Authentication failures with newer Watchguard Authentication Gateway (SSO eventlogmonitor + AD PCs)
Some months ago we upgraded the Watchguard Authentication Gateway to 12.7.2 and then 12.10. We also removed the service user from "Domain Admin" groups, but we gave him permission to access event logs of PCs as described in the guides.
SSO Agent is configured to use only Event Log Monitor, and is installed on the primary domain controller server. We use it to authenticate firebox users from their windows 10/11 Professional PCs joined to a local AD Domain.
Now PC are randomly unable to authenticate.
As you can see from the test below, all requests after the 1st one are failing:
giovanni@mypc:~$ telnet busitsrv01.mydomain.net 4114 Trying 192.168.133.1... Connected to busitsrv01.mydomain.net. Escape character is '^]'. EVENT 350 log info Connected to the WatchGuard Authentication Gateway SSO agent. Version 220.127.116.11857 Build 685243. Connected at:11/15/2023 12:36:53 To log in to the SSO Agent, type your user credentials. Or, type "help" to see the list of available log in commands. After you log in, type "help" to see all of the commands available for the SSO Agent. login admin xxxxxxx User admin logged in get user 192.168.133.60 443 N=1 IP=192.168.133.60 user="johnsmith" domain=mydomain.net server=192.168.133.60 group="CN=CERTSVC_DCOM_ACCESS," group="CN=Domain Users," group="CN=Photo View," group="CN=Netpon Users, group="CN=STEX Admin Group," group="CN=All people bus," group="CN=Users," group="CN=Video Internal," get user 192.168.133.60 45 N=1 IP=192.168.133.60 ERROR="unknown user" get user 192.168.133.60 45 N=1 IP=192.168.133.60 ERROR="unknown user" get user 192.168.133.60 45 N=1 IP=192.168.133.60 ERROR="unknown user"
Restarting the "Watchguard Authentication Event Log Monitor" service makes the 1st request works again, but all subsequent requests will fail again.
Adding the user to the Domain Admin groups and restarting services did not solved it, also moving the gateway installation to a different server, not a domain controller, was not a solution.
This is error I can find in eventlogmonitor.log when querying a different IP:
2023-11-15T11:33:48Z [tid:9380] INFO: [Thread Body] [Thread: Response to Get User Command] send message: async-29099-000A-192.168.132.195-10-2 79 N=0 IP=192.168.132.195 ERROR="Remote host "192.168.132.195" in logoff status" (to socket)
... but the user is logged on and working at his PC.
I had to rollback to WG-Authentication-Gateway 12.5.4 and re-add the service user do Domain Admins group to make AD SSO works.
Why does only the 1st "get user" succeed ?