Troubleshoot Active Directory SSO
If you have problems with your Active Directory SSO deployment, you can use the information in this topic to review your deployment for configuration issues.
Verify the SSO Component Configuration
Active Directory
- Your Active Directory server is configured on a trusted or optional network
- All users have a user account on the Active Directory server
Firebox
- Your Firebox is configured to use Active Directory authentication for SSO
- The IP address of the SSO Agent is specified in the Firebox configuration
- SSO exceptions are specified for networks and devices that are not part of the domain, such as guest networks and routers
SSO Agent
- TCP port 4114 is open on the server where you installed the SSO Agent
- For SSO Agent v12.3 or higher, Microsoft .NET Framework v4.0 or higher is installed on the server where you installed the SSO Agent
- For SSO Agent versions lower than v12.3, Microsoft .NET Framework v2.0–4.5 must be installed on the server where you install the SSO Agent
- The SSO Agent runs as a user account in the Domain Users security group
Tip! The Domain Users account you select must have privileges to run services on the Active Directory server, to search the directory, and to search all other user audit information. For security reasons, we recommend that you do not select an account in the Domain Admins security group.
- The SSO Agent is configured correctly
To verify that the SSO Agent is configured correctly:
- From the Windows Start menu, select All Programs > WatchGuard > Authentication Gateway > SSO Agent.
- Log in to the SSO Agent. The default user name and password are admin and readwrite.
- Select Edit > SSO Agent Contacts Settings.
- Make sure that your preferred SSO method is enabled and set to Priority 1. If you configured a backup SSO method, make sure it is enabled and set to Priority 2.
SSO Client
- TCP port 4116 is open on the computers where you installed the SSO Client
- macOS computers were added to the Active Directory domain before the SSO Client was installed
- All computers from which users authenticate with SSO are members of the Active Directory domain and have unbroken trust relationships
- All users log in with a domain user account, not a local computer user account. If users log in with a user account that exists only on their local computers, their credentials are not verified, and the Firebox does not recognize that they are logged in.
- The SSO Client is enabled in the SSO Agent settings. To specify the SSO Client as your primary SSO method, set it to Priority 1.
Event Log Monitor
- TCP port 4135 is open on the domain controller where the Event Log Monitor is installed
- Event Log Monitor is installed on one domain controller for each Active Directory domain in your network
- Event Log Monitor runs as a user account in the Domain Users security group
Tip! The Domain Users account you select must have privileges to run services on the Active Directory server, to search the directory, and to search all other user audit information. For security reasons, we recommend that you do not select an account in the Domain Admins security group.
- Event Log Monitor is enabled in the SSO Agent settings. To specify the Event Log Monitor as your primary SSO method, set it to Priority 1. To set it as your backup SSO method, set it to Priority 2.
- After you enable audit logging for account logon events, the Security Event Log on your Windows computers records Windows Events 4624 and 4634 for logon and logoff actions
- The Security Event Log file is not full on your Windows computers
To enable audit logs for account logon events:
- Select Start > Administrative Tools > Group Policy Management.
- Right-click Default Domain Policy and click Edit.
The Group Policy Management Editor appears.
- From Computer Configuration, select Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
- Open Audit account logon events.
- Select the Define these policy settings check box.
- Select the Success check box.
To generate additional log messages that can help you to troubleshoot authentication issues, select the Failure check box.
After you resolve the problem, make sure to clear the Failure check box.
- Click OK.
- Force the user computers to get the updated group policy with one of these methods:
- Run gpupdate locally on the computer, or remotely with the gpupdate /target command.
- Ask the user to log off and log on again.
- Restart the user computer.
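To confirm the result of the audit policy change on a domain controller or user computer, the added PowerShell check below (not part of the WatchGuard documentation) reports whether the Security log holds recent 4624 and 4634 events and whether the log has filled up; it assumes an elevated session on the computer being checked.

```powershell
# Added example, not from the WatchGuard documentation. Run in an elevated
# PowerShell session on the domain controller (or user computer) you are checking.
function Test-SsoSecurityLog {
    param([int]$LookbackHours = 24)   # how far back to look for logon/logoff events

    # Log configuration: size, retention mode and whether it has filled up
    $cfg = Get-WinEvent -ListLog Security
    $usedPercent = [math]::Round(100 * $cfg.FileSize / $cfg.MaximumSizeInBytes, 1)

    # Events 4624 (logon) and 4634 (logoff) are what the Event Log Monitor relies on
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $filter = @{ LogName = 'Security'; Id = 4624, 4634; StartTime = $since }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $logons  = @($events | Where-Object Id -eq 4624).Count
    $logoffs = @($events | Where-Object Id -eq 4634).Count

    [pscustomobject]@{
        LogMode          = $cfg.LogMode            # Circular overwrites the oldest events; Retain can fill the log
        IsLogFull        = $cfg.IsLogFull
        MaximumSizeMB    = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
        UsedPercent      = $usedPercent
        LogonEvents4624  = $logons
        LogoffEvents4634 = $logoffs
        # Both checklist conditions: auditing produces logon events and the log is not full
        ReadyForSso      = ($logons -gt 0) -and -not $cfg.IsLogFull
    }
}

Test-SsoSecurityLog -LookbackHours 24 | Format-List
```

A LogMode of Retain with IsLogFull set to True explains an Unknown User error caused by a full event log; switch the log to Circular or enlarge it, then re-run the check.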
Exchange Monitor
- TCP port 4136 is open on the server where you installed the Exchange Monitor
- The Exchange Monitor is installed on the same server where your Microsoft Exchange Server is installed
- Exchange Server is configured to generate IIS logs in the W3C Extended log file format, and RPC client access log messages
- Exchange Monitor runs as a user account in the Domain Admins security group
- If the SSO Agent is not installed on your domain controller, or the Exchange Monitor and SSO Agent are installed in different domains, the Exchange Monitor contact domain is specified in the SSO Agent settings
- Exchange Monitor is enabled in the SSO Agent settings. To specify Exchange Monitor as your primary SSO method, set it to Priority 1. To set it as your backup SSO method, set it to Priority 2.
- Users launch a mail program before they attempt to get access to the Internet. This generates the IIS log messages on your Exchange Server that the Exchange Monitor requires for SSO.
Active Directory Mode
Active Directory (AD) Mode is a backup SSO method. AD Mode might not operate as expected in some circumstances, and it can introduce security risks. We do not recommend AD Mode as a primary SSO method.
TCP port 445 (Windows File and Printer Sharing/SMB) is open on all user computers.
To test whether port 445 is open, you can use:
- The SSO Port Tester tool
- A telnet client
For example, at a Windows command prompt, type telnet x.x.x.x 445. Make sure to replace x.x.x.x with the IP address of the user computer.
Test the SSO Port Connection
To verify that the SSO Agent can contact the Event Log Monitor and Exchange Monitor over the required ports, you can use the SSO Port Tester tool. This tool tests port connectivity between the server where you installed the SSO Agent, and a:
- Range of IP addresses
- Single IP address
- Specific subnet
- List of specific IP addresses
To test a list of specific IP addresses, you must import a text file that includes the IP addresses to test.
- Log in to the SSO Agent Configuration Tool.
- Select Edit > SSO Agent Contacts Settings.
- Click Test SSO Port.
The SSO Port Tester dialog box appears.
- In the Specify IP Addresses section, select an option:
- Host IP Address Range
- Network IP Address
- Import IP Addresses
- If you selected Host IP Address Range, in the Host IP Address Range text boxes, type the range of IP addresses to test. To test a single IP address, type the same IP address in both text boxes.
- If you selected Network IP Address, in the Network IP Address text box, type the network IP address to test.
- If you selected Import IP Addresses, click and select the plain text file with the list of IP addresses to test.
- In the Ports text box, type the port numbers to test. To test more than one port, type each port number separated by a comma, without spaces.
- Click Test.
The results of the port test appear in the SSO Port Tester window.
- To save the test results in a log file, click Save log and specify the file name and location to save the log file.
- To stop the port tester tool process, click Quit.
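The same connectivity check can be scripted from the SSO Agent server with built-in cmdlets. The PowerShell below is an added example, not WatchGuard's SSO Port Tester; it maps each SSO component to the TCP port listed in the checklists above, expands a host IP address range the way the port tester's range option does, and assumes PowerShell 5 or later with placeholder addresses for your own network.

```powershell
# Added example, not WatchGuard's SSO Port Tester. Run from the server where the
# SSO Agent is installed; addresses and host names are placeholders for your own network.
$SsoPorts = @{
    'SSO Client'        = 4116   # SSO Agent -> user computers
    'Event Log Monitor' = 4135   # SSO Agent -> domain controllers
    'Exchange Monitor'  = 4136   # SSO Agent -> Exchange server
    'AD Mode'           = 445    # SSO Agent -> user computers (SMB)
}

# Expand a Host IP Address Range (inclusive), like the port tester's range option
function Expand-IPv4Range {
    param([Parameter(Mandatory)][string]$Start, [Parameter(Mandatory)][string]$End)
    $toUInt32 = {
        param($ip)
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($b)                       # network byte order -> little-endian for BitConverter
        [BitConverter]::ToUInt32($b, 0)
    }
    for ($n = & $toUInt32 $Start; $n -le (& $toUInt32 $End); $n++) {
        $b = [BitConverter]::GetBytes([uint32]$n)
        [Array]::Reverse($b)
        [System.Net.IPAddress]::new($b).IPAddressToString
    }
}

function Test-SsoPorts {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][ValidateSet('SSO Client', 'Event Log Monitor', 'Exchange Monitor', 'AD Mode')]
        [string]$Component
    )
    $port = $SsoPorts[$Component]
    foreach ($target in $ComputerName) {
        # TcpTestSucceeded is the same open/closed result the SSO Port Tester reports per host and port
        $r = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Component = $Component
            Target    = $target
            Port      = $port
            Reachable = $r.TcpTestSucceeded
        }
    }
}

# Placeholder targets: a range of user computers for the SSO Client port, one domain controller for the Event Log Monitor port
Test-SsoPorts -ComputerName (Expand-IPv4Range '10.0.1.10' '10.0.1.20') -Component 'SSO Client' | Format-Table
Test-SsoPorts -ComputerName 'dc01.example.local' -Component 'Event Log Monitor' | Format-Table
```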
Verify the SSO Software Version
Make sure that you have installed SSO component software v11.10 or higher.
SSO software versions lower than v11.10 do not support:
- Windows Fast User Switching
- RDP for clientless SSO
- SSO authentication over BOVPN
SSO software versions lower than v11.9.3 do not support RDP for the SSO Client.
Fireware and SSO software versions lower than v12.2 do not support SSO configurations with multiple SSO Agents.
The versions of the SSO components in your SSO solution do not have to be the same, and they do not have to be the same as the version of Fireware on your Firebox. We recommend that you install the highest available version of the SSO Agent, even if your Firebox runs a lower version of Fireware.
SSO Agent v12.5.4 supports Fireware v12.5.4 or higher only. Before you install SSO Agent v12.5.4, you must upgrade the Firebox to Fireware v12.5.4 or higher. If you install SSO Agent v12.5.4, we recommend that you upgrade all SSO Clients to v12.5.4.
You cannot use SSO Client v12.5.4 with versions of the SSO Agent lower than v12.5.4. Fireware v12.5.4 supports previous versions of the SSO Agent.
Verify Your Network Configuration
After you confirm that SSO is installed and configured correctly, complete these steps:
- Make sure the SSO Agent and each SSO Client service is started.
- On the computer where the service is installed, select Start > Run > Services.msc.
- In the Status column, verify that Started appears.
- Verify that the client computer is on the correct domain.
- Verify that the individual user has logged on to the domain, and not to the local computer account.
- Verify the Active Directory group used for SSO authentication is a security group and not a distribution group. Active Directory distribution groups do not work with SSO.
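Two of the directory checks on this page, the SSO Agent and Event Log Monitor service account being a Domain User but not a Domain Admin (from the SSO Agent checklist above) and the SSO group being a security group rather than a distribution group, can be confirmed with the ActiveDirectory module. The PowerShell below is an added example, not WatchGuard code; the account and group names passed in are placeholders.

```powershell
# Added example, not WatchGuard code. Requires the ActiveDirectory RSAT module.
# Pass the service account's SamAccountName; the names used at the bottom are placeholders.
function Test-SsoDirectoryPrereqs {
    param(
        [Parameter(Mandatory)] [string]$ServiceAccount,  # account the SSO Agent or Event Log Monitor runs as
        [Parameter(Mandatory)] [string]$SsoGroup         # AD group referenced by the Firebox SSO configuration
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Service account must be a Domain User. Domain Admins is enumerated recursively
    # so that nested group membership does not hide excess privilege.
    $direct = Get-ADPrincipalGroupMembership -Identity $ServiceAccount | Select-Object -ExpandProperty Name
    $admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
    $inDomainUsers  = $direct -contains 'Domain Users'
    $inDomainAdmins = $admins -contains $ServiceAccount

    # Firebox SSO requires a security group; distribution groups do not work with SSO
    $grp = Get-ADGroup -Identity $SsoGroup -Properties GroupCategory, GroupScope
    $isSecurityGroup = $grp.GroupCategory -eq 'Security'

    [pscustomobject]@{
        ServiceAccount  = $ServiceAccount
        InDomainUsers   = $inDomainUsers
        InDomainAdmins  = $inDomainAdmins      # $true means more privilege than the checklist recommends
        SsoGroup        = $grp.Name
        GroupCategory   = $grp.GroupCategory   # Security or Distribution
        GroupScope      = $grp.GroupScope
        ReadyForSso     = $inDomainUsers -and -not $inDomainAdmins -and $isSecurityGroup
    }
}

Test-SsoDirectoryPrereqs -ServiceAccount 'svc-wgsso' -SsoGroup 'SSO-Users' | Format-List
```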
Common Error Messages
Access Denied
You can see this error message if:
- There are devices on the network that are not computers, for example, printers and routers
- There are computers or other devices on the network that are not domain members
- A user provided invalid domain credentials for SSO
- The SSO services on the server or computer do not have Admin privileges
To troubleshoot this error message:
- Verify the trust relationship between the domain computer and domain controller is correct. If there is a domain membership issue, remove the computer from the domain and add it to the domain again.
- To confirm that the domain membership issue is resolved, try to connect to a domain member server on your network through a UNC path.
For example, if the name of your file server is CompanyShare, at a Windows command prompt type \\CompanyShare. If you cannot get access to this folder, and Windows permissions error messages appear, verify these settings on the Active Directory server: computer settings, user account settings, and the trust relationship.
Unknown User
This error can be caused by:
- Event log files that do not exist or are full
- A computer that is not a domain member
- SSO connection attempts by RDP users when your SSO component software needs to be upgraded
You must run v11.10 or higher for users to make an RDP connection with SSO.
- Windows Event IDs that are not supported by WatchGuard SSO components
- A user that is not logged in
SMB over TCP port 445 not open on remote server. Check firewall.
TCP port 445 is not open on the user computer, or the service that listens on TCP port 445 did not respond.
Remote host 'x.x.x.x' in logoff status
No user is logged in, or the user who was logged in has started the logoff process.
The network path was not found
There is no route to the host.
Get Log Files and Contact Technical Support
If these troubleshooting steps did not resolve the issue, collect log files and contact WatchGuard Technical Support.
- From the SSO Agent computer, open a telnet session and connect to the SSO Agent over port 4114.
- Type login admin readwrite, where admin readwrite is the user name and password for the account.
- To enable debug mode, run the +set debug on command.
- Close the telnet session.
- From the SSO Client computer, log in to your domain.
Note the time of your login.
- Go to the relevant directory:
- For 32-bit systems: C:\Program Files\WatchGuard\WatchGuard Authentication Gateway\
- For 64-bit systems: C:\Program Files (x86)\WatchGuard\WatchGuard Authentication Gateway\
- Locate and copy the wagsrvc_critical.log file to your desktop.
- From the SSO Agent computer, open a telnet session and connect to the SSO Agent over port 4114.
- Type login admin readwrite, where admin readwrite is the user name and password for the account.
- To disable debug mode, run the +set debug off command.
- Close the telnet session.
- Log in to your domain from a client computer.
- On the client computer, go to the relevant directory:
- For 32-bit systems: C:\Program Files\WatchGuard\WatchGuard Authentication Client\
- For 64-bit systems: C:\Program Files (x86)\WatchGuard\WatchGuard Authentication Client\
- Locate and copy these files to your desktop:
- wgssoclient_logfile.log
- wgssoclient_errorfile.log
- Open WatchGuard System Manager (WSM) and connect to your Firebox.
- Start Policy Manager.
- Select Setup > Logging.
The Logging Setup dialog box appears.
- Click Diagnostic Log Level.
The Diagnostic Log Level dialog box appears.
- From the category tree, select Authentication.
- Move the Settings slider to select the Information level.
- Click OK to close each dialog box.
- Save the configuration file to your Firebox.
- Start Firebox System Manager (FSM) for your Firebox.
- Select the Traffic Monitor tab.
- With FSM open and the Traffic Monitor tab selected, log in to a computer that has SSO Client installed.
- This generates ADMD log messages that you can see in Traffic Monitor.
- On the FSM Traffic Monitor tab, in the search text box, type ADMD and from the search options drop-down list, select Filter search results.
- Traffic Monitor displays only the ADMD log messages.
- Right-click anywhere on Traffic Monitor and select Copy All.
- Paste the ADMD log messages in a text file and save the file to your desktop with the name SSO_firewall_logs.txt.
- Repeat Steps 2–8 to change the Diagnostic Log Level for the Authentication category to the original setting (for example, Error).
- Open a support incident through the WatchGuard Support Center.
- If you have not already logged in to the WatchGuard website, you must do so before you can submit an incident.
- Include these files as attachments:
- SSO Agent — wagsrvc.log
- SSO Client — wgssoclient_logfile.log and wgssoclient_errorfile.log
- Firebox — SSO_firewall_logs.txt