ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

WSS group based policy is not applying as expected for a user, whilst other users have no issue with the same site and policy rule

book

Article ID: 239266

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

Access to the web-resource <xyz> is conditioned on group membership.

Group membership authorization is done via Auth-connector.

When User A is accessing web-resource <xyz> from a Windows computer a policy denied message is received.

When User B is accessing web-resource <xyz> from a Windows computer the resource is loaded as expected.

User A and User B are both members of the group that is conditioning access to web-resource <xyz>.

Cause

After setting the Auth-connector log-levels to debug the following message was see for the user authorization requests:

2022/04/11 08:36:14.407 [4308] [8548:4308] Failed S4U s4uLogin for user: 'DOMAIN\USER'; status=1793:0x701:The user's account has expired.

Environment

Auth-connector and WSS Agent.

Windows 10 setup as Microsoft Managed Desktop.

Resolution

The end user checked with the customer helpdesk and found out that their Windows user account (which they used to login onto their Windows computer) had effectively expired.

After the account was re-enabled the authorization issue was resolved.