
Troubleshooting steps for failed authentication health checks


Article ID: 175348


Products

ProxySG Software - SGOS

Issue/Introduction

Health checks for the authentication realms are showing "Check Failed" or "Health check has failed".

Depending on where you are in the GUI, you will see:

Health check has failed

or

Check failed

In the eventlog you may see errors similar to:

2019-07-05 15:50:14+01:00BST  "Schannel (reralm_name): Resetting Schannel due to error: 0xC0000001(-1073741823), DC: WIN-pc.example.com"  0 250042:1  lw_schannel.cpp:829
2019-07-05 15:50:14+01:00BST  "Authentication failed with 9502 (0x0000251E) (symbol: 'A bad packet was received from a DNS server. Potentially the requested address does not exist.'): user 'user' (domain DomainName) - user considered 'unknown'"  0 250017:96  lw_schannel.cpp:609

Note: Having many failed authentication connections can also lead to reaching Maximum concurrent connections as well as other ProxySG bottlenecks.

Environment

IWA Direct set up with Kerberos and/or NTLM

This article will also help with BCAAA authentication realms

Cause

Typically these errors are due to connectivity issues (a firewall blocking traffic or the DC being unreachable) or to logical errors such as DNS issues or ProxySG configuration issues.

It's important to note that authentication health checks assess the realm's health using data maintained by the realm during active use.

Authentication health checks do not probe the authentication server with an authentication request.  

See Article ID: 165920 for more details.

As such, running pcaps while performing an authentication health check will not help diagnose the issue.

 

 

 

Resolution

Things to check include:

  1. Check the configuration of the realm. This is especially important if this is the first time the realm has been configured.
  2. Confirm the ProxySG has access to the network where the authentication servers reside.
  3. Check for errors in the eventlog.
  4. Go to "Configuration -> IWA -> IWA servers", select the realm in question from the drop-down list, then click on "Test Configuration". If this returns an error, run the same test again while running a pcap on the ProxySG. Ensure the user you are testing with actually exists in the realm and is active.
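
For step 3, the following added example (not Broadcom tooling and not part of the original article) parses eventlog lines of the two shapes quoted above, checks that each error code's hex and decimal forms agree, and groups events by likely cause. The triage hints, field names and function names are assumptions chosen for illustration; the trailing numeric fields are kept opaque because the article does not describe them.

```python
import re
from collections import Counter

# Sample input: the two eventlog lines quoted in this article.
SAMPLE = """2019-07-05 15:50:14+01:00BST  "Schannel (reralm_name): Resetting Schannel due to error: 0xC0000001(-1073741823), DC: WIN-pc.example.com"  0 250042:1  lw_schannel.cpp:829
2019-07-05 15:50:14+01:00BST  "Authentication failed with 9502 (0x0000251E) (symbol: 'A bad packet was received from a DNS server. Potentially the requested address does not exist.'): user 'user' (domain DomainName) - user considered 'unknown'"  0 250017:96  lw_schannel.cpp:609
"""

# Outer shape: timestamp, quoted message, opaque trailing fields, source file:line.
LINE = re.compile(r'^(?P<ts>\S+ \S+)\s+"(?P<msg>.*)"\s+(?P<rest>.+?)\s+(?P<src>\S+:\d+)\s*$')
RESET = re.compile(r"Schannel \((?P<realm>[^)]*)\): Resetting Schannel due to error: "
                   r"(?P<status>0x[0-9A-Fa-f]+)\((?P<signed>-?\d+)\), DC: (?P<dc>\S+)")
AUTH = re.compile(r"Authentication failed with (?P<code>\d+) \((?P<hex>0x[0-9A-Fa-f]+)\) "
                  r"\(symbol: '(?P<symbol>.*?)'\): user '(?P<user>[^']*)' \(domain (?P<domain>[^)]*)\)")

def to_signed32(value):
    """Reinterpret an unsigned 32-bit status code as the signed form the log prints."""
    return value - (1 << 32) if value & 0x80000000 else value

def parse_events(text):
    """Return one dict per recognised line; lines of any other shape are skipped."""
    events = []
    for line in text.splitlines():
        outer = LINE.match(line)
        if not outer:
            continue
        base = {"ts": outer["ts"], "src": outer["src"]}
        if m := RESET.search(outer["msg"]):
            status = int(m["status"], 16)
            events.append({**base, "kind": "schannel_reset", "realm": m["realm"],
                           "dc": m["dc"], "status": status,
                           "consistent": to_signed32(status) == int(m["signed"]),
                           # Assumed hint, mapped to the causes this article lists.
                           "hint": "connectivity: confirm the ProxySG can reach " + m["dc"]})
        elif m := AUTH.search(outer["msg"]):
            dns = "DNS" in m["symbol"]
            events.append({**base, "kind": "auth_failed", "code": int(m["code"]),
                           "symbol": m["symbol"], "user": m["user"], "domain": m["domain"],
                           "consistent": int(m["code"]) == int(m["hex"], 16),
                           "hint": ("dns: check name resolution on the ProxySG" if dns
                                    else "config: review the realm configuration")})
    return events

def summarize(events):
    """Count events per (kind, cause) so the dominant failure mode stands out."""
    return Counter((e["kind"], e["hint"].split(":")[0]) for e in events)

if __name__ == "__main__":
    parsed = parse_events(SAMPLE)
    for e in parsed:
        print(e["ts"], e["kind"], "->", e["hint"])
    print(dict(summarize(parsed)))
```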