Cannot authenticate users with Windows SSO, BCAAA logs show "Cannot query domain controller <IP_address> status=5:0x5:Access is denied"

book

Article ID: 194792

calendar_today

Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS BCAAA

Issue/Introduction

While running Blue Coat Authentication and Authorization Agent (BCAAA) on Windows Server 2019 using Windows Single Sign On (SSO), the ProxySG or Advanced Secure Gateway (ASG) cannot authenticate users.

The BCAAA logs show the error message: "Cannot query domain controller <IP_address> status=5:0x5:Access is denied"

Cause

On Windows Server 2019,  the group "authenticated users" has been removed and the groups "administrators", "server operators" and "power users" have been added to the access-control-list for this API.

 

Prior to Windows Server 2019, members of the "authenticated users" group were allowed to call NetSessionEnum().  The "authenticated users" group is a special group managed by Windows; when an account authenticates, it becomes a member of the group automatically.  Because BCAAA uses its service account to authenticate to the domain, it became a member of "authenticated users" and was thus allowed to call NetSessionEnum().

Environment

ProxySG or ASG authenticating users using Windows SSO through BCAAA running on Windows Server 2019.

Resolution

There are two options to fix this problem

Make the BCAAA service account user part of the group "server operators".

OR

Add the BCAAA service account user to the access-control-list used for NetSessionEnum().

The second option is a little harder than it sounds.  The security descriptor (SD) used for access to NetSessionEnum() is stored in the registry as a binary value.  Since it is a binary value there is not an easy way to change it.  The attached PowerShell script adds the specified user to the discretionary access-control-list (DACL) in the SD used for NetSessionEnum(). The other complication with this option is that the script will need to be run on every domain controller and any new domain controllers.  After the script is run the service "server" will have to be restarted for the change to take effect.

 

The script must be run as an administrator with elevated privileges.  The elevated privileges are required to write the updated SD to the registry.  If the script is run with no parameters it will prompt for the domain and user.  The user will be added to the DACL.  The "user" could be a group in which case the group is allowed access to NetSessionEnum().  If a group is specified, the BCAAA service account user will need to be a member of the group.

 

A note about the "power users" group.  Even though "power users" is a well known SID, "power users" does not exist on a domain.  The group "power users" only exists on workstations and the group "server operators" only exists on servers.

 

The script attached to this article is provided with the caveat that it is a best-effort script and was working as of July 7th, 2020.

Attachments

1594333360528__allow_NetSessionEnum.ps1 get_app