Troubleshooting Single Sign-on (SSO) related errors

12/06/2021 2,115 People found this article helpful 226,922 Views

Download

Print

Share

• LinkedIn
• Twitter
• Facebook
• Email
• Copy URL The link has been copied to clipboard

Description

This article guides you to significantly reduce and troubleshoot Single Sign-On (SSO) agent related errors reported under Logs and TSR (Tech Support Report).

Resolution

Below is a screenshot of the Enforcement tab on the SSO configuration properties dialog box. Is accessed from Manage| Users |Settings| Configure SSO.

• Under Enforcement in SSO Bypass  you can bypass SSO and allow services, hosts, networks or range of IPs to send their traffic through the SonicWall without having to go through user authentication via SSO. This is vital for devices who do not require user authentication via SSO such as Macintosh Apple Computers, iPads, Printers and Smart phones or Servers that do not run with a logged in user.
  
  
  

• User names used by Windows services: Programs such as a video card software.
  EXAMPLE: NVIDIA's Update, can cause issues and need to be bypassed from SSO agent in the option shown below.

Troubleshooting Errors:

One of the first step in getting down to reducing the SSO Errors and connection issues is to pull a TSR and take a look at the IPs that are giving errors.

EXAMPLES: 

• Probing failed: This is typically caused by Windows firewall or another 3rd party firewall or anything that would be blocking as the probe is coming from the SonicWall itself to check if the ports are open for selected query type before sending it to the SSO Agent.
  
  
• Agent did not respond: This error is self-explanatory, the SSO Agent did not respond to the SonicWall query for information on the IP.
  • Confirm agent is not installed on the AD server as typically AD has to process other requests and could lead to performance issues. With this error you may want to consider adding another Agent depending on the amount of users being queried for SSO Authentication.
    
    
• SSO agent reported: OS Error -21477217406: This error is typically caused by a WMI failure.
  When no user os logged in, WMI gets a response as "getFields failed" which is represented by SonicOS as a negative number.
  • This is not indicative of a user identification failure. NetAPI alone can be used in this scenario to avoid this error.
    
    
• Error: Error(51) Unknown Error: This error usually means the IP address is a Windows machine, but access to TCP 445 (part of File & Print sharing) is blocked.
  • Usually error 51 is caused by Windows firewall or another 3rd party firewall or anything that would be blocking File and Print Sharing.
    
    
• Agent reported error - OS error [53] Network path not found: This error could be due to:
  • the unit is not a Windows PC
  • If the IP showing this error is a Windows PC then:
    • check if any Windows Firewall, Defender or any Anti-virus software may be blocking the query.
    • Confirm that File and Print Sharing is enabled on the Windows PC. 
      
      
• Agent reported error - OS error [5]: Access denied: This is often an SSO agent service error as it may not be running under domain admin or do not have the admin rights.
  This can happens if the password was set to expire on the account that is running these services, and the password has expired).
  To troubleshoot error 5 on the SSO agent, check the following:
  • Check the SSO agent service logon account. This must be a domain administrator, and it must have password never expired enabled and excluded from any password policy
  • Logon to the agent machine as the domain administrator account assigned to the SSO service and run a net view \IP from command prompt of the machine you are trying to authenticate. If no error displays, then it means the SSO agent is resolving the name properly.
  • If the above two steps did not lead you to any resolution, check the target computer for software firewalls in the anti-virus programs.
    For example, Trend Micro has a software firewall that will cause this specific error rather than error 51.
    
    

    TIP: SSO Agent and Ports: NetAPI Ports = 445 and 139 & WMI = 1726 and 135 SSO Agent Default Port = 2258 & TSA Agent Default Port = 2259.

NOTE: Error 51, 53, 21477217406 are usually client related errors and need to be troubleshooted on the clients. Error 5 may be a SSO Agent Service error and it may need to be troubleshooted on the Server on which the SSO Service is running.

Related Articles

• Bandwidth usage and tracking in SonicWall
• How to force an update of the Security Services Signatures from the Firewall GUI
• Configure Guest VLAN in the TZ firewall, for guest users to access Internet only.

Categories

• Firewalls > TZ Series > User Login
• Firewalls > SonicWall SuperMassive 9000 Series > User Login
• Firewalls > NSa Series > User Login
• Firewalls > NSv Series > User Login