Web Security Service report displays unauthenticated users

Article ID: 168712

Products

Web Security Service - WSS

Issue/Introduction

  • Users are not authenticated through the Auth Connector.
  • Reports that are pulled from the portal show Unauthenticated users.

Inspecting the BCCA logs shows many entries similar to the following:

Ip address 0xb14720a not found in logon_map
Ip address 0xd14720a not found in logon_map
Ip address 0x6596a8c0 not found in logon_map
Ip address 0x460a150a not found in logon_map

NOTE: 0x460a150a is the reverse-byte-order hex encoding of the IP address 10.21.10.70.
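To cross-reference these log entries with the client IPs in a report, the hex values have to be decoded. The following is an added example (not part of the article or of the WSS product) that parses lines of the form shown above and converts the value, using the reversed byte order the NOTE describes; the sample log lines are constructed from the excerpt above, and values shorter than eight hex digits are assumed to have lost leading zeros when printed.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of BCCA log lines, modelled on the excerpt in the article.
SAMPLE_LOG = """\
Ip address 0xb14720a not found in logon_map
Ip address 0xd14720a not found in logon_map
Ip address 0x6596a8c0 not found in logon_map
Ip address 0x460a150a not found in logon_map
Ip address 0x460a150a not found in logon_map
"""

LOGON_MAP_MISS = re.compile(r"Ip address 0x([0-9a-fA-F]{1,8}) not found in logon_map")


def decode_reverse_hex_ip(hex_digits: str) -> str:
    """Turn the hex value from a BCCA logon_map message into dotted-quad form.

    The value is the IPv4 address with its bytes in reverse order
    (0x460a150a -> 10.21.10.70). Values with fewer than eight hex digits
    are assumed to have lost leading zeros (0xb14720a is 0x0b14720a).
    """
    padded = hex_digits.rjust(8, "0")
    reversed_bytes = bytes.fromhex(padded)
    return str(ipaddress.IPv4Address(reversed_bytes[::-1]))


def unauthenticated_ips(log_text: str) -> Counter:
    """Count logon_map misses per decoded client IP address."""
    misses = Counter()
    for line in log_text.splitlines():
        match = LOGON_MAP_MISS.search(line)
        if match:
            misses[decode_reverse_hex_ip(match.group(1))] += 1
    return misses


if __name__ == "__main__":
    # Most frequently missed addresses first; these are the hosts to trace in AD.
    for ip, count in unauthenticated_ips(SAMPLE_LOG).most_common():
        print(f"{ip:15} {count} logon_map misses")
```

Feed the real BCCA log text in place of SAMPLE_LOG; the resulting addresses can be matched against the client IP column of an Unauthenticated-verdict report.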

Cause

Users may appear as unauthenticated in reports because the Auth Connector is unable to communicate with the Authentication Data Pods, or because its query for the logon mapping between a computer's IP address and a user name in your Active Directory (AD) returns "not found". In other words, AD cannot map the IP address the Auth Connector is querying to a user name in your domain. Because the portal reporting function then has no user name to display, it shows the user as unauthenticated instead.

There are many reasons why Auth Connector is unable to authenticate the users:

  1. Trusted Root Certificate is not installed on the Auth Connector
  2. Auth Connector traffic is routing through WSS
  3. Source NAT is enabled
  4. Authentication data pods are not whitelisted on the firewall on port 443

A failure of the computer IP-to-username mapping in AD might also be an AD issue rather than an Auth Connector issue:

  1. Computer fails to log on to Active Directory domains.
  2. Computer logs on as Windows local cache profile.
  3. Computer is not updated with the security requirements of Microsoft Active Directory.
  4. Computer is not accepted by your AD because of some other security reason or a compatibility issue.

Resolution

  1. Verify that the trusted root certificate is installed on the Auth Connector. Refer to Auth Connector shows green, but all users are showing up as unauthenticated.
  2. Check if Auth Connector traffic is routing through WSS. Refer to Auth Connector cannot communicate with Web Security Service.
  3. Source NAT should be disabled. Refer to Auth Connector: Unauthenticated users with no WSSOAuthenticateRequest in BCCA debug log and Unauthenticated users in Cloud reports with IPSEC.
  4. Make sure that the authentication data pods are whitelisted on the firewall.

Check the following with your AD team. Because the IP-to-user mapping succeeds for the rest of the users, the issue is unlikely to be with the authentication service.

  1. Trace the IP address of the computer reported as unauthenticated; you can generate a report filtered by the Unauthenticated verdict and client IP.
  2. Investigate if this IP address is valid.
  3. Are the computers failing to log on to Active Directory domains?
  4. Are the computers logging on as a cached profile?
  5. Are the computers not updated with the security requirements of Microsoft Active Directory?
  6. Are the computers not accepted by your AD because of some other security reason or a compatibility issue?

NOTE: Some of these suggested investigations might require Microsoft Active Directory domain administrator privileges; consult with the respective vendors.