How to gather debug logs for Auth Connector (BCCA)

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

In Cloud SWG (formerly known as WSS), the Auth Connector (BCCA) debug logs are required to troubleshoot specific situations. An example would be "Unauthenticated User" shown in reports.

The Auth Connector logs are a record of the authentication activity. This information is valuable for finding the root cause of a problem that is related to authentication or connectivity between the BCCA and the Cloud SWG service, or the ACLogon not connecting.

These logs are important for the detailed insight they contain on the inner workings of BCCA.

Resolution

1. STOP the BCCA service.

In the directory: C:\Program Files\Blue Coat Systems\BCCA

...(where the "bcca.exe" file resides)...

2. DELETE logs named:

(You might not have some of these)

bcca-xxxx.log

debug_dcq_primary_full.sso

debug_dcq_primary_inc.sso

dcq_primary_full.sso

dcq_primary_inc.sso

3. Enable DEBUG logging for both BCCA and SSO:

Edit the BCCA.ini file and add or enable the following lines:

[Debug]

DebugLevel=0xFFFFFFFF

It will look like this in the log file.

Edit the SSO.ini file and add or enable the following line:

3.1 For DCQ:

[DCQSetup]

DCQDebug=1

It will look like this in the log file.

3.2 For ACLogon:

[CLSetup]
CLDebug=1

It will look like this in the log file.

4. RESTART the BCCA service.

5. Let service run for 20 minutes...then STOP the BCCA service.

NOTE: During this 20-minute time, do the following:

With a SPECIFIC USER, map a drive to the AD server running the AuthConnector.
At minute 5, hit a blocked page and click "More" (to see if the user is "Unauthenticated").

At minute 20, hit a blocked page (with the SAME USER). Is the user authenticated now?

Be sure to record the USERNAME and IP address of the workstation here (send this info to Support).

6. Collect the following logs, and send to Support:

bcca-xxxx.log

debug_dcq_primary_full.sso

debug_dcq_primary_inc.sso

bcca.ini

sso.ini

...but NOT these logs (don't collect the following; these are binary logs):

dcq_primary_full.sso

dcq_primary_inc.sso

7. Disable the debug settings above, and restart BCCA.

Live debugging guide:

Stop the BCCA Service, named Symantec WSS Client Authenticator.
Edit the bcca.ini file, and edit it as follows:
- Before: 'LogEventMask=1'
- After: 'LogEventMask=3'
  - This will make it so authentication events, and debug events are logged into the server's event viewer.
Start the service again.
- This will start logging of most, but not all, the errors you see on a common debug log.
After troubleshooting is over, revert the changes, otherwise you risk consuming disk space on now-useless logs.

Now that we have enabled the live debug, we can go to the event viewer to check for useful events.

Under Windows Logs > Security, we may find logon events such as the one displayed here. The subject is our BCCA user name (such as CONTOSO\srv.bluecoat). And the new logon is our user authenticating (such as CONTOSO\pam.receptionist).

You may choose to search for a particular user name and see if the logon was captured under the service's user name. Searching for CONTOSO\ladmin would yield us a record very similar to this one.

Events such as these will be visible at Windows logs > Application, you can use the event viewer to diagnose them as you go.

These logs are no substitute for the real debug logs. They are helpful if you are working on a WebEx or have limited time to work on a server.