Cannot browse AD groups in EdgeSWG VPM due to error: "The IWA direct realm encountered an unmapped error code"

Article ID: 276111

Updated On:

Products

ISG Proxy ProxySG Software - SGOS

Issue/Introduction

When configuring a web access policy rule based on an AD group and using the interactive group browsing in the VPM Editor, the user may see the error: "The IWA direct realm encountered an unmapped error code".

In a packet capture taken on the proxy, there are SMB Read requests toward the Windows Security Accounts Manager (SAM) RPC interface on the domain controller, and the response carries the DCE/RPC fault "nca_s_fault_access_denied".

In the LAS debug log the following entries are observed (the SamrConnect2 call is the SAM remote-protocol connection the realm makes in order to enumerate groups):

4424.986 LW_Error_to_auth_result(), mapping unknown error code -1 to AUTH_E_ONBOX_UNMAPPED_ERROR 2425352
4424.986 TRACE: lsass - [SamrConnect2() samr_connect2.c:76] Error at samr_connect2.c:76 [code: C000020D]

Environment

Edge SWG with IWA Direct Authentication Realm configured.

Domain Controller running Windows 2016 or later.

Cause

Starting with Windows 10 1607 and Windows Server 2016 the following security policy setting was introduced: Security Settings - Local Policies - Security Options - Network access: Restrict clients allowed to make remote calls to SAM. It is stored as the REG_SZ value RestrictRemoteSAM under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and its content is a security descriptor in SDDL form.

This setting controls which users and computers can enumerate users and groups in the local Security Accounts Manager (SAM) database and, on a domain controller, in Active Directory.

By default this setting is not defined. Once it is defined, only the accounts listed in its security descriptor are allowed to make remote calls to SAM; every other caller, including the EdgeSWG machine account that the IWA Direct realm uses for group browsing, receives an access-denied fault, which the realm reports as the unmapped error above.

Resolution

If the company's security policy requires this setting to be defined, add the EdgeSWG machine account (the computer object created when the IWA Direct realm joined the domain) to the security descriptor of this policy setting on the domain controller. If the setting is delivered by a GPO such as the Default Domain Controllers Policy, make the change in that GPO rather than in the DC's local policy, because the next Group Policy refresh overwrites the local registry value. Grant only the proxy's machine account, not Everyone or Authenticated Users, so the restriction keeps its value for the rest of the domain.
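The following PowerShell script is an added example, not part of the Broadcom article, showing how to extend the RestrictRemoteSAM security descriptor with the proxy's machine account without disturbing the existing entries. It assumes a hypothetical computer account named EDGESWG01, that the ActiveDirectory module is installed, and that it runs elevated on the domain controller; the fallback SDDL string is Microsoft's documented built-in default for the setting (local Administrators only) and is used only when the value has not been defined yet.

```powershell
# Added example (not from the Broadcom KB article).
# Builds the SDDL for "Network access: Restrict clients allowed to make remote calls to SAM"
# with the EdgeSWG machine account appended, prints it, and optionally writes it.
# Assumptions: proxy computer object is named EDGESWG01 (hypothetical), the
# ActiveDirectory module is available, and the script runs elevated on a DC.
[CmdletBinding()]
param(
    [string]$ProxyComputerName = 'EDGESWG01',   # hypothetical proxy machine account
    [switch]$Apply                              # write the value; default is print only
)

$regPath      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$regValue     = 'RestrictRemoteSAM'
$READ_CONTROL = 0x20000    # the "RC" right used by this policy's ACEs

# Resolve the machine account's SID; Get-ADComputer handles the trailing "$" itself.
$proxySid = (Get-ADComputer -Identity $ProxyComputerName).SID

# Read the current descriptor. When the value is absent, start from the documented
# built-in default (only BUILTIN\Administrators, "BA", may call SAM remotely).
$current = (Get-ItemProperty -Path $regPath -Name $regValue -ErrorAction SilentlyContinue).$regValue
if (-not $current) { $current = 'O:BAG:BAD:(A;;RC;;;BA)' }

$sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($current)

# Idempotency: do not add a second ACE if the proxy account is already listed.
$alreadyPresent = $sd.DiscretionaryAcl |
    Where-Object {
        $_ -is [System.Security.AccessControl.CommonAce] -and
        $_.SecurityIdentifier.Value -eq $proxySid.Value
    }

if (-not $alreadyPresent) {
    $ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::None,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $READ_CONTROL, $proxySid, $false, $null)
    # Append at the end so existing allow/deny ordering is preserved.
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
}

$newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
Write-Output "Current RestrictRemoteSAM: $current"
Write-Output "New RestrictRemoteSAM:     $newSddl"

if ($Apply) {
    Set-ItemProperty -Path $regPath -Name $regValue -Value $newSddl -Type String

    # After the proxy retries the group browse, the SAM operational log shows whether
    # its remote calls are still being restricted; filter on the proxy account name.
    Get-WinEvent -LogName 'Microsoft-Windows-SAM/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($ProxyComputerName) } |
        Format-List TimeCreated, Id, Message
}
```

Run it once without -Apply to review the resulting SDDL (the new ACE appears as (A;;RC;;;S-1-5-21-...) with the proxy's SID), then with -Apply on a DC whose local policy is authoritative. Where the setting comes from a GPO, open that GPO's "Edit Security" dialog for the setting and add the proxy computer account there instead; the printed SDDL is still useful to compare against what the GPO writes.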

Additional Information