Users accessing the internet via Cloud SWG using WSS Agent hosts successfully.

Users authenticate to Cloud SWG service via SAML Identity Provider.

Users report seeing hundreds of "Whoami request failed" messages within the Agent logs.

The message appears cosmetic as no users seem to be impacted negatively.

PAC files pushed to WSS Agent users to send traffic into ep.threatpulse.net:80.

WSS Agent with SAML-based authentication.

WSS Agent hosts cannot communicate with client-id.wss.symantec.com.

Make sure that client-id.wss.symantec.com is resolvable locally, and that traffic to this destination is sent into WSS Agent tunnel.

In our case, the PAC file was changed so that requests for this domain went into WSS Agent tunnel.

The WSSA log message: 

"whoami request failed"

...is a cosmetic issue.

There is no functionality associated with it.

It is a visual (cosmetic) issue only and states that the user displayed in the WSSA status panel may not match the user in the WSS service.

This is only an issue if a customer is using SAML.  If they are NOT using SAML, then the user in the WSS service will ALWAYS match the user on the WSSA client.

The URL that WSSA uses for the whoami check is:  https://client-id.wss.symantec.com

To avoid this message, make sure that the CTC IP is going DIRECT...(and NOT through a local proxy): 

ctc.threatpulse.com
130.211.30.2

WSS Agent Status panel (tray icon) message: "whoami request failed"

• It is a warning, NOT an error
• Functionality is NOT impacted
• Is a cosmetic issue (can be ignored)

Example: if you are using SAML, the WSS service will identify the user as a SAML user (good), but the username format in the WSSA client will still display the local username in the WSSA client console.