AuthConnector not querying Domain Controllers

Article ID: 230728


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users are not authenticated.

No "dcq_primary*.sso" files, which hold the enumerated logon information for AD users, are created in the Auth Connector directory under "c:\program files (x86)\Symantec\bcca".

Auth Connector is set to query Domain Controllers, as per the sso.ini file:

;
; This file is used to configure Windows Single-Sign-On (SSO) support. 

[DCQSetup]
; Domain Controller Querying must be enabled through this setting. 
; Disabled by default
DCQEnabled=1

However, there is no traffic between AuthConnector and the Domain Controllers: it does not detect any domain controllers and consequently does not build the logon map table (the *.sso files).

Cause

The AuthConnector debug log is missing the entries related to DCQ. A correct log should begin with lines like these:

2021/09/09 10:01:11.453 [26292] sso.ini loaded 0
2021/09/09 10:01:11.453 [26292] Add_thread_group() current thread group count: 1
2021/09/09 10:01:11.453 [26292] Max SSO Threads 128
2021/09/09 10:01:11.453 [26292] Attempting to ignore NetShowServices (NetShowServices)
2021/09/09 10:01:11.453 [26292] Found username_type 3 
2021/09/09 10:01:11.453 [26292] Username only
2021/09/09 10:01:11.453 [26292] Add_ignored_user 0
2021/09/09 10:01:11.453 [26292] process_allowable_sync_addresses
2021/09/09 10:01:11.453 [26292] finish process_allowable_sync_addresses
2021/09/09 10:01:11.453 [26292] Process sync config 0x0
2021/09/09 10:01:11.453 [26292] dcq enabled
2021/09/09 10:01:11.453 [26292] Add_thread_group() current thread group count: 2
2021/09/09 10:01:11.453 [26292] Starting dcq admin
2021/09/09 10:01:11.453 [26292] process_active_domain_controllers started
2021/09/09 10:01:11.453 [26292] Adding ip prefix 0.0.0.0/0
2021/09/09 10:01:11.453 [26292] Get_ip: converting to ipv4
2021/09/09 10:01:11.453 [26292] convert_host_to_ipv4: getaddrinfo
2021/09/09 10:01:11.453 [26292] IPv4 0x0
2021/09/09 10:01:11.453 [26292] Added ip prefix 0.0.0.0/0
2021/09/09 10:01:11.453 [26292] finish process_active_domain_controllers
2021/09/09 10:01:11.453 [26292] Could not open file dcq_primary_full.sso 3
2021/09/09 10:01:11.453 [26292] Could not open file dcq_temp_full.sso 3
2021/09/09 10:01:11.453 [26292] Could not open file dcq_primary_inc.sso 3
2021/09/09 10:01:11.453 [26292] Could not open file dcq_temp_inc.sso 3
2021/09/09 10:01:11.453 [26292] Incremental persistence file: dcq_primary_inc.sso
2021/09/09 10:01:11.453 [26292] Added thread to group: 13c9928
2021/09/09 10:01:11.453 [26292] Started thread 18652 in group 13c9928
2021/09/09 10:01:11.453 [26292] Load logon data 0
2021/09/09 10:01:11.453 [26292] Login valid ttl seconds 4294967295l
2021/09/09 10:01:11.453 [26292] Create the discover thread
2021/09/09 10:01:11.453 [26292] Added thread to group: 13c9928
2021/09/09 10:01:11.453 [26292] Started thread 5660 in group 13c9928
2021/09/09 10:01:11.453 [26292] Sync server not enabled
2021/09/09 10:01:11.453 [5660] DCQ_administrator::Discover_domain_controllers
2021/09/09 10:01:11.453 [5660] Windows_domain_manager::Discover_domains
2021/09/09 10:01:11.453 [5660] Determine our domain
2021/09/09 10:01:11.453 [26292] saml.ini loaded 0

The debug log for this particular issue shows the following entries; the parts related to the DCQuery process are missing:

2021/12/14 18:41:43.617 [4180] sso.ini loaded 0
2021/12/14 18:41:43.617 [4180] Add_thread_group() current thread group count: 1
2021/12/14 18:41:43.617 [4180] Max SSO Threads 128
2021/12/14 18:41:43.617 [4180] Attempting to ignore NetShowServices (NetShowServices)
2021/12/14 18:41:43.617 [4180] Found username_type 3 
2021/12/14 18:41:43.617 [4180] Username only
2021/12/14 18:41:43.617 [4180] Add_ignored_user 0
2021/12/14 18:41:43.617 [4180] process_allowable_sync_addresses
2021/12/14 18:41:43.617 [4180] finish process_allowable_sync_addresses
2021/12/14 18:41:43.617 [4180] Process sync config 0x0
2021/12/14 18:41:43.617 [4180] Sync server not enabled
2021/12/14 18:41:43.617 [4180] saml.ini loaded 0

The reason is an additional [DCQSetup] section that the administrator added manually further down in the sso.ini file, so the file looked like this (showing only the first and last lines):

;
; This file is used to configure Windows Single-Sign-On (SSO) support. 

[DCQSetup]
; Domain Controller Querying must be enabled through this setting. 
; Disabled by default
DCQEnabled=1

... < removed part of the file >

; A user can also be listed by name and domain.  This means
; it will only be ignored in the given domain.
; domain\ignoreuser
; [email protected]

[DCQSetup]
;DCQDebug = 1

This second [DCQSetup] section is incorrect: it overwrites the initial DCQSetup configuration, and because it does not set DCQEnabled, Domain Controller Querying ends up disabled.

Resolution

To fix the problem, ensure that the section names (in square brackets) are unique:

  1. Stop the Symantec Auth Connector service
  2. Remove the additional [DCQSetup] line and its content from the sso.ini file
  3. Save the file
  4. Restart the Symantec Auth Connector service
  5. Auth Connector will then start querying Domain Controllers
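As an added illustration (not Broadcom's code and not the real AuthConnector parser), the following Python models the last-section-wins behaviour described in the Cause section on a constructed copy of the broken sso.ini, reports the duplicated section name, and applies the resolution of dropping the repeated [DCQSetup] section so that DCQEnabled=1 takes effect again. The exact parsing rule is assumed from this article's description.

```python
import re

# Constructed sample mirroring this article's broken sso.ini: [DCQSetup]
# appears twice and the second copy does not set DCQEnabled.
BROKEN_SSO_INI = """\
; This file is used to configure Windows Single-Sign-On (SSO) support.
[DCQSetup]
DCQEnabled=1
[IgnoredUsers]
NetShowServices
[DCQSetup]
;DCQDebug = 1
"""
SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_last_section_wins(text):
    """Model AuthConnector as described here: a repeated section header
    discards the earlier copy's keys. Returns (sections, duplicate names)."""
    sections, duplicates, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            if current in sections:
                duplicates.append(current)
            sections[current] = {}  # later copy replaces the earlier one
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections, duplicates


def dcq_effectively_enabled(text):
    """True only if the surviving [DCQSetup] section has DCQEnabled=1."""
    return parse_last_section_wins(text)[0].get("DCQSetup", {}).get("DCQEnabled") == "1"


def drop_repeated_sections(text):
    """The article's resolution: remove each repeated section header and its body."""
    kept, seen, skipping = [], set(), False
    for raw in text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if m:
            skipping = m.group(1) in seen
            seen.add(m.group(1))
        if not skipping:
            kept.append(raw)
    return "\n".join(kept) + "\n"
```

Running the checker over the real sso.ini before restarting the service shows whether any section name repeats and what the effective DCQEnabled value is.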

To debug Auth Connector, the "DCQDebug=1" line needs to be added to the existing [DCQSetup] section, as described in the KB article How to gather Cloud Auth Connector debug logs for Web Security Service.
Alternatively, SymDiag can be used to debug Auth Connector; it does not require manual modification of the .ini files or manual service restarts (Debugging AuthConnector with SymDiag).