User cannot come online through the AD server

Publication Date:  2017-12-28 Views:  51 Downloads:  0
Issue Description

The customer has two AD servers, a master and a slave. After they installed ADSSO on the servers and configured a user-based security policy on the USG, the online information of some users synchronizes to the firewall, but other users cannot come online on the AD server.

Alarm Information

[2017-12-24 15-32-11][DBG]UserOnLine, UserName: xxxx', Domain: 'automation', Computer: 'xxxx'

[2017-12-24 15-32-11][DBG]szADsPath = LDAP://10.10.x.x/CN=xxxx,OU=Finance,OU=USERS &Groups,DC=x,DC=com

[2017-12-24 15-32-11][DBG]user 'x' Logon from 10.10.y.y

[2017-12-24 15-32-11][DBG]record time 1514097879, message time 1514100731

[2017-12-24 15-32-11][DBG]Fake logon detected,because logon time too far!

[2017-12-24 16-18-27][INF]UserOffLine enter.

Handling Process

1.    We checked the ADSSO configuration: CommunicationTimeWindow was set to 5 seconds, which is too short. When the gap between the logon record and the message exceeds 5 seconds, the user cannot come online and a fake-logon alarm appears on both AD servers. The default CommunicationTimeWindow is 1800 seconds, so we changed it to 1800 and restarted the ADSSO process.

     (A fake-logon alarm for the same user on both AD servers is abnormal: the user cannot come online. When the user is online on one AD server, the other AD server checks the status as well and reports a fake-logon alarm; that is normal.)

2.    If the client runs Windows 8.1 / Windows Server 2012 or later, the user's online status is delayed by 5 minutes. So we configured a group policy to disable this delay.
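To make the check behind the "Fake logon detected" line concrete, here is an added Python example; it is not Huawei's code and not part of the original case. It parses the "record time ... message time ..." pairs from the ADSSO debug log and applies a CommunicationTimeWindow to them the way the alarm text describes: a gap larger than the window is rejected. The sample log is constructed from the lines quoted above (host names are placeholders); the two epoch values are the ones printed in the case. Note that this pair is 2852 seconds apart, which exceeds even the 1800-second default, so if the alarm persists after the change it is worth checking that the DC and the ADSSO host agree on the time.

```python
import re
from dataclasses import dataclass

# Documented default of the ADSSO CommunicationTimeWindow parameter, in seconds,
# and the misconfigured value found in this case.
DEFAULT_WINDOW_SECONDS = 1800
MISCONFIGURED_WINDOW_SECONDS = 5

# Constructed sample built from the debug lines quoted in the case. The two epoch
# values are the ones printed by the ADSSO agent; user/host names are placeholders.
SAMPLE_LOG = """\
[2017-12-24 15-32-11][DBG]UserOnLine, UserName: 'xxxx', Domain: 'automation', Computer: 'xxxx'
[2017-12-24 15-32-11][DBG]user 'x' Logon from 10.10.y.y
[2017-12-24 15-32-11][DBG]record time 1514097879, message time 1514100731
[2017-12-24 15-32-11][DBG]Fake logon detected,because logon time too far!
"""

TIME_LINE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\[DBG\]record time (?P<record>\d+), message time (?P<message>\d+)"
)


@dataclass
class LogonTiming:
    logged_at: str      # agent timestamp as printed in the log line
    record_time: int    # epoch seconds of the logon event recorded on the DC
    message_time: int   # epoch seconds when the ADSSO agent processed the message

    @property
    def delta_seconds(self) -> int:
        """Gap between the recorded logon and the message the agent handled."""
        return self.message_time - self.record_time

    def is_fake_logon(self, window_seconds: int) -> bool:
        """Mirror the agent's check: a gap beyond the window is treated as a fake logon."""
        return abs(self.delta_seconds) > window_seconds


def parse_logon_timings(log_text: str) -> list[LogonTiming]:
    """Extract every record/message timestamp pair from ADSSO debug output."""
    timings = []
    for line in log_text.splitlines():
        m = TIME_LINE.match(line)
        if m:
            timings.append(LogonTiming(m["ts"], int(m["record"]), int(m["message"])))
    return timings


def verdicts(log_text: str, window_seconds: int) -> list[tuple[int, bool]]:
    """Return (delta_seconds, rejected) for each pair under the given window."""
    return [(t.delta_seconds, t.is_fake_logon(window_seconds))
            for t in parse_logon_timings(log_text)]


if __name__ == "__main__":
    for window in (MISCONFIGURED_WINDOW_SECONDS, DEFAULT_WINDOW_SECONDS):
        for delta, rejected in verdicts(SAMPLE_LOG, window):
            state = "fake logon" if rejected else "accepted"
            print(f"window={window:>4}s delta={delta}s -> {state}")
    # The 5-minute status delay of Windows 8.1 / Server 2012 clients on its own
    # already exceeds a 5-second window but fits comfortably inside the default.
    five_min = LogonTiming("n/a", 0, 300)
    print(f"300 s delay: window 5s -> {five_min.is_fake_logon(5)}, "
          f"window 1800s -> {five_min.is_fake_logon(1800)}")
```

Running it shows why a 5-second window cannot work in practice: the 300-second client-side delay from step 2 alone is rejected at 5 seconds and accepted at 1800, while the logged 2852-second gap is rejected under both settings.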

Root Cause

CommunicationTimeWindow was configured too short (5 seconds).

Solution

Change CommunicationTimeWindow to 1800 seconds (the default) and restart the ADSSO process.
