BCAAA SSO - "Unrecognised error reported to authentication agent." with DCQEnabled and query all domain controllers set to "0.0.0.0/0"

Article ID: 269298

Updated On:

Products

ProxySG Software - SGOS ISG Proxy

Issue/Introduction

Blue Coat Authentication and Authorization Agent (BCAAA) is configured to carry out Windows single sign-on (SSO).

The SWG stops authenticating users and the SGOS event log shows:

  • 20XY-06-27 09:50:12+02:00CEST  "Unrecognised error reported to authentication agent."


Environment

BCAAA is used by Windows SSO realms to supply mappings of IP addresses to logged-on users.

The Windows SSO realm can use Domain Controller Querying, Client Querying, or both to determine the logged-on user. When both Domain Controller Querying and Client Querying are used, a valid Domain Controller Query logon is used if one is found and the client is not queried.

The BCAAA Windows server configuration file "sso.ini" in "C:\Program Files\Blue Coat Systems\BCAAA" has domain controller querying enabled:

  • [DCQSetup]
    ; Disabled by default
    DCQEnabled=1

"Domain Controller Querying works by discovering the domains in a forest and then discovering the domain controllers for those domains.  Each discovered domain controller is then queried approximately every ten seconds in order to capture the set of users who have authenticated with that domain controller. In a large forest this may mean that BCAAA will query domain controllers that are not of interest for the connected ProxySG devices."

BCAAA queries every domain controller for user logon and logoff events every ten seconds, so that it holds an up-to-date authentication status (IP address to logged-on user mappings) for the users the SWG is about to authenticate.

Cause

The "Query all domain controllers" entry of the "sso.ini" configuration file may be left at its default "0.0.0.0/0" IP range:

  • [DCQDomainControllers]
    ; Query all domain controllers
    0.0.0.0/0

Because of this, to keep its local "dcq_primary_inc.sso" list of logged-on Windows domain users up to date, BCAAA tries every 10 seconds to reach and query every possible domain controller present in the network. Log example:

  • 20xy/12/16 13:35:42.785 [3156] Incremental persistence file: dcq_temp_inc.sso
    20xy/12/16 13:35:42.785 [3148] DCQ_administrator::Discover_domain_controllers
    20xy/12/16 13:35:42.785 [3148] Windows_domain_manager::Discover_domains
    20xy/12/16 13:35:42.785 [3148] Found domain CORP
    20xy/12/16 13:35:42.785 [3148] DNS domain name is corp.rainpole.io
    20xy/12/16 13:35:42.785 [3148] Found domain BHH
    20xy/12/16 13:35:42.785 [3148] DNS domain name is bhh.corp.rainpole.io
    20xy/12/16 13:35:42.785 [3148] Found domain CCC
    20xy/12/16 13:35:42.785 [3148] DNS domain name is ccc.corp.rainpole.io
    20xy/12/16 13:35:42.785 [3148] Found domain EU.rainpole.io
    20xy/12/16 13:35:42.785 [3148] DNS domain name is eu.rainpole.io
    20xy/12/16 13:35:42.785 [3148] Found domain SE.rainpole.io
    20xy/12/16 13:35:42.785 [3148] DNS domain name is se.corp.rainpole.io
    20xy/12/16 13:35:42.785 [3148] Found domain TTT
    20xy/12/16 13:35:42.785 [3148] DNS domain name is ttt.corp.rainpole.io
    20xy/12/16 13:35:42.785 [3148] Windows_domain::discover_domain_controllers  CORP (CORP)
    20xy/12/16 13:35:42.785 [3156] Full persistence file: dcq_temp_full.sso
    20xy/12/16 13:35:42.878 [3156] Incremental persistence file: dcq_primary_inc.sso
    20xy/12/16 13:35:42.878 [3156] Sleeping in backup thread: 1800000
    20xy/12/16 13:35:43.066 [3148] DsGetDcName return domain controller name [WIxyz111.corp.rainpole.io], and domain name [corp.rainpole.io], dns forest name [corp.rainpole.io]
    20xy/12/16 13:35:44.691 [3148] Windows Major Version 6

Example of a user added to the mapping file:

  • 20xy/12/16 13:35:30.988 [3052] Domain EU.rainpole.io Added user TestUser

Example of a user already present in the BCAAA local file:

  • 20xy/12/16 13:37:22.248 [3876] Controller 10.x.x.151, found user testUser_BCAAA on workstation\\10.x.x.111, seconds active 5332, seconds idle 0
    20xy/12/16 13:37:22.248 [3876] Found existing user in set \\10.x.x.111, \\10.x.x.111, active 5288, idle 8

But if BCAAA is set to search the whole network ("0.0.0.0/0"), in a large organisation there is a high chance it will try to connect to domain controllers hosted far away in the forest and affected by high response latency. Example of such a lookup:

  • LookupAccountName() with controller 10.x.x.151 took 5465 milliseconds

If dozens of such servers are present, BCAAA waits for each response while holding the authentication requests in its queue, causing long delays and eventually the service to fail.
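To find out which controllers are the slow ones, the "LookupAccountName() with controller ... took N milliseconds" lines can be parsed per controller. The following Python is an added example written for this article, not Broadcom code and not part of BCAAA: the log lines it reads are constructed to match the format quoted above (addresses, thread IDs and timings are made up), and the 10-second budget check assumes, for illustration only, that the lookups of one query pass wait on each other; the article does not describe BCAAA's internal scheduling.

```python
import re
from collections import defaultdict

# Constructed sample of BCAAA log lines in the format quoted in this article.
# Timestamps, thread ids, controller addresses and timings are made up.
SAMPLE_LOG = """\
20xy/12/16 13:37:22.248 [3876] LookupAccountName() with controller 10.0.0.151 took 5465 milliseconds
20xy/12/16 13:37:22.300 [3876] LookupAccountName() with controller 10.0.0.152 took 12 milliseconds
20xy/12/16 13:37:22.350 [3876] Controller 10.0.0.152, found user alice on workstation\\\\10.0.0.111, seconds active 5332, seconds idle 0
20xy/12/16 13:37:28.100 [3876] LookupAccountName() with controller 10.0.0.151 took 6010 milliseconds
20xy/12/16 13:37:28.900 [3876] LookupAccountName() with controller 10.1.0.20 took 4200 milliseconds
20xy/12/16 13:37:29.000 [3876] LookupAccountName() with controller 10.0.0.153 took 8 milliseconds
"""

# Matches only the LookupAccountName timing lines; every other line is ignored.
LOOKUP_RE = re.compile(
    r"LookupAccountName\(\) with controller (?P<dc>\S+) took (?P<ms>\d+) milliseconds"
)


def lookup_latencies(log_text):
    """Return {controller: [latency_ms, ...]} for every LookupAccountName line."""
    per_dc = defaultdict(list)
    for line in log_text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            per_dc[m.group("dc")].append(int(m.group("ms")))
    return dict(per_dc)


def slow_controllers(log_text, threshold_ms=1000):
    """Controllers whose worst observed lookup exceeds threshold_ms, slowest first."""
    per_dc = lookup_latencies(log_text)
    worst = {dc: max(ms) for dc, ms in per_dc.items() if max(ms) > threshold_ms}
    return sorted(worst.items(), key=lambda kv: kv[1], reverse=True)


def worst_case_cycle_ms(log_text):
    """Sum of the worst lookup per controller.

    Assumption for illustration: if the lookups of one query pass wait on each
    other, this is how long a single pass over all controllers can take.
    """
    per_dc = lookup_latencies(log_text)
    return sum(max(ms) for ms in per_dc.values())


def cycle_budget_exceeded(log_text, interval_ms=10000):
    """True when one worst-case pass is longer than the ten-second query interval."""
    return worst_case_cycle_ms(log_text) > interval_ms


if __name__ == "__main__":
    for dc, ms in slow_controllers(SAMPLE_LOG):
        print(f"slow controller {dc}: worst lookup {ms} ms")
    print("worst-case pass:", worst_case_cycle_ms(SAMPLE_LOG), "ms;",
          "exceeds 10 s interval:", cycle_budget_exceeded(SAMPLE_LOG))
```

Run it against the real BCAAA log with debug logging on; the controllers it lists at the top are the ones to leave out of the [DCQDomainControllers] scope, or to investigate for latency.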

Resolution

After Domain Controller Querying is enabled in "sso.ini":

  • [DCQSetup]
    ; Disabled by default
    DCQEnabled=1

make sure a small range of IPs (the subnets of the domain controllers to be queried) is set, for example:

  • [DCQDomainControllers]
    ; Query specific subnets of domain controllers
    192.x.10.0/29
    192.x.20.0/29

Remember to restart the BCAAA service after every "sso.ini" change.
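A quick check of an "sso.ini" before restarting the service, as an added Python example (not Broadcom's code, and not a validation BCAAA performs itself): it reads the two sections shown above from constructed file contents, flags a [DCQDomainControllers] scope that covers more than an assumed 256 addresses, and reports whether a given controller IP would fall into scope. The 192.0.2.0/29 and 198.51.100.0/29 subnets are documentation ranges standing in for the masked 192.x.10.0/29 and 192.x.20.0/29 in the article.

```python
import ipaddress

# Constructed sso.ini fragments, not copied from a live server. The "fixed"
# version uses RFC 5737 documentation subnets in place of real DC subnets.
WEAK_INI = """\
[DCQSetup]
; Disabled by default
DCQEnabled=1

[DCQDomainControllers]
; Query all domain controllers
0.0.0.0/0
"""

FIXED_INI = """\
[DCQSetup]
; Disabled by default
DCQEnabled=1

[DCQDomainControllers]
; Query specific subnets of domain controllers
192.0.2.0/29
198.51.100.0/29
"""


def parse_sso_ini(text):
    """Minimal INI reader: {section: [entry lines]}, skipping blanks and ';' comments.

    A hand-written reader is used because [DCQDomainControllers] holds bare
    CIDR lines with no key=value separator.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def dcq_enabled(sections):
    """True when [DCQSetup] contains DCQEnabled=1."""
    for entry in sections.get("DCQSetup", []):
        key, _, value = entry.partition("=")
        if key.strip().lower() == "dcqenabled":
            return value.strip() == "1"
    return False


def dcq_scope(sections):
    """The CIDR ranges listed under [DCQDomainControllers] as network objects."""
    return [ipaddress.ip_network(e, strict=False)
            for e in sections.get("DCQDomainControllers", [])]


def lint_dcq(text, max_hosts=256):
    """Return a list of findings; an empty list means the DCQ scope looks narrow.

    max_hosts is an assumed threshold for this example: a range larger than
    that is almost certainly broader than the subnets the DCs actually live in.
    """
    sections = parse_sso_ini(text)
    findings = []
    if not dcq_enabled(sections):
        return findings  # DCQ is off, so the scope is not used
    scope = dcq_scope(sections)
    if not scope:
        findings.append("DCQ is enabled but [DCQDomainControllers] lists no subnets")
    for net in scope:
        if net.num_addresses > max_hosts:
            findings.append(
                f"{net} covers {net.num_addresses} addresses; narrow it to the DC subnets")
    return findings


def in_scope(text, dc_ip):
    """Would a controller at dc_ip fall inside the configured query scope?"""
    addr = ipaddress.ip_address(dc_ip)
    return any(addr in net for net in dcq_scope(parse_sso_ini(text)))


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("fixed", FIXED_INI)):
        print(name, lint_dcq(ini) or "OK")
        print("  10.0.0.151 in scope:", in_scope(ini, "10.0.0.151"))
```

Point `lint_dcq` at the contents of the real "sso.ini" before restarting the service; if it reports the 0.0.0.0/0 range, replace that line with the DC subnets as shown above.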

Additional Information