2FA Authentication SSO fails/corrupts cache credentials with Connect Tunnel
03/26/2020 1048 11648
2FA Authentication fails / corrupts cache credentials with connect tunnel client. Here is the setup AD tree and Quest Defender token, SSO (enabled credentials) is enabled at the community level.
The normal procedure to authenticate with this method is to start the CT client, click on connect using the cached credentials, the next prompt is to 'Enter Synchronous Response' from the token client.
Scenario: User connects using two factor token authentication, the computer will enter sleep mode or will turn off. The machine starts up and is logged into, the user starts CT using SSO, clicks connect and immediately is prompted with invalid credentials, if the user attempts a second time to connect they will immediately be prompted again with invalid credentials. f the user enters the client properties and un-checks 'Remember Credential', the user can enter credentials and is prompted next to 'Enter Synchronous Response' from the token client and connects.
*************Snippet of ngutil logs*************
07:29:55.843 D SaveCredentials CredWrite<0xff1fe000> CredDelete<0xff1f0830> 07:29:55.843 D SaveCredentials CryptProtectData size<170> 07:29:55.843 D SaveCredentials CredWrite UserNameCredName 07:29:55.843 D S-Route[188.8.131.52/255.255.255.255]M[0x1392] 07:29:55.843 D S-Range[184.108.40.206 - 220.127.116.11 -> [10.16.160.5 - 10.16.160.5] 07:29:55.843 D SaveCredentials CredWrite Done
SonicWall Engineering identified the root casue and will be fixed in a hotfix, same changes will be pushed to 11.2.0 and 11.3.0 firmware versions. Refer 10.7.2 hotfix set.