asked on
Sonicwall SSO Agent accuracy for multiple users sharing PC.
Hi,
We currently have a NSA 240 running 5.9.0.4-127o with SSO agents running Directory Connector 3.6.56. The problem we have is when user A logs off a PC and user B logs in, the sonicwall still has the active session of user A. User B then also has the CFS policy assigned to user A. We are using NetAPI for the query source which seems to be the most accurate in my tests using the Directory Connector Diag tool, even though it says its supposed to be the least accurate. If I kill the users session in the sonicwall the new users CFS policy is correctly identified but this would be a hassle to manage.
Has anyone had a better experience using WMI or DC logs when multiple users share a PC with different CFS policies?
Thanks in advance.
We currently have a NSA 240 running 5.9.0.4-127o with SSO agents running Directory Connector 3.6.56. The problem we have is when user A logs off a PC and user B logs in, the sonicwall still has the active session of user A. User B then also has the CFS policy assigned to user A. We are using NetAPI for the query source which seems to be the most accurate in my tests using the Directory Connector Diag tool, even though it says its supposed to be the least accurate. If I kill the users session in the sonicwall the new users CFS policy is correctly identified but this would be a hassle to manage.
Has anyone had a better experience using WMI or DC logs when multiple users share a PC with different CFS policies?
Thanks in advance.
Networking Hardware-OtherNetwork Security
Last Comment
gheist
you can have user logout script that logs them out from soncwall
Shouldnt the logoff of user from machine also consider session as logoff. I was seeing this below on the SSO configuration and supposedly
There is a CleWMI vbs that can query current login user but not sure that can help to officiate log off or remap policy. For shared PC, it is not recommended to hold active session once user logoff.
https://support.software.dell.com/kb/sw7363
(more WMI query) http://msdn.microsoft.com/en-us/library/aa394586(v=vs.85).aspx
I also understand there is polling time to poll the workstation running SSO Agent to verify that users are still logged on. Wondering if there are a timeout for inactive session to terminate session though
https://support.software.dell.com/kb/sw5952
Log out from the windows domain computer and log in back with a user from either the full access or restricted access groups and check whether the policy is getting enforced correctly for the user.https://support.software.dell.com/kb/sw7782
There is a CleWMI vbs that can query current login user but not sure that can help to officiate log off or remap policy. For shared PC, it is not recommended to hold active session once user logoff.
https://support.software.dell.com/kb/sw7363
(more WMI query) http://msdn.microsoft.com/en-us/library/aa394586(v=vs.85).aspx
I also understand there is polling time to poll the workstation running SSO Agent to verify that users are still logged on. Wondering if there are a timeout for inactive session to terminate session though
https://support.software.dell.com/kb/sw5952
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
If you use the directory connector (which I highly recommend) it has a refresh time
http://help.mysonicwall.com/sw/eng/6931/ui2/25500/PANEL_ssoProps.html
http://help.mysonicwall.com/sw/eng/6931/ui2/25500/PANEL_ssoProps.html
ASKER
Well I ended up calling support and when they dialed in we could not get the SSO to fail. After one minute, which is the polling rate the SSO would identify the new user and the CFS policy would change. Although I still had the same problem occur a few weeks later where the SSO would test correctly but the sonicwall would not release the current users session. So unfortunately I never came to a solid conclusion. Thanks for the replies.
So for some reason polling is stopped at some moment? Power saving? clock adjustments...