Troubleshooting SSO Agent related errors
12/20/2019
DESCRIPTION:
This article explains how to troubleshoot, and significantly reduce, the SSO agent related errors reported in the logs and in the TSR (Tech Support Report) of SonicWall UTM devices.
RESOLUTION:
Below is a screenshot of the Enforcement tab of the SSO configuration properties dialog box. It is accessed from Manage | Users | Settings | Configure SSO.
Under Enforcement, the SSO Bypass list lets you bypass SSO for services, hosts, networks or IP ranges, so that their traffic passes through the SonicWall without user authentication via SSO. This is vital for devices that cannot be identified via SSO and would otherwise only generate agent errors, such as Apple Macintosh computers, iPads, printers, smart phones, or servers that run without a logged-in user.

User names used by Windows services: Windows services that run under their own user accounts (for example the update service installed with NVIDIA video card software) can be reported by the agent as logged-in users and cause SSO issues. Add such service user names to the bypass option shown below so the SSO agent ignores them.

Troubleshooting Errors:
One of the first steps in reducing SSO errors and connection issues is to pull a TSR and look at which IPs are producing errors, and which error each one reports.
EXAMPLES:
- Probing failed: the SonicWall itself probes the host to check that the ports for the selected query type (NetAPI or WMI) are open before it hands the query to the SSO agent. A failed probe is typically caused by Windows Firewall, another third-party firewall, or anything else blocking those ports between the SonicWall and the host.
- Agent did not respond: self-explanatory; the SSO agent did not answer the SonicWall's query for information about the IP. Confirm that the agent is not installed on the AD domain controller, since the domain controller typically has other requests to process and the extra load can cause performance issues. With this error you may also want to add another agent, depending on the number of users being queried for SSO authentication.
- SSO agent reported: OS Error -2147217406 (the signed form of HRESULT 0x80041002, WBEM_E_NOT_FOUND): typically a WMI result rather than a fault. When no user is logged in, the WMI query returns a "getFields failed" response, which SonicOS displays as this negative number. It is not indicative of a user identification failure. Using NetAPI alone in this scenario avoids the error.
- Error: Error(51) Unknown Error: usually means the IP address is a Windows machine, but access to TCP 445 (part of File and Print Sharing) is blocked. Error 51 is usually caused by Windows Firewall, another third-party firewall, or anything else that blocks File and Print Sharing.
- Agent reported error - OS error [53] Network path not found: either the host is not a Windows PC, or, if the IP showing this error is a live Windows PC, Windows Firewall, Defender or anti-virus software is blocking the query. Also confirm that File and Print Sharing is enabled on the Windows PC.
- Agent reported error - OS error [5]: Access denied: usually the SSO agent service is not running under a domain administrator account or does not have admin rights. This can also happen when the password of the account running the service was set to expire and has expired. To troubleshoot error 5 on the SSO agent, check the following:
- Check the SSO agent service logon account. It must be a domain administrator, must have "password never expires" enabled, and must be excluded from any password expiry policy.
- Log on to the agent machine as the domain administrator account assigned to the SSO service and run net view \\IP from a command prompt, where IP is the machine you are trying to authenticate. If no error displays, the SSO agent account can reach the target and is resolving the name properly.
- If the above two steps do not lead to a resolution, check the target computer for a software firewall bundled with its anti-virus product. For example, Trend Micro ships a software firewall that causes this specific error rather than error 51.
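The two steps above (tally the erroring IPs from the TSR, then check each host for the error 5/51/53 conditions) can be scripted from the SSO agent host. The following PowerShell is an added example and is not part of the SonicWall article or the agent; it assumes it is run on the agent machine as the SSO service's logon account, that the target hosts are reachable, and that the TSR excerpt (here a constructed sample in an assumed "IP  error text" layout) has been pasted into `$TsrExcerpt`. Names such as `Test-SsoTarget` are the example's own.

```powershell
# Added example, not from the SonicWall article. Triage SSO agent errors from a
# TSR excerpt, then run the per-host checks the article describes.
# Assumptions: run on the SSO agent host as the service's logon account;
# $TsrExcerpt is a constructed sample in an assumed "<ip> <error text>" layout.

$TsrExcerpt = @"
10.1.5.21   Agent reported error - OS error [5]: Access denied
10.1.5.21   Agent reported error - OS error [5]: Access denied
10.1.5.40   Error: Error(51) Unknown Error
10.1.5.77   Agent reported error - OS error [53] Network path not found
10.1.5.77   Agent reported error - OS error [53] Network path not found
10.1.5.90   Probing failed
10.1.5.21   SSO agent reported: OS Error -2147217406
"@

# 1. Tally errors per IP and error text. Hosts that only ever fail (printers,
#    Macs, servers with no interactive user) are candidates for SSO Bypass.
$Tally = $TsrExcerpt -split "`r?`n" |
    ForEach-Object {
        if ($_ -match '^\s*(?<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?<err>.+?)\s*$') {
            [pscustomobject]@{ IP = $Matches.ip; Error = $Matches.err }
        }
    } |
    Group-Object IP, Error |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'IP';    e = { $_.Group[0].IP } },
        @{ n = 'Error'; e = { $_.Group[0].Error } }

$Tally | Format-Table -AutoSize

# 2. Live checks for one host, mirroring the article's error 5 / 51 / 53 steps.
function Test-SsoTarget {
    param([Parameter(Mandatory)][string]$Ip)

    $Result = [ordered]@{ IP = $Ip }

    # Ports the probe and the agent rely on: NetAPI TCP 445/139, DCOM/WMI endpoint mapper TCP 135.
    foreach ($Port in 445, 139, 135) {
        $Tnc = Test-NetConnection -ComputerName $Ip -Port $Port -WarningAction SilentlyContinue
        $Result["TCP$Port"] = $Tnc.TcpTestSucceeded
    }

    # net view \\IP reports "System error 5" (access denied: service account rights or
    # expired password) or "System error 53" (path not found: not Windows, or sharing blocked).
    $NetView = net view "\\$Ip" 2>&1 | Out-String
    $Result['NetViewSystemError'] = if ($NetView -match 'System error (\d+)') { [int]$Matches[1] } else { 0 }

    # Same WMI query the agent issues, over DCOM (not WinRM) so the same ports and rights apply.
    # With nobody logged on, UserName is empty, which is what the agent surfaces as OS Error -2147217406.
    try {
        $Session = New-CimSession -ComputerName $Ip -SessionOption (New-CimSessionOption -Protocol Dcom) -ErrorAction Stop
        $Cs = Get-CimInstance -CimSession $Session -ClassName Win32_ComputerSystem -ErrorAction Stop
        Remove-CimSession $Session
        $Result['LoggedOnUser'] = if ($Cs.UserName) { $Cs.UserName } else { '<none logged on>' }
    } catch {
        $Result['LoggedOnUser'] = "WMI failed: $($_.Exception.Message)"
    }

    [pscustomobject]$Result
}

# Check every host that produced an agent error. "Probing failed" hosts are skipped:
# that failure is between the SonicWall and the host, so the agent machine cannot test it.
$Tally | Where-Object Error -notmatch 'Probing failed' |
    Select-Object -ExpandProperty IP -Unique |
    ForEach-Object { Test-SsoTarget -Ip $_ }
```

Reading the output: a host with TCP445 false and NetViewSystemError 53 matches the error 53 / error 51 cases (firewall or File and Print Sharing), one with all ports open but NetViewSystemError 5 and a WMI "Access is denied" matches error 5 (service account rights or expired password), and one where everything succeeds but LoggedOnUser is "<none logged on>" is the harmless WMI -2147217406 case, which is better handled by switching that host to NetAPI or adding it to SSO Bypass.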
TIP: SSO agent and ports: NetAPI uses TCP 445 and 139; WMI uses 135 (the RPC endpoint mapper, which then hands off to a dynamic RPC port) and 1726; the SSO agent default port is 2258 and the TSA (Terminal Services Agent) default port is 2259.