macOS users accessing internet sites via Cloud SWG successfully using WSS Agent.
Users authenticate to Entra SAML IDP server.
Multiple users reported not being able to browse the internet via Cloud SWG.
In the WSS Agent logs, every failing session appeared to be stuck, with the 'waiting for user authentication' string as the last message reported. This string indicates the start of the authentication process, and is normally followed by a successful authentication message as soon as the SAML assertion is consumed by the Cloud Proxy.
Event viewer log entries for each failing host would show a "configuration_error" verdict for requests going to http://pod.threatpulse.com.
Uninstalling and re-installing the WSS Agent did not address the issue.
Apparently, no Cloud SWG, Agent or Entra changes had been made.
SAML Authentication.
WSS Agent.
The Entra signing certificate change was pushed out prematurely, causing certificate validation errors.
Make sure that the Entra SAML signing certificate matches the one imported into the Cloud SWG SAML configuration.
The configuration_error verdict could have been more specific to help troubleshoot the issue.
Support did manage to get a policy trace when the issue happened, and it confirmed that the reason was that an invalid certificate had been found.
POST http://pod.threatpulse.com/api/v1/check_auth
DNS lookup was unrestricted
request.header.Content-Disposition=<not present>
Accept-Language: en-GB
Accept-Language: en;q=0.9
Content-Length: 9369
Referer: https://login.microsoftonline.com/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko)
authentication start 26 elapsed 3 ms
authorization start 0 elapsed 0 ms
user: unauthenticated
authentication status='Unknown Status' authorization status='not_attempted'
user: authenticated=false authorized=true relative username=''
supplier.allowed_countries: all
supplier.failures:
verdict: EXCEPTION(configuration_error): Authentication failed because of a configuration problem
Last Error: An invalid certificate was found.
bypass_cache(yes)
With this information, the Entra and Cloud SWG signing certificates were compared, and a difference was seen.
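The comparison described above, as an added example (not part of the original article and not Broadcom or Microsoft tooling): it extracts the signing certificates from SAML IdP metadata XML and checks their SHA-256 fingerprints against a PEM copy of the certificate imported on the Cloud SWG side. The function names, the three result strings and the sample data are assumptions made for illustration; the sample "certificates" are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def fingerprint(b64_text):
    """SHA-256 fingerprint (upper-case hex) of a base64-encoded DER certificate."""
    der = base64.b64decode("".join(b64_text.split()))
    return hashlib.sha256(der).hexdigest().upper()

def idp_signing_fingerprints(metadata_xml):
    """Fingerprints of every signing certificate advertised in the IdP metadata."""
    found = set()
    for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor"):
        if kd.get("use", "signing") == "signing":  # a missing 'use' also covers signing
            for cert in kd.iter(DS + "X509Certificate"):
                found.add(fingerprint(cert.text or ""))
    return found

def pem_fingerprint(pem):
    """Fingerprint of the certificate exported from the proxy-side SAML configuration."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return fingerprint(m.group(1))

def check(metadata_xml, imported_pem):
    """MISMATCH, MATCH, or MATCH_ROLLOVER_PENDING (IdP lists additional signing certs)."""
    idp = idp_signing_fingerprints(metadata_xml)
    imported = pem_fingerprint(imported_pem)
    if imported not in idp:
        return "MISMATCH"
    return "MATCH" if idp == {imported} else "MATCH_ROLLOVER_PENDING"

# Constructed sample data: placeholder bytes stand in for real DER certificates.
OLD_DER, NEW_DER = b"constructed-old-signing-cert", b"constructed-new-signing-cert"

def sample_pem(der):
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"

def sample_metadata(*ders):
    keys = "".join(f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
                   f"{base64.b64encode(d).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
                   f"</md:KeyDescriptor>" for d in ders)
    return (f'<md:EntityDescriptor xmlns:md="{MD[1:-1]}" xmlns:ds="{DS[1:-1]}">'
            f"<md:IDPSSODescriptor>{keys}</md:IDPSSODescriptor></md:EntityDescriptor>")
```

A MATCH_ROLLOVER_PENDING result means the imported certificate is still listed but the metadata carries another signing certificate as well, which is the point at which to import the new one on the Cloud SWG side before the IdP starts signing with it.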