Sonicwall SSO Agent Frequently Stops on Windows 2008 R2 server

K_Wilke
Hello all,
I have a client that has a Sonicwall firewall.  It has the SSO agent on a Windows 2008 R2 server that works great until it stops (which is frequently); then my client has to go into Services and restart the agent.
This happens several times a day.
What can we do to fix this one?
Thanks,
Kelly W.
Scott Silva, Network Administrator

Commented:
You can set services to auto restart...
Open the services msc..
Go to the service in question
Right click and go to properties

On the recovery tab you can set the recovery options as needed.
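The same Recovery-tab settings, applied from a script so they can be set consistently and audited; this is an added example, not part of the original thread, and the service name is a placeholder you must look up with Get-Service:

```powershell
# Added example (not from the original thread): configure the automatic
# restart that the Recovery tab of services.msc exposes, using sc.exe.
# ASSUMPTION: the service name below is a placeholder; find the real one with
#   Get-Service | Where-Object { $_.DisplayName -like '*SonicWALL*' }
$ServiceName = 'REPLACE_WITH_SSO_AGENT_SERVICE_NAME'

# Show the service and the account it runs under. The logon account matters
# later in this thread (error 5 "access denied" when its password expires).
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; check Get-Service" }
"{0} runs as {1}, state {2}" -f $svc.DisplayName, $svc.StartName, $svc.State

# Recovery actions: restart the service 60 s after the first, second and
# every later failure; reset the failure counter after a day (86400 s)
# without failures. sc.exe needs the space after each 'key=' token.
& sc.exe failure "$ServiceName" reset= 86400 actions= restart/60000/restart/60000/restart/60000

# Also trigger the recovery actions when the service stops with a non-zero
# exit code, not only on a hard crash (the "stops with errors" checkbox).
& sc.exe failureflag "$ServiceName" 1

# Read the settings back to verify what was written.
& sc.exe qfailure "$ServiceName"
```

Run from an elevated PowerShell prompt on the server hosting the agent; the restart masks the symptom, so keep watching the Windows Event Log for why the service is stopping.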

Author

Commented:
Great idea and will try it.
But shouldn't there be some type of fix for this?
Last Knight
Distinguished Expert 2018
Commented:
Hi K_Wilke,

The SonicWALL SSO Agent only communicates with clients and the SonicWALL security appliance. SonicWALL SSO Agent uses a shared key for encryption of messages between the SSO Agent and the SonicWALL security appliance. The shared key is generated in the SSO Agent and the key entered in the SonicWALL security appliance during SSO configuration must match the SSO Agent-generated key exactly. Make sure the keys match!

SSO Bypass Group.
Have you setup a SSO Bypass Group for servers and network devices so that they don't fail authentication since they shouldn't require it anyway?

When SSO fails to authenticate a device, which is very common for servers and other network appliances that do not normally require authentication to the firewall, a device is put on a time out delay. All connections from that device are held/dropped until either that time out has passed or the device successfully authenticates. This time out is configurable, and by default is 1 minute in the current firmware. Furthermore, once a device has been timed out the SonicWALL will reattempt the authentication again 1 minute later causing a repetitive failure cycle where web browsing can be very slow or function in quick bursts.

On the SSO configuration page, there is an option on the Enforcement Tab for Exclusions. Any device which is not going to respond to the SSO agent, such as servers, routers, printers, VoIP phones, iPads, smartphones, etc., should be identified and excluded from the SSO process...this is vital for devices that do not require user authentication via SSO. This will also reduce the workload on your SonicWALL and improve performance for the devices in question.

Logging.
What is the log showing in the SonicWALL and in the Windows Log of the server, which hosts the SSO Agent?

The SonicWALL SSO Agent sends log event messages to the Windows Event Log based on administrator-selected logging levels.

The SonicWALL security appliance also logs SSO Agent-specific events in its event log. The following is a list of SSO Agent-specific log event messages from the SonicWALL security appliance:
• User login denied - not allowed by policy rule: The user has been identified and does not belong to any user groups allowed by the policy blocking the user's traffic.
• User login denied - not found locally: The user has not been found locally, and Allow only users listed locally is selected in the SonicWALL security appliance.
• User login denied - SSO Agent agent timeout: Attempts to contact the SonicWALL SSO Agent have timed out.
• User login denied - SSO Agent configuration error: The SSO Agent is not properly configured to allow access for this user.
• User login denied - SSO Agent communication problem: There is a problem communicating with the workstation running the SonicWALL SSO Agent.
• User login denied - SSO Agent agent name resolution failed: The SonicWALL SSO Agent is unable to resolve the user name.
• SSO Agent returned user name too long: The user name is too long.
• SSO Agent returned domain name too long: The domain name is too long.

Note: The notes field of log messages specific to the SSO Agent will contain the text ", authentication by SSO Agent".

Also, SonicWALL SSO agent tries to identify the logged in user by querying the workstations using NETAPI or WMI protocols. NETAPI and WMI require "file & print sharing" enabled on the end workstations. So make sure it is not a Windows firewall setting.

Finally, pull a TSR (Tech Support Report) and take a look at the IPs that are giving errors.

Examples of the most common errors:

Probing failed:  This is typically caused by Windows firewall or another 3rd party firewall or anything that would be blocking as the probe is coming from the SonicWALL itself to check if the ports are open for selected query type before sending it to the SSO Agent.

Agent did not respond: This error is self-explanatory, the SSO Agent did not respond to the SonicWALL query for information on the IP. Confirm agent is not installed on the AD server as typically AD has to process other requests and could lead to performance issues. (With this error you may want to consider adding another Agent depending on the amount of users being queried for SSO Authentication).

Error: Error(51) Unknown Error: This error usually means the IP address is a Windows machine, but access to TCP 445 (part of File & Print sharing) is blocked. Usually error 51 is caused by Windows firewall or another 3rd party firewall or anything that would be blocking File and Print Sharing.

Agent reported error - OS error [53] Network path not found: This error can occur because the unit is not a Windows PC. If the IP that is showing this error is a live Windows PC, then we can look at Windows Firewall, Defender or any anti-virus software that may be blocking the query. We would also want to confirm that File and Print Sharing is enabled on the Windows PC.

Agent reported error - OS error [5]: Access denied: This is often because the SSO agent service is not running under a domain admin account or does not have admin rights. (This can happen if the password was set to expire on the account that is running these services, and the password has expired.) To troubleshoot error 5 on the SSO agent, check the following:
1) Check the SSO agent service logon account. This must be a domain administrator, and it must have "password never expires" enabled and be excluded from any password policy.

2) Logon to the agent machine as the domain administrator account assigned to the SSO service and run a net view \\IP from command prompt of the machine you are trying to authenticate. If no error displays, then it means the SSO agent is resolving the name properly.

3) If the above two steps did not lead you to any resolution, check the target computer for software firewalls in the anti-virus programs. For example, Trend Micro has a software firewall that will cause this specific error rather than error 51.

SSO Agent and Ports:
• NetAPI ports = 445 and 139
• WMI ports = 1726 and 135
• SSO Agent default port = 2258
• TSA Agent default port = 2259

Let me know how it goes!
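A quick way to check, from the server hosting the agent, whether the NetAPI and WMI ports listed above are reachable on the workstations that show "Probing failed", error 51 or OS error 53 in the TSR. This is an added example, not code from the thread or from SonicWALL; the target addresses are constructed placeholders, and it uses TcpClient so it also runs on the PowerShell 2.0 that ships with Windows 2008 R2:

```powershell
# Added example (not from the original thread): test TCP reachability of the
# ports the SSO Agent needs on each workstation. A blocked port here is the
# usual root cause of the TSR errors discussed above (Windows Firewall,
# third-party firewall/AV, or the target simply not being a Windows host).
# ASSUMPTION: the target IPs are constructed placeholders; replace them with
# the addresses listed as failing in your own TSR.
$Targets = @('192.0.2.10', '192.0.2.11')
$Ports   = @{ 445 = 'SMB (NetAPI, File & Print Sharing)'
              139 = 'NetBIOS session (NetAPI)'
              135 = 'RPC endpoint mapper (WMI)' }

function Test-TcpPort {
    # Returns $true when a TCP connection to $Computer:$Port completes within
    # $TimeoutMs, $false on refusal or timeout. Works on PowerShell 2.0.
    param([string]$Computer, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($t in $Targets) {
    foreach ($p in ($Ports.Keys | Sort-Object)) {
        $open = Test-TcpPort -Computer $t -Port $p
        $verdict = if ($open) { 'open' } else { 'BLOCKED: check host firewall/AV, or not a Windows PC' }
        "{0,-16} TCP {1,-4} {2,-36} {3}" -f $t, $p, $Ports[$p], $verdict
    }
}
```

Hosts where 135/139/445 are blocked and that never need SSO (servers, printers, phones) belong in the SSO Bypass/Exclusions list rather than having those ports opened.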

Author

Commented:
Thank you very much