WSS Agent is active on macOS platforms, where users can successfully access internet services via Cloud SWG as well as internal ZTNA segment applications.
As it is in the test phase, users have the ability to disable both the WSS and ZTNA agents when needed.
After deploying the Windows WSS Agent on Windows 11 devices (in DEV and PROD), the WSS Agent sometimes appears to start without ZTNA on multiple hosts, i.e. users can access internet sites without an issue, but internal ZTNA-protected resources do not work.
Checking the WSS Agent diagnostic logs, we see the following message:
‘ZTNA configuration requires SAML – ignoring ZTNA’.
A RECONNECT or a restart of the host does not seem to fix it.
To get out of this situation, I need to log off and back on again. A reconnect won’t fix it. A reboot won’t fix it – just removing the cached token by logging off.
We have seen this on WSS Agent 9.8.4 Build 24105 (Windows 11 24H2) and WSS Agent 9.8.2 Build 23457 (Windows 11 24H2).
WSS Agent on Windows.
Cloud SWG with SAML authentication requirements.
Advanced authentication on Windows.
ZTNA segment applications.
The WSS Agent cannot identify the local user on the Windows platform. It needs that user to generate the CTC routing requests that gather ZTNA information.
Install the Windows WSS Agent with the 'AU=unauthenticated' parameter as defined in the documentation.
Any form of advanced authentication, including Windows Hello, needs this - here are a few KBs referencing this:
The WSS Agent diagnostics showed the "ignoring ZTNA" messages, but more importantly they showed a locally logged-in user before the WSS Agent SAML authentication and then reported that no console user was logged in. Without a console user, the Agent cannot make the CTC requests that retrieve the ZTNA directives (these show up as CTC routing responses in the WSS Agent logs when working), which would explain why ZTNA failed.
[11-17-2025 11:35:25 (UTC+0:00)]: ---- Starting Service (9.8.2.23457) ----
[11-17-2025 11:35:26 (UTC+0:00)]: Customer ID: #####
[11-17-2025 11:35:26 (UTC+0:00)]: Tamper protection: disabled
[11-17-2025 11:35:26 (UTC+0:00)]: Windows 10 Enterprise x86_64 10.0.26100 machine name: ##### machineID: #####
[11-17-2025 11:35:26 (UTC+0:00)]: ZTNA configuration requires SAML - ignoring ZTNA config
[11-17-2025 11:35:26 (UTC+0:00)]: Routing Response (cached) - IP bypass count: 93, Domain bypass count: 185, Executable bypass count: 19, Split DNS count: 2, Tunnel IP count: 3, Tunnel Domain Count: 3, NeverResolve Domain Count: 0, MarkIpAddresses count: 0, Bypass Ports Count: 0
[11-17-2025 11:35:26 (UTC+0:00)]: Initial routing configuration - waiting for route to ctc.threatpulse.com
[11-17-2025 11:35:35 (UTC+0:00)]: Routing has changed - traffic to ctc.threatpulse.com now routed through interface with address: 10.0.0.11
[11-17-2025 11:35:35 (UTC+0:00)]: Waiting for console user to log in
[11-17-2025 11:35:40 (UTC+0:00)]: User user1 has logged in - continuing CTC
[11-17-2025 11:35:40 (UTC+0:00)]: CTC: ignoring system proxy settings
[11-17-2025 11:35:41 (UTC+0:00)]: CTC Response ACTIVE(GEOIP) - egress: #.#.#.# GGBLO-148.64.26.170 GGBDO-148.64.24.170 geolocation: GB ESX Lewes
[11-17-2025 11:35:41 (UTC+0:00)]: Cloud Firewall Services: Enabled
[11-17-2025 11:35:41 (UTC+0:00)]: Attempting to connect to GGBLO via UDP
[11-17-2025 11:35:42 (UTC+0:00)]: CA Tunnel#1(DOMAIN\user1): connecting to 148.64.26.170
[11-17-2025 11:35:42 (UTC+0:00)]: CA Tunnel#1(DOMAIN\user1): status:SUCCESS-authorized
[11-17-2025 11:35:42 (UTC+0:00)]: Tunnel#1(DOMAIN\user1) connected to concentrator: 148.64.26.170 (GGBLO-UDP), Nat IP: 251.218.84.173, RcvBuf: 2097152
[11-17-2025 11:35:42 (UTC+0:00)]: Connection to WSS successful - Tunnel#1
[11-17-2025 11:35:42 (UTC+0:00)]: Console user user1 logged in
[11-17-2025 11:35:42 (UTC+0:00)]: Waiting for user authentication (DOMAIN\user1) *** Start of SAML Authentication ****
[11-17-2025 11:35:58 (UTC+0:00)]: Authentication succeeded (DOMAIN\user1) *** End of SAML authentication ****
[11-17-2025 11:35:59 (UTC+0:00)]: Sending traffic as [email protected] *** Whoami response from Cloud Proxy with user/group info needed for ATM policies ****
[11-17-2025 11:35:59 (UTC+0:00)]: Block notification channel connecting - Tunnel#1(DOMAIN\user1)[0]
[11-17-2025 11:35:59 (UTC+0:00)]: Block notification channel connected - Tunnel#1(DOMAIN\user1)[0]
[11-17-2025 11:36:31 (UTC+0:00)]: No console user logged in. A new connection attempt will be made after login.
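The two indicators described above (the "ignoring ZTNA" message at service start and the console user disappearing after SAML authentication succeeded) can be checked across collected diagnostic logs with a short script. This is an added example, not Broadcom code: the function names and the abridged sample log are constructed for illustration, and only message strings that appear in the excerpt above are matched.

```python
import re
from datetime import datetime

# Constructed sample, abridged from the log format shown in this article.
SAMPLE_LOG = """\
[11-17-2025 11:35:25 (UTC+0:00)]: ---- Starting Service (9.8.2.23457) ----
[11-17-2025 11:35:26 (UTC+0:00)]: ZTNA configuration requires SAML - ignoring ZTNA config
[11-17-2025 11:35:40 (UTC+0:00)]: User user1 has logged in - continuing CTC
[11-17-2025 11:35:42 (UTC+0:00)]: Console user user1 logged in
[11-17-2025 11:35:58 (UTC+0:00)]: Authentication succeeded (DOMAIN\\user1)
[11-17-2025 11:36:31 (UTC+0:00)]: No console user logged in. A new connection attempt will be made after login.
"""

# Timestamp, then the message; the UTC offset is assumed constant within one file.
LINE_RE = re.compile(r"^\[(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) \(UTC[^)]*\)\]: (.*)$")

def parse(text):
    """Yield (timestamp, message) for each well-formed log line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%m-%d-%Y %H:%M:%S"), m.group(2)

def find_ztna_failures(text):
    """Return one finding per service start that shows either indicator."""
    findings, cur = [], None
    for ts, msg in parse(text):
        if msg.startswith("---- Starting Service"):
            cur = {"start": ts, "ztna_ignored": False, "user": None,
                   "auth_ok": None, "console_lost_after_s": None}
            findings.append(cur)
        elif cur is None:
            continue  # lines before the first service start belong to no session
        elif "ignoring ZTNA" in msg:
            cur["ztna_ignored"] = True
        elif msg.startswith("Console user ") and msg.endswith(" logged in"):
            cur["user"] = msg[len("Console user "):-len(" logged in")]
        elif msg.startswith("Authentication succeeded"):
            cur["auth_ok"] = ts
        elif msg.startswith("No console user logged in") and cur["auth_ok"]:
            # Console user vanished after SAML auth completed: seconds elapsed.
            cur["console_lost_after_s"] = int((ts - cur["auth_ok"]).total_seconds())
    return [f for f in findings
            if f["ztna_ignored"] or f["console_lost_after_s"] is not None]
```

A session with `ztna_ignored` set and a small `console_lost_after_s` value matches the sequence in the excerpt; an empty result means neither indicator was logged.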