Frequently encountered problems
The following points list some of the most frequently encountered problems. Checking these items may help to resolve a malfunction.
The SSO agent cannot log on to the firewall.
- Check the SSL encryption key, i.e. the pre-shared key (password),
- Check that port 1301 has not been blocked by a firewall or on the machine hosting the SSO agent,
- Check the logs in the "System" log file (file /log/l_system) of the firewall via the Stormshield Network Administration tools (see Checking the SN SSO Agent service).
The SSO agent cannot log on to the domain controller.
- Check that the account associated with the SSO agent has read privileges on the event viewer in Active Directory,
- Check that ports 139 and 445 have not been blocked by a firewall or on the machine hosting the SSO agent.
No authentication on the firewall.
If there are no authenticated users on the firewall according to the Stormshield Network Real-Time Monitor or the log files, you are advised to test the authentication method using an authentication rule with Any as both the User value and the Source.
Machines do not respond to the ping (users unauthenticated from the firewall).
If the SSO agent is unable to test a machine by pinging it, the firewall will automatically delete the login from its table of authenticated users. This is visible in the logs of the SSO agent (see Checking the SN SSO Agent service):
- Check that ICMP is allowed on machines in the domain (configuration of the Windows firewall).
Could not connect to the registry database.
If the SSO agent is unable to access a machine, it will be visible in the logs of the SSO agent (see Checking the SN SSO Agent service):
- Check that ICMP has been allowed and that ports 139 and 445 are open on the machines in the domain (configuration of the Windows firewall).
- Also check that the remote registry is running in Windows services and that the account used by the SSO agent has administration privileges on these machines.
Change of IP address not detected.
Changes to IP addresses are detected by DNS requests:
- Check that the DNS servers have been configured for machines in the domain.
If the machines are configured in DHCP, the DHCP server must update the entries in the DNS servers:
- Check that the Reverse lookup zone has indeed been created (see the specific case Changing an IP address).
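The domain-side checks above (ports 139 and 445, ICMP, the remote registry service and the reverse lookup zone) can be run in one pass from the machine hosting the SSO agent. The PowerShell script below is an added example, not part of the Stormshield documentation; the two host names are constructed placeholders, and it is assumed to run under the account used by the SSO agent.

```powershell
# Added example: domain-side checks from the troubleshooting list above.
# Both host names are constructed placeholders; replace them with real ones.
$DomainController = 'dc01.example.test'
$Workstation      = 'pc01.example.test'

function New-Result([string]$Check, [bool]$Ok) {
    [pscustomobject]@{ Check = $Check; Ok = $Ok }
}

$results = @()

# Ports 139 and 445 towards the domain controller and a domain machine
foreach ($target in $DomainController, $Workstation) {
    foreach ($port in 139, 445) {
        $tcp = Test-NetConnection -ComputerName $target -Port $port `
                                  -WarningAction SilentlyContinue
        $results += New-Result "TCP $port to $target" $tcp.TcpTestSucceeded
    }
}

# ICMP: the SSO agent pings machines to confirm that a login is still valid
$ping = Test-Connection -ComputerName $Workstation -Count 2 -Quiet
$results += New-Result "ICMP echo to $Workstation" $ping

# Remote registry service state, queried remotely with sc.exe
$sc = & sc.exe "\\$Workstation" query RemoteRegistry 2>&1 | Out-String
$results += New-Result "RemoteRegistry running on $Workstation" ($sc -match 'RUNNING')

# DNS: resolve the A record, then check that the reverse lookup zone
# returns a PTR record for that address
$a = Resolve-DnsName -Name $Workstation -Type A -ErrorAction SilentlyContinue |
     Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
$ptr = $null
if ($a) {
    $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'PTR' }
}
$results += New-Result "A record for $Workstation" ([bool]$a)
$results += New-Result "PTR record (reverse lookup zone) for $Workstation" ([bool]$ptr)

$results | Format-Table -AutoSize
```

Any row with `Ok` set to `False` points to the corresponding item in the list above.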