SSO Agent Issues - NSA3600

Having issues for months now with pockets of users, which can change daily.  Win2k8 R2 mixed with Win2k12R2 DCs.  Set up SSO agent on a new HV non-DC. Also set up SSO agent on a new DC but disabled it per SonicWall.  So only the one SSO agent is running.

On a daily basis, I have PCs losing their SSO agent abilities using the CFS policies.  At each station we have disabled the Windows Firewall, flushed DNS, disjoined from the domain, you name it, we have tried it.  I have a ticket with SonicWall open but am not really getting any results to correct it.  The PCs having issues receive these errors in the Users Status window:

SSO agent reported: OS error 5: Access denied
SSO agent reported: OS error 53: Network path not found
Agent did not respond
Agent returned no user name

I do have too many DCs right now as I am migrating a few out, which means too many DNS servers as well (5).  I don't know how to get those PCs back online with SSO. Windows Firewall was obvious.  Tried opening suggested ports but still failure, so disabled it totally except Public Network, which is still on.  Ideas?
cobmo (IT Manager) asked:

cobmo (IT Manager, author) commented:
SonicWall Firmware
SW Directory Connector
Aaron Tomosky (Director of Solutions Consulting) commented:
SSO has many methods; one of these is the directory connector, which can parse DC logs so all domain-joined computers get picked up. In SonicWall user settings does the directory connector show a green dot, and on the directory connector VM can you view parsed users?
cobmo (IT Manager, author) commented:
Yes, I had configured 2 SSO agents. One on a new HV server and the other on a domain controller.  We disabled the SSO agent on the domain controller bc the tech said I only needed one (I also read not to install on a DC).  Even with turning it off it still doesn't work properly with one.  The symptom is that a user is fine one day and then the next day is non-functioning.  And it's only a few people, so the SSO agent is working and it is using the CFS policies accordingly. It seems like it times out or just can't verify the AD information with the SSO agent.  The server processing is almost nothing and it has tons of RAM.  It leads me to a communication or network issue, or the PC.  I was researching and had help from a contractor setting this up, and we did not use the LDAP security certificate to import the LDAP users (for TLS).  He said that since we were one domain and local it wasn't an issue, even though the notification on the SonicWall says it is highly insecure.

Aaron Tomosky (Director of Solutions Consulting) commented:
Just installing the SSO agent software doesn't do anything; you have to tell it about the SonicWall, put in a shared secret, and tell the SonicWall about it. Then from the SonicWall you can see it's connected and see success and fail stats by hovering over it.
cobmo (IT Manager, author) commented:
Oh sure, that is all done.  Like I said, it is working, partially and not consistently.
Aaron Tomosky (Director of Solutions Consulting) commented:
On the directory connector, did you put in one DC or more?
cobmo (IT Manager, author) commented:
Just 1.
cobmo (IT Manager, author) commented:
Should I have all of them on that selection?
cobmo (IT Manager, author) commented:
As stated, now that I have had the Win2k12 domain controllers on board for a month or two, I am now going to demote 2 of the older ones in the next week or so and transfer roles to the newer server from the W2k8 DC.
Aaron Tomosky (Director of Solutions Consulting) commented:
I think you need both, because if they are at the same site, and you haven't tweaked the priority settings, they load balance. So if a computer uses DC2 to auth but you are only watching DC1, then it won't pick them up.

If you don't share computers, you can also increase the time before "logging off" users, which basically is just how long the SonicWall remembers a user login.
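The point above is that logons are spread across every DC at a site, so the agent has to watch all of them. The following PowerShell script, added here as an example and not part of the thread or of SonicWall's software, enumerates the DCs registered for the domain with `nltest`, compares them against the IPs already entered in the agent's DC list, and shows which DC the local machine actually authenticated against. The domain name and the `$agentConfiguredDCs` list are placeholders to replace; it runs on Windows 7 / PowerShell 2.0 without extra modules.

```powershell
# Added example, not from the thread. Lists every DC registered for the domain
# (so each one can be entered in the SSO agent's DC list) and shows which DC
# this client actually authenticated against. nltest and the LOGONSERVER
# variable are built into Windows. The domain name and the list of DC IPs
# "already configured in the agent" are placeholders.

$domain = "example.local"                 # placeholder: your AD domain
$agentConfiguredDCs = @("10.0.0.10")      # placeholder: DC IPs currently in the agent's list

function Get-DomainDCs {
    param([string]$Domain)
    # nltest /dclist prints one line per DC, e.g.
    #   dc1.example.local [PDC]  [DS] Site: Default-First-Site-Name
    $lines = nltest /dclist:$Domain 2>&1
    foreach ($line in $lines) {
        if ("$line" -match '^\s*(\S+)\s+.*\[DS\]') {
            $name = $matches[1]
            $ips  = @([System.Net.Dns]::GetHostAddresses($name) |
                      Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                      ForEach-Object { $_.IPAddressToString })
            New-Object PSObject -Property @{
                Name  = $name
                IPv4  = $ips
                IsPDC = ("$line" -match '\[PDC\]')
            }
        }
    }
}

$dcs = @(Get-DomainDCs -Domain $domain)
"Domain controllers found: $($dcs.Count)"
$dcs | ForEach-Object { "  {0,-35} {1,-18} PDC={2}" -f $_.Name, ($_.IPv4 -join ','), $_.IsPDC }

# DCs the agent is not watching: logons processed by these are never reported to the firewall
$missing = @($dcs | Where-Object {
    $dc = $_
    -not ($dc.IPv4 | Where-Object { $agentConfiguredDCs -contains $_ })
})
if ($missing.Count -gt 0) {
    "DCs NOT in the SSO agent's list (add these):"
    $missing | ForEach-Object { "  $($_.Name) $($_.IPv4 -join ',')" }
} else {
    "Every DC is in the SSO agent's list."
}

# Which DC handled this client's logon (LOGONSERVER is formatted \\DC1)
$logonServer = $env:LOGONSERVER -replace '^\\\\', ''
"This client authenticated against: $logonServer"
$current = $dcs | Where-Object { $_.Name -like "$logonServer.*" }
if ($current -and ($missing | Where-Object { $_.Name -eq $current.Name })) {
    "  -> that DC is not watched by the agent, which would explain a missing SSO identification."
}
```

Run it on one of the affected PCs on the day the user is not identified: if its logon server turns up in the "not in the agent's list" output, the load-balancing explanation fits; if every DC is already listed, the cause is somewhere else (client-side ports, as discussed further down the thread).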
Aaron Tomosky (Director of Solutions Consulting) commented:
Also I recommend utilizing the other SSO "agents" like WMI.
cobmo (IT Manager, author) commented:
The secondary SSO agent that is currently disabled is installed on a DC, and my research suggests that it is not recommended bc it may be busy doing other domain activities and fail to authorize.  Tech suggested that if I reboot the main SSO agent I can flip it on during the process so there wouldn't be any user interference.

The query source on the SSO agent is set to:
DC Security Log + NetAPI + WMI, based on SW tech support's resolution.

I think you are right on the DCs.  That would make sense, plus be sooo incredibly simple. As I move out the old DCs I simply remove them from the list.

I have adjusted the SSO Agent with all DC IPs and authentication.  Let's see how the next few days play out.
Aaron Tomosky (Director of Solutions Consulting) commented:
Good to hear. Also, do you use RADIUS for Wi-Fi auth? One of the side benefits is you can send RADIUS accounting traffic to the SonicWall and get users that way. I had a setup that got Android and iOS devices no problem that way. Of course the main selling point is no more Wi-Fi PSK.
cobmo (IT Manager, author) commented:
Not using RADIUS.  Not offering networked Wi-Fi, yet. I will know more tomorrow as people log off tonight and return tomorrow.  Over the weekend most users shut down, so Monday will be a telling day.  I think this is it. Like everything, it's very painful to set up and troubleshoot, but the benefits will be worth it.  Many hours on the phone with Dell ppl over this.
cobmo (IT Manager, author) commented:
Nope.  Two of the users we have had a problem with are still having problems this morning.  The errors are:

SSO agent reported: OS error 11: Bad format
Agent did not respond

We have disabled the Windows firewall, changed DNS servers (they have static IPs), disjoined from the network, flushed DNS, disabled IPv6 in the adapter settings, etc.

I just don't know.
Aaron Tomosky (Director of Solutions Consulting) commented:
Well, that's a different error. Do they have an alternate UPN or something? Anything stand out about these two users? Are they prompted with the SonicWall login page when SSO doesn't work?
cobmo (IT Manager, author) commented:
SonicWall: "I would suggest you use the query source as either NetAPI or WMI. NetAPI will provide faster, though possibly slightly less accurate, performance. WMI will provide slower, though possibly more accurate, performance. WMI is pre-installed on Windows platforms. Both NetAPI and WMI can be manually downloaded and installed. NetAPI and WMI provide information about users that are logged into a workstation, including domain users, local users, and Windows services. But when you use NetAPI make sure 'File Sharing and Printing Services' is turned on. And the NetBIOS protocol along with the NetAPI/WMI ports/services should be allowed both inbound and outbound via the Windows firewall / antivirus program installed on the client computer.

At times, DC logs may not give accurate results because it totally depends on the updates on the Domain Controller's logging information. Thus, it is recommended to use either NetAPI or WMI."

The PCs in question are located on a different subnet, but the firewall is allowing communication.  The issue is only happening to a few PCs at that location; others are fine.  The firewalls have been disabled, the ports opened on the firewall to that side, I don't see anything in the AV logs indicating blocks, and all the other users use the same ePO settings.  On the suggestion of using NetAPI or WMI, I googled to find how to download and install NetAPI and WMI, but they are all Win7 machines and should be fine.  Is this saying I need to install .NET 2.0?

If I do a NET VIEW \\computer it fails.  Support is not calling back.

Aaron, do you have a solution per SonicWall's statement?  If all were down it would be easier to troubleshoot, but only about 6 out of 20 machines are at issue.
Aaron Tomosky (Director of Solutions Consulting) commented:
Windows Firewall by default allows some open ports only to "local network", which means the subnet it's on. I think this includes the file sharing ones. If you change that manually to any and it works, you probably want to use a GPO to set that.
