Troubleshoot Active Directory SSO

If you have problems with your Active Directory SSO deployment, you can use the information in this topic to review your deployment for configuration issues.

Verify the SSO Component Configuration

Active Directory (AD) Mode is a backup SSO method. AD Mode might not operate as expected in some circumstances, and it can introduce security risks. We do not recommend AD Mode as a primary SSO method.

Test the SSO Port Connection

To verify that the SSO Agent can contact the Event Log Monitor and Exchange Monitor over the required ports, you can use the SSO Port Tester tool. This tool tests port connectivity between the server where you installed the SSO Agent and a:

  • Range of IP addresses
  • Single IP address
  • Specific subnet
  • List of specific IP addresses
    You must import a text file that includes the IP addresses to test.

Verify the SSO Software Version

Make sure that you have installed SSO component software v11.10 or higher.

SSO software versions lower than v11.10 do not support:

  • Windows Fast User Switching
  • RDP for clientless SSO
  • SSO authentication over BOVPN

SSO software versions lower than v11.9.3 do not support RDP for the SSO Client.

Fireware and SSO software versions lower than v12.2 do not support SSO configurations with multiple SSO Agents.

The versions of the SSO components in your SSO solution do not have to be the same, and they do not have to be the same as the version of Fireware on your Firebox. We recommend that you install the highest available version of the SSO Agent, even if your Firebox runs a lower version of Fireware.

SSO Agent v12.5.4 supports Fireware v12.5.4 or higher only. Before you install SSO Agent v12.5.4, you must upgrade the Firebox to Fireware v12.5.4 or higher. If you install SSO Agent v12.5.4, we recommend that you upgrade all SSO Clients to v12.5.4.

You cannot use SSO Client v12.5.4 with versions of the SSO Agent lower than v12.5.4. Fireware v12.5.4 supports previous versions of the SSO Agent.

Verify Your Network Configuration

After you confirm that SSO is installed and configured correctly, complete these steps:

  1. Make sure that the SSO Agent service and each SSO Client service are started.
    1. On the computer where the service is installed, select Start > Run > Services.msc.
    2. In the Status column, verify that Started appears.
  2. Verify that the client computer is on the correct domain.
  3. Verify that the individual user has logged on to the domain, and not to the local computer account.
  4. Verify the Active Directory group used for SSO authentication is a security group and not a distribution group. Active Directory distribution groups do not work with SSO.
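The four checks above can be run from an elevated PowerShell prompt on the client computer with the script below. This is an added example, not WatchGuard's code: the service display names and the group name are assumptions to replace with the ones in your deployment, and step 4 needs the ActiveDirectory RSAT module.

```powershell
# Added example (not WatchGuard's code). Service display names and the SSO
# group name are placeholders; check Services.msc and your Firebox SSO
# configuration for the real values.
param(
    [string[]]$ServiceNames = @('WatchGuard SSO Agent', 'WatchGuard SSO Client'),
    [string]$SsoGroup = 'SSO-Users'   # placeholder AD group used for SSO
)

$results = @()

# 1. Service state: the script equivalent of Services.msc > Status = Started.
foreach ($name in $ServiceNames) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) { $svc = Get-Service -Name $name -ErrorAction SilentlyContinue }
    $detail = if ($svc) { $svc.Status } else { 'service not found' }
    $results += [pscustomobject]@{
        Check  = "Service '$name' is running"
        Result = [bool]($svc -and $svc.Status -eq 'Running')
        Detail = $detail
    }
}

# 2. The computer is joined to a domain (compare Domain with the expected one).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results += [pscustomobject]@{
    Check  = 'Computer is domain-joined'
    Result = [bool]$cs.PartOfDomain
    Detail = $cs.Domain
}

# 3. The current user logged on with a domain account, not a local account:
#    a local logon shows the computer name as the account's domain part.
$identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$logonDomain = $identity.Split('\')[0]
$results += [pscustomobject]@{
    Check  = 'User is logged on to a domain account'
    Result = [bool]($cs.PartOfDomain -and $logonDomain -ne $env:COMPUTERNAME)
    Detail = $identity
}

# 4. The SSO group is a security group; distribution groups do not work with SSO.
try {
    $grp = Get-ADGroup -Identity $SsoGroup -ErrorAction Stop
    $results += [pscustomobject]@{
        Check  = "Group '$SsoGroup' is a security group"
        Result = ($grp.GroupCategory -eq 'Security')
        Detail = $grp.GroupCategory
    }
} catch {
    $results += [pscustomobject]@{ Check = "Group '$SsoGroup' lookup"; Result = $false; Detail = $_.Exception.Message }
}

$results | Format-Table -AutoSize
```

Any row with Result False points at the step to revisit before gathering logs for Technical Support.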

Common Error Messages

Get Logs and Contact Technical Support

If these troubleshooting steps did not resolve the issue, gather logs and contact WatchGuard Technical Support.

Related Topics

How Active Directory SSO Works

Example Network Configurations for Active Directory SSO

About SSO Log Files

Download Active Directory SSO Log Files

Use Telnet to Debug the SSO Agent