Sonicwall SSO issues

Hello Experts,  

I have had issues for about a month now and I am grasping at straws here. I have about 200 users and about 10 of them every morning have the firewall blocking them from getting to any websites (different users sometimes, but mostly the same few, running different versions of Windows: 7, 8.1, and 10). I go in and check the user status and I find them in the "Unauthenticated users" section and have this error: Agent returned no user name
I can do a test via DC logs and Netapi/WMI and it always comes back fine.  After about 2 hours the user will "magically" pop into the firewall via SSO and be able to browse once again.

Now for the things I have done: Updated both agents. Created a new agent on a new server. (I have 2 agents.) Ran tests to verify DC logs, NetAPI, and WMI were all working when testing against the IP address of the machine. Turned local firewall rules on our domain network OFF via GPO.

Sonicwall support has been ZERO help.  We have called them at least 5-6 times. Any help is appreciated.
David TSAC Asked:

J Spoor (TME / Network Security Evangelist) Commented:
Are you using SSO agent 3.x or 4.x?
Please make sure you are running the latest 4.x version. Also, inside the agent is an option somewhere to preserve the users during a reboot.
It also sounds like your machines might be generating some traffic before an actual user is logged in.
You might want to identify this traffic and exclude it from SSO to prevent these No User found.

These affected users, are they "roaming" users? As in, are they moving a lot from wired to wireless connections?
David TSAC (Author) Commented:
SonicWall Directory Connector version 3.7.30   - first one
Version 4.0.29 - second agent
Preserve users during restart is enabled on both.
They are not changing network connections, at least 90% are not.  They are mostly kept at their desks.
J Spoor (TME / Network Security Evangelist) Commented:
What user are you using as a service user (service log on as)?

In some cases the agent uses WMI instead of NetAPI, WMI is a pain when the user does not have local admin privileges (local as in the machine it is polling).

I also suggest you try without the 3.x agent and just use the 4.x agent, to see which of the agents is causing the issue.

On the firewall, in the SSO settings do you have "Probe users for" enabled?

Usually no user can mean a few things:
1) issues with the DC logs
2) the laptop doesn't have a logged-in user when being polled, this is due to the laptop generating traffic before a user is logged in.

J Spoor (TME / Network Security Evangelist) Commented:
Especially the 3.x agent can have some issues when it's dealing with too many NetAPI / WMI queries simultaneously, especially when it's trying to probe non-Windows machines...

Not sure how much equipment and non-Windows users you have, but it's best to try to exclude these from the SSO process.
David TSAC (Author) Commented:
Service logon is Domain\SonicwallSSO
We use DC logs, NetAPI and WMI in that order to authenticate them.
I will try the newer agent when we all come back from break, on Jan 2nd 2018.
We do not have any non-Windows machines. We have about 250 computers, mostly desktops.

Thank you for your help. I will update you when we test the newer agent.
J Spoor (TME / Network Security Evangelist) Commented:
What privileges does SonicwallSSO user have?

Please follow this document 

to set the correct privileges on each DC, and use a GPO to make the SonicwallSSO user a member of the built-in admin account on the end user workstations.

Using a non-admin account is tricky...
J Spoor (TME / Network Security Evangelist) Commented:
Also make sure that both SSO agents point to ALL Domain Controllers you have, as domain controllers do not synchronize their security logs.
David TSAC (Author) Commented:
Sonicwall SSO user is a service account. The only rights it has are what a standard service account would have. We are also seeing some of the people return errors saying, OS error 11: bad format. They point to all the domain controllers. If it were a permissions issue it would not be a hit or miss issue.
David TSAC (Author) Commented:
Also this is happening at our other location, which has its own internet circuit and firewall. They are connected to us via VPN.
David TSAC (Author) Commented:
Currently I am testing the newest Agent on our 2016 Server. I have disabled the Agent on the 2008 R2 box.
David TSAC (Author) Commented:
Found the solution: We were actually experiencing two issues. The first issue was the local Windows firewall. Even though it is set to OFF via GPO, the file and printer sharing + WMI inbound rules for the domain network were still interfering with some users. This caused the "Agent did not return user" error.
Secondly, the DC logs were stale and since our DHCP addresses expire in 7 days, over the holiday break a lot of people ended up with the wrong usernames associated with their IP addresses. I had to turn off DC logs on both agents and am now running WMI. I believe this fixed all of our issues but only time will tell.
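
The second issue in the solution above (logon records outliving the DHCP lease they were recorded under) can be checked for by cross-referencing logon events with lease grants. This is an added example, not part of the original thread and not SonicWall code; the record layouts, sample data and the `stale_mappings` helper are constructed for illustration, and only the 7-day lease time comes from the post.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data. Logon events as collected from DC security logs: (time, ip, user)
LOGONS = [
    ("2017-12-22 08:01", "10.0.0.21", "alice"),
    ("2017-12-22 08:05", "10.0.0.22", "bob"),
    ("2018-01-02 07:58", "10.0.0.23", "carol"),
]
# Constructed DHCP lease grants: (time, ip, hostname)
LEASES = [
    ("2017-12-20 09:00", "10.0.0.21", "PC-ALICE"),
    ("2017-12-20 09:00", "10.0.0.22", "PC-BOB"),
    ("2018-01-02 07:50", "10.0.0.21", "PC-BOB"),    # address handed to another host after the break
    ("2018-01-02 07:55", "10.0.0.23", "PC-CAROL"),
]

def parse(ts):
    return datetime.strptime(ts, FMT)

def holder_at(leases, ip, when):
    """Hostname holding `ip` at `when`: the latest lease granted at or before that time."""
    held = [(parse(t), host) for t, lip, host in leases if lip == ip and parse(t) <= when]
    return max(held)[1] if held else None

def stale_mappings(logons, leases, now, lease_ttl=timedelta(days=7)):
    """Return {ip: (user, reason)} for IP-to-user mappings that should not be trusted."""
    latest = {}
    for t, ip, user in logons:
        when = parse(t)
        if ip not in latest or when > latest[ip][0]:
            latest[ip] = (when, user)          # keep only the newest logon per IP
    findings = {}
    for ip, (when, user) in latest.items():
        before = holder_at(leases, ip, when)   # host that had the IP at logon time
        current = holder_at(leases, ip, now)   # host that has the IP now
        if current != before:
            findings[ip] = (user, "reassigned")        # IP moved to a different machine
        elif now - when > lease_ttl:
            findings[ip] = (user, "older-than-lease")  # logon predates a full lease period
    return findings

if __name__ == "__main__":
    for ip, (user, why) in stale_mappings(LOGONS, LEASES, parse("2018-01-02 08:30")).items():
        print(f"{ip}: do not trust '{user}' ({why})")
```
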
