David TSAC
Sonicwall SSO issues

Hello Experts,

I have had issues for about a month now and I am grasping at straws here. I have about 200 users and about 10 of them every morning have the firewall blocking them from getting to any websites (different users sometimes, but mostly the same few running different versions of Windows: 7, 8.1, and 10). I go in and check the user status and I find them in the "Unauthenticated users" section with this error: Agent returned no user name.
I can do a test via DC logs and NetAPI/WMI and it always comes back fine. After about 2 hours the user will "magically" pop into the firewall via SSO and be able to browse once again.

Now for the things I have done: Updated both agents. Created a new agent on a new server (I have 2 agents). Ran tests to verify DC logs, NetAPI, and WMI were all working when testing against the IP address of the machine. Turned local firewall rules on our domain network OFF via GPO.

Sonicwall support has been ZERO help. We have called them at least 5-6 times. Any help is appreciated.
J Spoor

Are you using SSO agent 3.x or 4.x?
Please make sure you are running the latest 4.x version. Also inside the agent is an option somewhere to preserve the users during a reboot.
It also sounds like your machines might be generating some traffic before an actual user is logged in.
You might want to identify this traffic and exclude it from SSO to prevent these "No User found" errors.

These affected users, are they "roaming" users? As in, are they moving a lot from wired to wireless connection?
David TSAC

ASKER

SonicWall Directory Connector version 3.7.30 - first one
Version 4.0.29 - second agent
Preserve users during restart is enabled on both.
They are not changing network connections, at least 90% are not. They are mostly kept at their desks.

What user are you using as a service user (service log on as)?

In some cases the agent uses WMI instead of NetAPI; WMI is a pain when the user does not have local admin privileges (local as in the machine it is polling).

I also suggest you try without the 3.x agent and just use the 4.x agent, to see which of the agents is causing the issue.

On the firewall, in the SSO settings do you have "Probe users for" enabled?

Usually "no user" can mean a few things:
1) issues with the DC logs
2) the laptop doesn't have a logged-in user when being polled, due to the laptop generating traffic before a user is logged in.
Especially the 3.x agent can have some issues when it's dealing with too many NetAPI / WMI queries simultaneously, especially when it's trying to probe non-Windows machines...

Not sure how much equipment and how many non-Windows users you have, but it's best to try to exclude these from the SSO process.
Service logon is Domain\SonicwallSSO
We use DC logs, NetAPI and WMI, in that order, to authenticate them.
I will try the newer agent when we all come back from break, on Jan 2nd 2018.
We do not have any non-Windows machines. We have about 250 computers, mostly desktops.

Thank you for your help. I will update you when we test the newer agent.
What privileges does SonicwallSSO user have?

Please follow this document
https://www.sonicwall.com/en-us/support/knowledge-base/171004124849942

to set the correct privileges on each DC, and use a GPO to make the SonicwallSSO user a member of the built-in Administrators group on the end-user workstations.

Using a non-admin account is tricky...
Also make sure that both SSO agents point to ALL domain controllers you have, as domain controllers do not synchronize their security logs.
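As an added illustration (not from this thread and not SonicWall's own tooling), a PowerShell check for two of the preconditions above: the complete DC list that each agent must be pointed at, and whether the service account is a local administrator on a few affected workstations. It assumes the RSAT ActiveDirectory module on the machine running it, WinRM access to the workstations, and the placeholder names $ServiceAccount and $Workstations.

```powershell
# Added example, not part of the original thread. Placeholder values: adjust to your domain.
param(
    [string]$ServiceAccount = 'DOMAIN\SonicwallSSO',  # the agent's "log on as" account (placeholder)
    [string[]]$Workstations = @('WS01', 'WS02')       # a few hosts that showed "no user name" (placeholder)
)

Import-Module ActiveDirectory  # RSAT; needed for Get-ADDomainController

# 1. Every DC must appear in BOTH agents' DC lists: DCs do not replicate their
#    Security logs, so a logon recorded only on an unlisted DC is never seen by
#    the agent and the user stays "unauthenticated".
$dcs = (Get-ADDomainController -Filter *).HostName
Write-Host "Domain controllers to confirm in each agent's configuration:"
$dcs | ForEach-Object { Write-Host "  $_" }

# 2. The service account should be in the local Administrators group on the
#    workstations, otherwise NetAPI/WMI probes are refused.
$results = foreach ($ws in $Workstations) {
    try {
        $members = Invoke-Command -ComputerName $ws -ErrorAction Stop -ScriptBlock {
            if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
                (Get-LocalGroupMember -Group 'Administrators').Name   # Windows 10 / PS 5.1
            } else {
                # Windows 7 / 8.1 lack the LocalAccounts module: fall back to net.exe output
                net localgroup Administrators |
                    Where-Object { $_ -and $_ -notmatch '^(Alias|Comment|Members|-+|The command)' }
            }
        }
        [pscustomobject]@{
            Computer     = $ws
            Reachable    = $true
            IsLocalAdmin = [bool]($members -contains $ServiceAccount)   # case-insensitive compare
        }
    } catch {
        [pscustomobject]@{ Computer = $ws; Reachable = $false; IsLocalAdmin = $null }
    }
}

$results | Format-Table -AutoSize
```

A host reported as Reachable but not IsLocalAdmin is one where the GPO membership change has not applied; compare the printed DC list against both agents' settings line by line.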
Sonicwall SSO user is a service account. The only rights it has are what a standard service account would have. We are also seeing some of the people return errors saying "OS error 11: bad format". They point to all the domain controllers. If it were a permissions issue it would not be a hit-or-miss issue.
Also this is happening at our other location, which has its own internet circuit and firewall.  They are connected to us via VPN.
Currently I am testing the newest Agent on our 2016 Server.  I have disabled the Agent on the 2008 r2 box.
ASKER CERTIFIED SOLUTION
David TSAC