port 4114 is open on the server where you installed the SSO Agent
- Microsoft .NET Framework v2.0 or higher is installed on the server where you installed the SSO Agent
- The SSO Agent runs as a user account in the Domain Users or Domain Admins security group
Tip! We recommend that you add a user account on your Active Directory server for this purpose, and set the account password to never expire.
If the user account is in the Domain Users security group, it must have privileges to run services on the Active Directory server, to search the directory, and to search all other user audit information.
- The SSO Agent is configured correctly
To verify that the SSO Agent is configured correctly:
- From the Windows Start menu, select All Programs > WatchGuard > Authentication Gateway > SSO Agent.
- Log in to the SSO Agent. The default user name and password are admin and readwrite.
- Select Edit > SSO Agent Contacts Settings.
- Make sure that your preferred SSO method is enabled and set to Priority 1. If you configured a backup SSO method, make sure it is enabled and set to Priority 2.
SSO with the SSO Client
- TCP port 4116 is open on the computers where you installed the SSO Client
- Mac OS X computers were added to the Active Directory domain before the SSO Client was installed
- All computers from which users authenticate with SSO are members of the Active Directory domain and have unbroken trust relationships
- All users log in with a domain user account, not a local computer user account. If users log in with a user account that exists only on their local computers, their credentials are not verified, and the Firebox does not recognize that they are logged in.
- The SSO Client is enabled in the SSO Agent settings. To specify the SSO Client as your primary SSO method, set it to Priority 1.
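The SSO Client items above can be checked in one pass on the user computer. This is an added PowerShell example, not WatchGuard code or part of the SSO Client; it assumes an elevated session on the user computer and that the SSO Client listens on TCP 4116 as stated above. The function name Test-SsoClientPrereqs is hypothetical.

```powershell
# Added example, not WatchGuard code. Run in an elevated PowerShell session on
# the user computer. Port 4116 is the SSO Client port from the checklist above;
# Test-SsoClientPrereqs is a hypothetical name chosen for this example.
function Test-SsoClientPrereqs {
    [CmdletBinding()]
    param([int]$ClientPort = 4116)

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # 1. The computer must be joined to the AD domain, not a workgroup.
    [pscustomobject]@{
        Check  = 'Computer is a domain member'
        Result = [bool]$cs.PartOfDomain
        Detail = $cs.Domain
    }

    # 2. The current session must be a domain logon. For a local account
    #    USERDOMAIN equals the computer name, and the Firebox never sees a
    #    verified identity for that user.
    [pscustomobject]@{
        Check  = 'Session uses a domain account'
        Result = ($env:USERDOMAIN -ne $env:COMPUTERNAME)
        Detail = "$env:USERDOMAIN\$env:USERNAME"
    }

    # 3. The secure channel (trust relationship) with a domain controller
    #    must be intact; a broken channel shows up later as "Access Denied".
    $trust = $false
    if ($cs.PartOfDomain) {
        $trust = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
    }
    $trustDetail = if ($trust) { 'secure channel OK' } else { 'run Test-ComputerSecureChannel -Repair' }
    [pscustomobject]@{
        Check  = 'Trust relationship with the domain is healthy'
        Result = [bool]$trust
        Detail = $trustDetail
    }

    # 4. Something must be listening on the SSO Client port ...
    $listener = Get-NetTCPConnection -LocalPort $ClientPort -State Listen -ErrorAction SilentlyContinue
    $owner = 'no listener'
    if ($listener) {
        $owner = (Get-Process -Id $listener[0].OwningProcess -ErrorAction SilentlyContinue).ProcessName
    }
    [pscustomobject]@{
        Check  = "Process listens on TCP $ClientPort"
        Result = [bool]$listener
        Detail = $owner
    }

    # 5. ... and Windows Firewall must allow inbound connections to it,
    #    otherwise the SSO Agent cannot reach the client from the server.
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq $ClientPort } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }
    [pscustomobject]@{
        Check  = "Inbound firewall rule allows TCP $ClientPort"
        Result = [bool]$rules
        Detail = ($rules.DisplayName -join ', ')
    }
}

Test-SsoClientPrereqs | Format-Table -AutoSize
```

A Result of False in check 2 is the case described in the list above: the Windows session is real, but the Firebox has no domain identity to associate with the computer's IP address. Check 5 is easy to miss when a third-party firewall or a hardened baseline replaces the rule the installer creates.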
Clientless SSO with Event Log Monitor
- TCP port 4135 is open on the domain controller where the Event Log Monitor is installed
- Event Log Monitor is installed on one domain controller for each Active Directory domain in your network
- Event Log Monitor runs as a user account in the Domain Users or Domain Admins security group
Tip! We recommend that you add a user account on your Active Directory server for this purpose, and set the account password to never expire.
- If the account is in the Domain Users security group, make sure it has privileges to run services on the Active Directory server, to search the directory, and to search all other user audit information.
- Event Log Monitor is enabled in the SSO Agent settings. To specify the Event Log Monitor as your primary SSO method, set it to Priority 1. To set it as your backup SSO method, set it to Priority 2.
- After you enable audit log messages for account logon events, the Security Event Log on your Windows computers generates Windows Event 4624 after a logon and Windows Event 4634 after a logoff
- The Security Event Log file is not full on your Windows computers
To enable audit logs for account logon events:
- Select Start > Administrative Tools > Group Policy Management.
- Right-click Default Domain Policy and click Edit.
The Group Policy Management Editor appears.
- From Computer Configuration, select Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
- Open Audit account logon events.
- Select the Define these policy settings check box.
- Select the Success check box.
To generate additional log messages that can help you to troubleshoot authentication issues, select the Failure check box.
After you resolve the problem, make sure to clear the Failure check box.
- Click OK.
- Force the user computers to get the updated group policy with one of these methods:
- Run gpupdate /force locally on the computer. To refresh policy on remote computers, use the Invoke-GPUpdate cmdlet from the GroupPolicy PowerShell module; the /target option of gpupdate selects the user or computer part of the policy and does not target a remote computer.
- Ask the user to log off and log on again.
- Restart the user computer.
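After the policy is applied, confirm that the events Event Log Monitor depends on are really being written, and that the Security log has room for them. This is an added PowerShell example, not WatchGuard code; it assumes an elevated session on the domain controller where Event Log Monitor runs, and the event IDs 4624 and 4634 are the ones named in the checklist above. The function name Test-SsoAuditSource is hypothetical.

```powershell
# Added example, not WatchGuard code. Run elevated on the domain controller
# where Event Log Monitor is installed (reading the Security log needs
# administrator rights). Event IDs 4624/4634 are the ones named above;
# Test-SsoAuditSource is a hypothetical name chosen for this example.
function Test-SsoAuditSource {
    [CmdletBinding()]
    param([int]$Hours = 24)

    # 1. Effective audit policy. 4624 and 4634 are produced by the Logon and
    #    Logoff subcategories. auditpol shows what is in force after Group
    #    Policy is applied, which the GPO editor alone cannot tell you.
    Write-Host '--- Effective audit policy, Logon/Logoff category ---'
    auditpol.exe /get /category:"Logon/Logoff"

    # 2. Recent logon (4624) and logoff (4634) events.
    $since  = (Get-Date).AddHours(-$Hours)
    $filter = @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $since }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) {
        Write-Warning "No 4624/4634 events since $since. Check the audit policy above, then run gpupdate /force."
    }
    else {
        Write-Host "--- $($events.Count) events since $since ---"
        $events | Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count

        # Pull the identity fields out of the event XML. LogonType 2 is an
        # interactive logon, 10 is RDP, 3 is a network logon (file shares etc.).
        $events | Where-Object Id -eq 4624 | Select-Object -First 10 | ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                Domain    = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
                LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'
                SourceIp  = ($data | Where-Object Name -eq 'IpAddress').'#text'
            }
        } | Format-Table -AutoSize
    }

    # 3. Log capacity. With LogMode 'Retain' a full log drops new events,
    #    and Event Log Monitor then has nothing to report for new logons.
    $log = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        MaximumMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        CurrentMB = [math]::Round($log.FileSize / 1MB, 1)
        LogMode   = $log.LogMode
        IsLogFull = $log.IsLogFull
    }
}

Test-SsoAuditSource
```

If step 1 shows "No Auditing" for Logon and Logoff while the GPO is set, the policy has not reached this computer yet; if the events exist but the Firebox still shows Unknown User, look at the SourceIp column, because Event Log Monitor can only map an event to a Firebox session when the event carries the client address.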
Clientless SSO with Exchange Monitor
- TCP port 4136 is open on the server where you installed the Exchange Monitor
- The Exchange Monitor is installed on the same server where your Microsoft Exchange Server is installed
- Exchange Server is configured to generate IIS logs in the W3C Extended log file format, and RPC client access log messages
- Exchange Monitor runs as a user account in the Domain Admins security group
- The Exchange Monitor contact domain is specified in the SSO Agent settings, if the SSO Agent is not installed on your domain controller, or the Exchange Monitor and SSO Agents are installed on different domains
- Exchange Monitor is enabled in the SSO Agent settings. To specify Exchange Monitor as your primary SSO method, set it to Priority 1. To set it as your backup SSO method, set it to Priority 2.
- Users launch a mail program before they attempt to get access to the Internet. This generates the IIS log messages on your Exchange Server that the Exchange Monitor requires for SSO.
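The W3C Extended requirement above can be verified from a log file's header rather than from the IIS console. This is an added PowerShell example, not WatchGuard code; the sample log lines are constructed for the example, the function name Test-W3CIisLog is hypothetical, and the default IIS log directory in the final comment is a standard Windows default you should adjust for your server. The check for a cs-username field is an assumption about which column carries the authenticated user, not something this topic states.

```powershell
# Added example, not WatchGuard code. Checks that an IIS log file on the
# Exchange server is in W3C Extended format by reading its header directives.
# The sample log below is constructed; Test-W3CIisLog is a hypothetical name.
function Test-W3CIisLog {
    param([Parameter(Mandatory)][string]$Path)

    # W3C Extended logs open with "#Software", "#Version", "#Date" and "#Fields"
    # directives. The IIS native and NCSA formats have no "#Fields" line, so a
    # consumer cannot map columns to the user name and client address.
    $header     = Get-Content -Path $Path -TotalCount 20 | Where-Object { $_ -like '#*' }
    $fieldsLine = $header | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) {
        return [pscustomobject]@{ Path = $Path; IsW3C = $false; Fields = @(); HasUserName = $false }
    }
    $fields = ($fieldsLine -replace '^#Fields:\s*', '') -split '\s+'
    [pscustomobject]@{
        Path        = $Path
        IsW3C       = $true
        Fields      = $fields
        # Assumption for this example: cs-username is the column that carries
        # the authenticated mailbox user.
        HasUserName = ($fields -contains 'cs-username')
    }
}

# Constructed sample in W3C Extended format (not a real Exchange log).
$sample = @'
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-03-01 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2016-03-01 08:00:12 192.0.2.5 POST /mapi/emsmdb/ MailboxId=user1@example.com 443 EXAMPLE\user1 198.51.100.20 Microsoft+Office/16.0 200 0 0 31
'@
$tmp = Join-Path $env:TEMP 'u_ex160301.log'
Set-Content -Path $tmp -Value $sample
Test-W3CIisLog -Path $tmp | Format-List

# On a real server, check the newest log of the Exchange web site. The path
# below is the IIS default for the first site; adjust it to your server.
# Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC1\*.log' |
#     Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
#     ForEach-Object { Test-W3CIisLog -Path $_.FullName }
```

A result of IsW3C = False means the site is logging in IIS native, NCSA, or a custom format and must be switched to W3C; a result of HasUserName = False means the format is right but the user name column has been removed from the selected fields.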
Clientless SSO with Active Directory Mode
Active Directory (AD) Mode is a backup SSO method. AD Mode might not operate as expected in some circumstances, and it can introduce security risks. We do not recommend AD Mode as a primary SSO method.
TCP port 445 (Windows File and Printer Sharing/SMB) is open on all user computers.
To test whether port 445 is open, you can use:
- The SSO Port Tester tool
- A telnet client
For example, at a Windows command prompt, type telnet x.x.x.x 445. Make sure to replace x.x.x.x with the IP address of the user computer. The Telnet Client is an optional feature that is not installed by default on current Windows versions; in PowerShell, Test-NetConnection x.x.x.x -Port 445 performs the same check.
Test the SSO Port Connection
To verify that the SSO Agent can contact the Event Log Monitor and Exchange Monitor over the required ports, you can use the SSO Port Tester tool. This tool tests port connectivity between the server where you installed the SSO Agent, and a:
- Range of IP addresses
- Single IP address
- Specific subnet
- List of specific IP addresses
To test a list of specific IP addresses, you must import a plain text file that includes the IP addresses to test.
- Log in to the SSO Agent Configuration Tool.
- Select Edit > SSO Agent Contacts Settings.
- Click Test SSO Port.
The SSO Port Tester dialog box appears.
- In the Specify IP Addresses section, select an option:
- Host IP Address Range
- Network IP Address
- Import IP Addresses
- If you selected Host IP Address Range, in the Host IP Address Range text boxes, type the range of IP addresses to test. To test a single IP address, type the same IP address in both text boxes.
If you selected Network IP Address, in the Network IP Address text box, type the network IP address to test.
If you selected Import IP Addresses, click and select the plain text file with the list of IP addresses to test.
- In the Ports text box, type the port numbers to test.
To test more than one port, type each port number separated by a comma, without spaces.
- Click Test.
The results of the port test appear in the SSO Port Tester window.
- To save the test results in a log file, click Save log and specify the file name and location to save the log file.
- To stop the port tester tool process, click Quit.
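The same test can be scripted from the SSO Agent server, which is useful when you want to re-run it on a schedule or keep a CSV of results. This is an added PowerShell example, not WatchGuard code and not the SSO Port Tester itself; it accepts the three address forms the tool accepts (a host range, a network in CIDR notation, or an imported text file) and checks the ports listed in this topic (4116, 4135, 4136, 445). The function names and the 192.0.2.x addresses in the usage lines are examples.

```powershell
# Added example, not WatchGuard code. A PowerShell equivalent of the SSO Port
# Tester, to run on the server that hosts the SSO Agent. Function names are
# hypothetical; the addresses in the usage lines at the end are examples.

# Plain TCP connect with a timeout, so an address that silently drops the SYN
# does not hold up the run for the operating system's default connect timeout.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 1500)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # filtered / no host
        $client.EndConnect($ar)                                               # throws if refused
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

# Expand the three address forms: a range "a-b", a network "x.x.x.x/nn"
# (network and broadcast addresses excluded), or a file with one address
# per line. All arithmetic is done in Int64 to avoid 32-bit sign problems.
function Expand-SsoTargets {
    param([string]$Range, [string]$Cidr, [string]$ImportFile)
    $toInt = {
        param($ip)
        $b = ([ipaddress]$ip).GetAddressBytes()
        [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3]
    }
    $toIp = {
        param([int64]$n)
        '{0}.{1}.{2}.{3}' -f (($n -shr 24) -band 255), (($n -shr 16) -band 255), (($n -shr 8) -band 255), ($n -band 255)
    }
    if ($Range) {
        $first, $last = $Range -split '-'
        $start = & $toInt $first.Trim(); $end = & $toInt $last.Trim()
        for ($n = $start; $n -le $end; $n++) { & $toIp $n }
    }
    if ($Cidr) {
        $net, $bits = $Cidr -split '/'
        $all   = [int64][uint32]::MaxValue
        $mask  = ($all -shl (32 - [int]$bits)) -band $all
        $base  = (& $toInt $net.Trim()) -band $mask
        $bcast = $base -bor ($mask -bxor $all)
        for ($n = $base + 1; $n -lt $bcast; $n++) { & $toIp $n }
    }
    if ($ImportFile) {
        Get-Content $ImportFile | ForEach-Object { $_.Trim() } |
            Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }
    }
}

# Test every address against every port and optionally write a CSV log,
# which is the scripted equivalent of the tool's Save log button.
function Test-SsoPorts {
    param([string[]]$Address, [int[]]$Port, [string]$LogFile)
    $results = foreach ($a in $Address) {
        foreach ($p in $Port) {
            [pscustomobject]@{
                Address = $a
                Port    = $p
                Open    = Test-TcpPort -ComputerName $a -Port $p
                Tested  = Get-Date
            }
        }
    }
    if ($LogFile) { $results | Export-Csv -Path $LogFile -NoTypeInformation }
    $results
}

# Usage with example addresses. From the Agent server you typically test 4135
# on each Event Log Monitor DC, 4136 on the Exchange Monitor server, 4116 on
# SSO Client computers, and 445 on user computers if AD Mode is the backup.
$targets = Expand-SsoTargets -Range '192.0.2.10-192.0.2.20'
Test-SsoPorts -Address $targets -Port 4116, 445 -LogFile (Join-Path $env:TEMP 'sso-port-test.csv') |
    Format-Table -AutoSize
```

A single address is tested by giving the same address twice in the range, exactly as with the tool. Open = False distinguishes nothing between "refused" and "filtered"; if you need that distinction, lower the timeout and compare how long each failure took, since a refused connection returns immediately while a dropped one waits for the full timeout.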
Verify the SSO Software Version
Make sure that you have installed SSO component software v11.10 or higher.
SSO software versions lower than v11.10 do not support:
- Windows Fast User Switching
- RDP for clientless SSO
- SSO authentication over BOVPN
SSO software versions lower than v11.9.3 do not support RDP for the SSO Client.
The versions of the SSO components in your SSO solution do not have to be the same, and they do not have to be the same as the version of Fireware on your Firebox. We recommend that you install the highest available version of the SSO Agent, even if your Firebox runs a lower version of Fireware.
Common Error Messages
Access Denied
You can see this error message if:
- There are devices on the network that are not computers, for example, printers and routers
- There are computers or other devices on the network that are not domain members
- A user provided invalid domain credentials for SSO
- The SSO services on the server or computer do not have Admin privileges
To troubleshoot this error message:
- Verify the trust relationship between the domain computer and domain controller is correct. If there is a domain membership issue, remove the computer from the domain and add it to the domain again.
- To confirm that the domain membership issue is resolved, try to connect to a domain member server on your network through a UNC path.
For example, if the name of your file server is CompanyShare, at a Windows command prompt type \\CompanyShare. If you cannot get access to this folder, and Windows permissions error messages appear, verify these settings on the Active Directory server: computer settings, user account settings, and the trust relationship.
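The trust check and the UNC test above can be run together from PowerShell, with the secure-channel repair as an intermediate step before you fall back to removing and re-adding the computer. This is an added PowerShell example, not WatchGuard code; it assumes an elevated session on the workstation that gets Access Denied, uses the CompanyShare name from the text as its example server, and the function name Repair-SsoDomainTrust is hypothetical.

```powershell
# Added example, not WatchGuard code. Run elevated on the workstation that
# gets "Access Denied". CompanyShare is the example server name from the text
# above; Repair-SsoDomainTrust is a hypothetical name chosen for this example.
function Repair-SsoDomainTrust {
    param([string]$FileServer = 'CompanyShare', [switch]$Repair)

    $domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain

    # 1. Verify the secure channel to a domain controller (the trust relationship).
    $ok = Test-ComputerSecureChannel
    Write-Host "Secure channel to ${domain}: $ok"
    if (-not $ok) {
        if ($Repair) {
            # -Repair resets the computer account password on the DC without
            # leaving the domain. The supplied account needs rights to reset
            # the computer object. If this still fails, remove the computer
            # from the domain and join it again, as described above.
            $cred = Get-Credential -Message "Account allowed to reset this computer object in $domain"
            $ok = Test-ComputerSecureChannel -Repair -Credential $cred
            Write-Host "Repair result: $ok"
        }
        else {
            Write-Host 'Re-run with -Repair to reset the machine account password.'
        }
    }

    # 2. nltest shows which domain controller the secure channel is set up
    #    with and the last status code, which helps when one DC is healthy
    #    and another is not.
    nltest.exe /sc_query:$domain

    # 3. Confirm membership end to end by listing a member server's shares
    #    over a UNC path. "System error 5" (Access is denied) points at the
    #    trust or account; "System error 53" (The network path was not found)
    #    points at name resolution or routing, the same messages listed under
    #    Common Error Messages in this topic.
    $out = net.exe view "\\$FileServer" 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Host "UNC access to \\$FileServer OK"
    }
    else {
        Write-Warning ("net view \\$FileServer failed: " + (($out | ForEach-Object { "$_" }) -join ' '))
    }
}

Repair-SsoDomainTrust -FileServer 'CompanyShare'
```

Run it first without -Repair to see the state, then with -Repair; a repair that succeeds but is followed by the same Access Denied from the Firebox usually means the SSO service account, not the workstation, lacks the privileges listed under All SSO Methods.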
Unknown User
This error can be caused by:
- Event log files that do not exist or are full
- A computer that is not a domain member
- SSO connection attempts by RDP users when your SSO component software needs to be upgraded
You must run v11.10 or higher for users to make an RDP connection with SSO.
- Windows Event IDs that are not supported by WatchGuard SSO components
- A user that is not logged in
SMB over TCP port 445 not open on remote server. Check firewall.
TCP port 445 is not open on the user computer, or the service that listens on TCP port 445 did not respond.
Remote host 'x.x.x.x' in logoff status
No user is logged in, or the user who was logged in has started the logoff process.
The network path was not found
There is no route to the host.
See Also
About Active Directory Single Sign-On (SSO)