Any way to have a user ignored for authentication?

We use PDQ Inventory and have a domain user account to run scans and various other programs and scripts on PCs. I do not want that user authenticated to pass through the firewall so it is limited to the domain only. The problem we run into is that the WatchGuard client tries to authenticate the user and fails (which is fine), but then when another user logs into the PC the new user is not submitted for authentication and has no access through the firewall unless they directly sign in through SSO instead of the client doing it automatically.

Is there any way to have WatchGuard completely ignore authentication attempts for this one specific user?

We are using an M300 version 12.5.2

Comments

  • Do you have the SSO client installed on your PCs?
    Try this. I believe that it will address your issue.

  • Yes, we have the client installed on the PCs.

  • Then you should open a support incident to get help from a WG rep in getting this resolved.
    Should you find a resolution, please post it.

  • Maybe I explained that oddly.

    When I look in my Firebox system manager, I can see the pdquser is authenticated on a number of machines via Single Sign-On. (I can select sign out on those machines, but the pdquser is reauthenticated if no one else is logged on.)

    If a real user logs into the PC, that SSO by pdquser is not released and the only way around it is by having the real user sign in via the Authentication Portal.

    So I would like the Single Sign-on to just ignore any authentication requests from my pdquser.

  • The only SSO exclusion option that I see is to exclude an IP addr from requiring authentication.
    Perhaps someone from WG will comment here.
    Otherwise a support incident is the way to go.

  • james.carson Moderator, WatchGuard Representative
    edited May 2020

    A support case is likely the way to go.

    The issue here is that the SSO Client will report whatever the last user in the logs is that authenticated. If both users are technically logged in, it might be getting mixed login info.

    The easiest way around this that I can think of (that comes to mind) would be to use the Terminal Services Agent (TOAgent.) That works on a per user basis and attaches a user name to each process, so you can have multiple data streams

    Opening a case will help one of our reps to get all your setup details and help make the best decision with you.

    *edited grammar

    -James Carson
    WatchGuard Customer Support
