Skipping invalid GroupName error in auth-connector debug logs

Article ID: 383429

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

While troubleshooting group-based authentication with the WSS Agent and auth-connector, the customer found the following errors in the bcca debug logs:

2024/12/25 12:34:56.789 [3148] S4UAuthenticateRequest::Process
2024/12/25 12:34:56.789 [3148] FindUserLogonNames() called, user name [DOMAIN\user]
2024/12/25 12:34:56.789 [3148] DN_manager::FindDnsName() called.
2024/12/25 12:34:56.130 [3148] distinguishedName [CN=user xyz,OU=NetworkSecurity,OU=UsersAndGroups,DC=DOMAIN,DC=com]
2024/12/25 12:34:56.130 [3148] userPrincipalName [[email protected]]
2024/12/25 12:34:56.130 [3148] sAMAccountName [user]
2024/12/25 12:34:56.130 [3148] userAccountControl 0x200
2024/12/25 12:34:56.130 [3148] Mail attribute type 3
2024/12/25 12:34:56.130 [3148] User's mail name [[email protected]]
2024/12/25 12:34:56.130 [3148] FindUserLogonNames() ADSI lookups took 15 milliseconds.
2024/12/25 12:34:56.130 [3148] FindUserLogonNames() returning 0x0
2024/12/25 12:34:56.130 [3148] Performing s4uLogon Auth for: '[email protected]'
2024/12/25 12:34:56.146 [3148] s4uLogon() took 16 milliseconds.
2024/12/25 12:34:56.146 [3148] Performing Group-of-Interest Auth for: 'DOMAIN\user'
2024/12/25 12:34:56.146 [3148] SSPICheckGroupsOfInterestBasic: lpUserName='DOMAIN\user' hLogin=0x00001388
2024/12/25 12:34:56.146 [3148] GroupName='DOMAIN\Allow_Proxy_ABC'
2024/12/25 12:34:56.146 [3148] Skipping invalid GroupName='DOMAIN\Allow_Proxy_ABC'
2024/12/25 12:34:56.146 [3148] GroupName='DOMAIN\Allow_Proxy_DEF'
2024/12/25 12:34:56.146 [3148] Skipping invalid GroupName='DOMAIN\Allow_Proxy_DEF'
2024/12/25 12:34:56.146 [3148] GroupName='DOMAIN\Allow_Proxy_GHI'
2024/12/25 12:34:56.146 [3148] Skipping invalid GroupName='DOMAIN\Allow_Proxy_GHI'
2024/12/25 12:34:56.146 [3148] GroupName='DOMAIN\Allow_Proxy_JKL'
2024/12/25 12:34:56.146 [3148] Skipping invalid GroupName='DOMAIN\Allow_Proxy_JKL'
2024/12/25 12:34:56.146 [3148] Group Membership:
2024/12/25 12:34:56.146 [3148] Group no: 0, member: no, invalid group name: 'DOMAIN\Allow_Proxy_ABC'
2024/12/25 12:34:56.146 [3148] Group no: 1, member: no, invalid group name: 'DOMAIN\Allow_Proxy_DEF'
2024/12/25 12:34:56.146 [3148] Group no: 2, member: no, invalid group name: 'DOMAIN\Allow_Proxy_GHI'
2024/12/25 12:34:56.146 [3148] Group no: 3, member: no, invalid group name: 'DOMAIN\Allow_Proxy_JKL'
2024/12/25 12:34:56.146 [3148] BASIC Logon allowed for user 'DOMAIN\user'; checked 4 groups
2024/12/25 12:34:56.146 [3148] S4U authentication agent_result 0x40064
2024/12/25 12:34:56.146 [3148] Finished processing request

What is causing these errors, and how can they be resolved so that group-based authentication works?

Environment

Auth-connector (not version specific)

WSS Agent (not version specific)

Cause

The process that the auth-connector uses to look up a group name and translate it into a SID is not working and needs to be resolved.

Resolution

The resolution to this problem is outside of the Auth-connector realm, as the issue is caused by a domain trust issue.

The domain issue needs to be resolved so that the group names return a SID that can then be checked against the group-membership data (SID list) in the user token provided in the S4U response.
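
To see how widespread the failure is before working on the domain, the debug log can be summarised per request. The following is an added example, not Broadcom code: it reads lines in the bcca format quoted above and reports, for each group check, which group names were skipped and whether all of them failed even though the logon was allowed. The function name `triage`, the verdict labels, and the sample log (including the assumption that a group which resolves produces no "Skipping" line) are constructed for illustration.

```python
import re

# Constructed sample in the bcca debug-log format quoted above (not real data).
SAMPLE_LOG = r"""
2024/12/25 12:34:56.146 [3148] Performing Group-of-Interest Auth for: 'DOMAIN\user'
2024/12/25 12:34:56.146 [3148] GroupName='DOMAIN\Allow_Proxy_ABC'
2024/12/25 12:34:56.146 [3148] Skipping invalid GroupName='DOMAIN\Allow_Proxy_ABC'
2024/12/25 12:34:56.146 [3148] GroupName='DOMAIN\Allow_Proxy_DEF'
2024/12/25 12:34:56.146 [3148] Skipping invalid GroupName='DOMAIN\Allow_Proxy_DEF'
2024/12/25 12:34:56.146 [3148] BASIC Logon allowed for user 'DOMAIN\user'; checked 2 groups
2024/12/25 12:34:57.002 [4020] Performing Group-of-Interest Auth for: 'DOMAIN\other'
2024/12/25 12:34:57.002 [4020] GroupName='DOMAIN\Allow_Proxy_ABC'
2024/12/25 12:34:57.002 [4020] GroupName='DOMAIN\Allow_Proxy_DEF'
2024/12/25 12:34:57.002 [4020] Skipping invalid GroupName='DOMAIN\Allow_Proxy_DEF'
2024/12/25 12:34:57.002 [4020] BASIC Logon allowed for user 'DOMAIN\other'; checked 2 groups
"""

LINE = re.compile(r"^\S+ \S+ \[(\d+)\] (.*)$")   # date, time, [thread id], message
START = re.compile(r"Performing Group-of-Interest Auth for: '([^']*)'")
SKIP = re.compile(r"^Skipping invalid GroupName='([^']*)'")
DONE = re.compile(r"Logon allowed for user '[^']*'; checked (\d+) groups")

def triage(log_text):
    """Return one dict per group check: user, checked, unresolved names, verdict."""
    open_reqs, finished = {}, []   # open_reqs is keyed by the [thread id] field
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        tid, msg = m.groups()
        req = open_reqs.get(tid)
        if s := START.search(msg):
            open_reqs[tid] = {"user": s.group(1), "unresolved": []}
        elif req and (s := SKIP.match(msg)):
            req["unresolved"].append(s.group(1))
        elif req and (s := DONE.search(msg)):
            del open_reqs[tid]
            req["checked"] = int(s.group(1))
            bad = len(req["unresolved"])
            # Heuristic (assumption): every name failing points at the lookup path
            # (for example the domain trust), a subset at individual group names.
            req["verdict"] = ("none" if bad == 0 else
                              "all-unresolved" if bad == req["checked"] else "partial")
            finished.append(req)
    return finished

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["user"], r["verdict"], r["unresolved"])
```

An "all-unresolved" verdict on every request matches the situation in this article, where none of the configured group names could be translated to a SID.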