Windows SSO realm authentication failed; the browser may receive the error message "The user could not be determined by the Single Sign-on agent."

Solutions ID:    KB3675
Version:    2.0
Status:    Published
Published date:    01/22/2010
Updated:    01/22/2010
 

Problem Description

In a Windows SSO realm, the BCAAA Windows server needs to query its DC for user logon information (username and IP address), so that the SSO realm can determine the username based on the IP address of the user.

One problem is that the BCAAA server cannot authenticate to the DC and therefore cannot query any user logon information from it. As a result, BCAAA cannot determine the username and the Windows SSO realm fails.

In a packet capture on the BCAAA server, Windows tries to log in to the DC with a null user name, shown as "\":

tcp port 445    protocol: SMB    Session Setup AndX Request, NTLMSSP_AUTH, User: \

So the DC returns access denied:

TCP port 445    Protocol:  SMB     NT Create AndX Response, FID: 0x0000, Error: STATUS_ACCESS_DENIED

The BCAAA log shows the error message:

"Cannot query domain controller 10.10.10.10; status=5:0x5:Access is denied."

One of the main reasons is that BCAAA has not been set up correctly: instead of a designated domain username and password, the service was set to "Local system account".

 

Resolution

On the BCAAA Windows server, open Services, then the BCAAA service properties, Log On tab. Select "This account", use the "Browse" button to find the designated domain user, click OK, type in the password, click Apply to save it, then OK to finish. Then restart the BCAAA service. The BCAAA user must have permission to query the DC for user logon information.

Take a packet capture on the BCAAA server, filtered on the BCAAA IP address and the SMB protocol (for example, in Wireshark, "ip.addr==10.10.10.10 and smb"), to ensure that BCAAA is able to log in with the designated username:

TCP port:445    SMB    Session Setup AndX Request, NTLMSSP_AUTH, User: domain name\username

If the login is successful, BCAAA will query the DC as:

TCP port 445  SMB    NetSessEnum request

And the DC will reply as:

TCP port 445  SMB    NetSessEnum response

Also, ensure the BCAAA user has full access rights to the installation folder ..\Program Files\Blue Coat Systems\BCAAA; otherwise BCAAA cannot start properly.

Check ..\BCAAA\dcq_primary_full.sso with any hex editor to verify the usernames in it.
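The same resolution steps carried out from a PowerShell session, added here as an example that is not part of the Blue Coat article. It assumes the service is registered under the name "BCAAA", that the installation folder is the default path shown, and that the domain account name is a placeholder to be replaced with the real designated user.

```powershell
# Added example (not from the Blue Coat article): switch the BCAAA service from
# "Local system account" to a designated domain account, give that account full
# control of the install folder, restart the service and verify the result.
# Assumptions: service name "BCAAA", default install path, placeholder account.
$ServiceName = 'BCAAA'
$InstallDir  = 'C:\Program Files\Blue Coat Systems\BCAAA'
$Account     = 'EXAMPLEDOMAIN\bcaaa-svc'      # placeholder, replace with the real user
$Secure      = Read-Host -AsSecureString "Password for $Account"

# Win32_Service.Change needs the password in clear text; keep it in memory only.
$Bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

# 1. Set the Log On account (same as "This account" in services.msc).
#    Caveat: unlike the MMC dialog, this method does not grant the account the
#    "Log on as a service" right; assign that right in Local Security Policy first.
$Svc    = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$Result = Invoke-CimMethod -InputObject $Svc -MethodName Change `
            -Arguments @{ StartName = $Account; StartPassword = $Plain }
$Plain  = $null
if ($Result.ReturnValue -ne 0) {
    throw "Win32_Service.Change failed with return code $($Result.ReturnValue)"
}

# 2. Give the account full access to the install folder (BCAAA will not start otherwise).
$Acl  = Get-Acl -Path $InstallDir
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Account, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($Rule)
Set-Acl -Path $InstallDir -AclObject $Acl

# 3. Restart the service so the new credentials are used for the DC queries.
Restart-Service -Name $ServiceName
Start-Sleep -Seconds 5

# 4. Verify: the service should now run under the domain account, not LocalSystem.
$Svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
"{0}: state={1} logon={2}" -f $Svc.Name, $Svc.State, $Svc.StartName
if ($Svc.StartName -ne $Account) { throw "Service still runs as $($Svc.StartName)" }

# 5. Same check as opening dcq_primary_full.sso in a hex editor: dump the first
#    bytes and confirm that real user names appear once the DC queries succeed.
$Sso = Join-Path $InstallDir 'dcq_primary_full.sso'
if (Test-Path $Sso) { Format-Hex -Path $Sso | Select-Object -First 16 }
```

Confirm the change with the SMB packet capture described above: the Session Setup AndX Request should now carry the domain user instead of a null "\" user, followed by a NetSessEnum request and response rather than STATUS_ACCESS_DENIED.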

 

