SSO Authentication Gateway - Error UPN not valid

Hi everyone,

I'm facing an issue with the SSO Authentication Gateway on my WatchGuard setup. When I try to install and configure the SSO agent on my Active Directory Domain Controller (DC), I get an error when adding the domain—it says the UPN is not valid, and no account works (not even the administrator account).

However, if I install and configure the SSO agent on another AD member machine, everything works perfectly.

Here’s what I’ve checked so far:
1. The necessary services are running on the DC.
2. The account permissions should be correct.
3. DNS resolution and network communication between the DC and the Firebox seem fine.
4. Logs don’t provide much useful information.

Has anyone encountered this issue before or has any idea what could be causing this?

Thanks in advance for your help!

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @PosTerrieur

    If you're trying to use UPN, the SSO auth gateway will attempt to query that domain. If it's not working on that machine, something might be preventing it from doing so.

    There isn't any requirement that it run on the actual domain controller - just something that is a member of the domain. If you're happy with it running on another server, there isn't a requirement to change it back unless you want it that way.

    If you're not seeing anything in logs, I'd suggest opening a support case so one of our reps can assist.

    -James Carson
    WatchGuard Customer Support
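    The checklist in the original question (services, permissions, DNS, Firebox connectivity) and James's note that the gateway queries the domain named in the UPN can be verified from the agent host itself. The script below is an added example, not WatchGuard's code or anything either poster ran: it tests, on the machine where the agent is being configured, each precondition that has to hold before the agent can accept a UPN. The sample UPN is constructed, and the agent's Windows service name is a placeholder because the page does not state it; look it up with Get-Service on the host and substitute it.

```powershell
# Added example (not WatchGuard's code): verify the preconditions behind a
# "UPN not valid" error on the host where the SSO agent is installed.
# Needs the ActiveDirectory and DnsClient modules (RSAT on a member server;
# present by default on a domain controller).
#Requires -Modules ActiveDirectory, DnsClient

param(
    # Constructed sample UPN; replace with the account you type into the agent.
    [string]$Upn = 'ssoagent@corp.example.com',
    # Placeholder: the agent's service name is not given on the page.
    [string]$AgentServiceName = 'PLACEHOLDER-SSO-AGENT-SERVICE'
)

$results = [ordered]@{}

# 1. Syntax: exactly one '@' with a non-empty user part and suffix.
$parts = $Upn -split '@'
$results['UPN syntax'] = ($parts.Count -eq 2 -and $parts[0] -ne '' -and $parts[1] -ne '')
$suffix = if ($parts.Count -eq 2) { $parts[1] } else { $null }

# 2. The suffix must be one the forest actually knows: a domain DNS name
#    or an explicitly registered alternative UPN suffix.
$forest = Get-ADForest
$knownSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)
$results['Suffix known to forest'] = [bool]($suffix -and ($knownSuffixes -contains $suffix))

# 3. DNS: the domain must resolve and publish the LDAP SRV record,
#    otherwise the agent has no domain controller to query.
$results['Domain name resolves'] =
    [bool](Resolve-DnsName -Name $suffix -ErrorAction SilentlyContinue)
$results['LDAP SRV record published'] =
    [bool](Resolve-DnsName -Name "_ldap._tcp.$suffix" -Type SRV -ErrorAction SilentlyContinue)

# 4. Secure channel to the domain. Only meaningful on a member machine;
#    a domain controller (DomainRole 4 or 5) has no secure channel to test.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) {
    $results['Secure channel'] = 'n/a (this host is a domain controller)'
} else {
    $results['Secure channel'] = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
}

# 5. The account must exist under that exact UPN and be enabled.
$user = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -ErrorAction SilentlyContinue
$results['Account found by UPN'] = [bool]$user
$results['Account enabled']      = [bool]($user -and $user.Enabled)

# 6. The agent service itself must be present and running.
$svc = Get-Service -Name $AgentServiceName -ErrorAction SilentlyContinue
$results['Agent service running'] = [bool]($svc -and $svc.Status -eq 'Running')

# Report: one line per check so a failing precondition stands out.
foreach ($check in $results.Keys) {
    $value = $results[$check]
    $state = if ($value -is [bool]) { if ($value) { 'PASS' } else { 'FAIL' } } else { $value }
    '{0,-28} {1}' -f $check, $state
}
```

    Run it once on the domain controller and once on the member server where the agent works; a check that passes on the member but fails on the DC is the place to start, and the output is worth attaching to the support case James suggests.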

  • Hello @james.carson,

    Thank you for your response. I tried again yesterday and encountered the same issue. I am unable to add my domain to the application from the DC machine.

    However, I was surprised to see that SSO is working even without any configuration. On the Firebox, as soon as I log into my DC or another computer within my domain, I can see the user listed on the Firebox.

    So, SSO seems to be functioning correctly, but I still cannot add my domain to the SSO Authentication Gateway, which is very strange. I was really surprised to see it working despite not being properly configured.

    I also made sure that the traffic is indeed coming from the DC and not another machine. The only other device in the domain only has the SSO client installed.

    Any insights on this issue?

    Thanks in advance!

  • james.carson Moderator, WatchGuard Representative

    Hi @PosTerrieur I can't really tell what is happening without looking at the agent. If the interface is not behaving properly, it's possible that the settings did take, and just didn't show as such.

    I'd suggest creating a support case so that we can look into this and provide you a better answer.

    -James Carson
    WatchGuard Customer Support
