Use Telnet to Debug the SSO Agent

To debug your SSO Agent, you can use Telnet to connect to the SSO Agent on TCP port 4114 and run commands to review information in the connection cache. You can also enable advanced debug options. A list of the commands you can use in Telnet is available in the Telnet Help and in the Telnet Commands List section.

We recommend that you only use these commands with direction from a WatchGuard technical support representative.

To connect to your SSO Agent with Telnet, you must specify a user account that is defined in the SSO Agent Configuration Tool User Management settings. For more information, go to Configure the Active Directory SSO Agent.

Before you begin, make sure that the Telnet Client is installed and enabled on your computer.

Open Telnet and Run Commands

To run Telnet commands, you can either open Telnet on the computer where the SSO Agent is installed, or open Telnet and make a remote connection to the SSO Agent over TCP port 4114. Make sure that the SSO Agent service is started before you try to connect to it with Telnet.

  1. Open a command prompt.
  2. At the command prompt, type telnet <IP address of SSO Agent computer> 4114.
  3. Press Enter on your keyboard.
    The connection message appears.
  4. To see a list of commands, type help and press Enter on your keyboard.
    The list of common commands appears.
  5. To run a command, type the command and press Enter on your keyboard.
    Output for the command appears.

For more information about the commands you can use in Telnet, go to the Telnet Commands List.

Enable Debug Logging

To send debug log messages to the log file, you must set the debug status to ON.

  1. In the Telnet window, type set debug on.
  2. Press Enter on your keyboard.
    The message "41 OK — (verbose = False, logToFile=True)" appears.

When you enable debug logging for the SSO Agent, debug log messages for the SSO Clients connected to the SSO Agent, and for the Event Log Monitor and Exchange Monitor, are also generated and sent to separate log files. After the debug log messages have been sent to the log files, you can view them to troubleshoot any issues.

For the SSO Agent:

  1. Go to the debug log file directory: \Program Files\WatchGuard\WatchGuard Authentication Gateway
  2. Open the debug log file: wagsrvc.log

For the SSO Client:

  1. Go to the debug log file directory: \Program Files\WatchGuard\WatchGuard Authentication Client
  2. Open a debug log file: wgssoclient_logfile.log or wgssoclient_errorfile.log

For the Event Log Monitor:

  1. Go to the debug log file directory: \Program Files\WatchGuard\WatchGuard Authentication Gateway
  2. Open a debug log file: eventlogmonitor.log

For the Exchange Monitor:

  1. Go to the debug log file directory: \Program Files\WatchGuard\WatchGuard Authentication Gateway
  2. Open a debug log file: exchangemonitor.log

Make sure to disable debug logging when you are finished.

  1. In the Telnet window, type set debug off.
  2. Press Enter on your keyboard.
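
To confirm that debug logging has stopped after you type set debug off, you can sample the log files listed above and see whether they are still growing. The PowerShell below is an added example, not WatchGuard code. The function name Get-SsoDebugLogActivity is hypothetical, and it assumes the components are installed under $env:ProgramFiles and that a debug log file stops growing once debug logging is off.

```powershell
# Added example: checks whether the SSO debug log files are still being written.
# Assumptions: default install location under $env:ProgramFiles (adjust if the
# components are installed elsewhere), and that a log file stops growing once
# "set debug off" has taken effect.
function Get-SsoDebugLogActivity {
    param(
        [string]$Directory = (Join-Path $env:ProgramFiles 'WatchGuard\WatchGuard Authentication Gateway'),
        [string[]]$LogNames = @('wagsrvc.log', 'eventlogmonitor.log', 'exchangemonitor.log'),
        [int]$SampleSeconds = 60
    )

    # First sample: record the current size of each log file that exists.
    $before = @{}
    foreach ($name in $LogNames) {
        $path = Join-Path $Directory $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $before[$name] = (Get-Item -LiteralPath $path).Length
        }
    }

    Start-Sleep -Seconds $SampleSeconds

    # Second sample: compare sizes and emit one result object per log file.
    foreach ($name in $LogNames) {
        $path = Join-Path $Directory $name
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $before.ContainsKey($name) -or -not $item) {
            # File was absent at one of the two samples, so there is nothing to compare.
            [pscustomobject]@{ Log = $name; Present = $false; DeltaBytes = $null; LastWrite = $null; StillWriting = $false }
            continue
        }
        $delta = $item.Length - $before[$name]
        [pscustomobject]@{
            Log          = $name
            Present      = $true
            DeltaBytes   = $delta               # negative if the file was truncated or replaced
            LastWrite    = $item.LastWriteTime
            StillWriting = ($delta -ne 0)
        }
    }
}

# Run on the SSO Agent computer after "set debug off"; any row shown here
# is a log file whose size changed during the sample window.
Get-SsoDebugLogActivity | Where-Object StillWriting | Format-Table -AutoSize
```

On an SSO Client computer, pass -Directory and -LogNames for the WatchGuard Authentication Client folder and the wgssoclient_logfile.log and wgssoclient_errorfile.log files instead.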

Telnet Commands List

This list includes commands that you can run to help you debug the SSO Agent.

| Command | Telnet Message | Description |
|---|---|---|
| help | Show help | Shows the list of all Telnet commands. |
| login <user> <password> | Login user. Quote if space in credentials. | Type the user credentials to use to log in to the SSO Agent with Telnet. |
| logout | Log out. | Log out of the SSO Agent. |
| get user <IP> | Show all users logged in to <IP address> address. Ex: get user 192.168.203.107 | Shows a list of all users logged in to the selected IP address. |
| get timeout | Show the current timeout. | |
| get status | Show status about the connections. | Shows connection information used to analyze the overall load in your SSO environment. |
| get status detail | Show connected SSO clients, pending, and processing IPs. | Shows detailed connection information used to analyze the overall load in your SSO environment. |
| get domain | Show the current domain filter. | Gets information about the current domain filters from which the SSO Agent accepts authentication attempts. |
| get version <IP> | Show the SSO component name, version, and build information for the IP address. | Gets information about the SSO components (SSO Agent, SSO Client, Event Log Monitor) that are installed at the specified IP address. The information returned includes the version and build numbers for each installed SSO component. |
| get version all | Show the SSO component name, version, and build information for all the monitored IP addresses. | Gets information about the SSO components (SSO Client, Event Log Monitor) that are monitored by the SSO Agent. The information returned includes the version and build numbers for each installed SSO component. |
| log off <ip> | Kill the IP session on Firebox and clear SSO EM internal cache | Ends the session of the specified IP address and removes the active session details for that IP address from the SSO Exchange Monitor internal cache. |
| set domainfilter on | Turn on domain filter. | Permanently sets the domain filter to ON. |
| set domainfilter off | Turn off domain filter. | Permanently sets the domain filter to OFF. |
| set user | Set artificial user information (for debugging). | Changes the user information in the debug log files to a user name you select. This enables you to clearly track user information when you review debug log messages. |
| set debug on | Save debug messages to a file in the same location as the .exe. | Sets debug logging on the SSO Agent to ON. This setting sends debug log messages to the log file, which provides detailed information for troubleshooting. Log file location: SSO Agent: \Program Files\WatchGuard\WatchGuard Authentication Gateway\wagsrvc.log; SSO Client: \Program Files\WatchGuard\WatchGuard Authentication Client\wgssoclient_logfile.log and wgssoclient_errorfile.log |
| set debug verbose | Enable additional log messages. | Includes additional log messages in the debug log files. |
| set debug off | | Sets debug logging on the SSO Agent to OFF. |
| flush <ip> | Clear cache of <ip> address. | Deletes all authentication information about the specified IP address from the SSO Agent cache. |
| flush all | Clear cache of all <ip> addresses. | Deletes all authentication information currently available on the SSO Agent. |
| list | Return list of all IP in cache with expiration. | Shows a list of all authentication information currently available on the SSO Agent. |
| list config | Return list of all monitoring domain configurations. | Shows a list of all domains the SSO Agent is connected to. |
| list user | Return list of all registered users. | Shows a list of all user accounts included in the SSO Agent configuration. |
| list eventlogmonitors | Return list of all registered Event Log Monitors. | Shows a list of all instances of the Event Log Monitor and the version of each instance. |
| quit | Terminate the connection. | Closes the Telnet connection to the SSO Agent. |

Related Topics

About Active Directory Single Sign-On (SSO)

How Active Directory SSO Works

Troubleshoot Active Directory SSO
