AD Domain SSO didn't work for USG2200

Publication Date:  2013-09-30 Views:  359 Downloads:  0
Issue Description
This topology is as follows.

The version of  USG2200is V300R001C00SPC5000.
Some intranet user couldn’t access Internet, for the firewall pushed a page indicating that the current network connection timed out and re-authentication is required.

The configuration related with AD domain SSO is as follows:
ad-server template boc_ad
ad-server authentication 88
ad-server authentication base-dn dc=boc,dc=co,dc=za
ad-server authentication manager cn=admin,cn=users %$%$THLXGYg,8WME~ORT`0;R:aXO%$%$
ad-server authentication host-name
ad-server authentication ldap-port 389
ad-server user-filter sAMAccountName
ad-server group-filter ou

user-manage web-authentication port 8888
user-manage online-user aging-time 960
user-manage single-sign-on shared-key Admin@123
user-manage single-sign-on enable
user-manage authentication-policy access_control
  new-user add-local group root
  authentication-mode single-sign-on
Alarm Information
Handling Process
 From the configuration related with AD Domain SSO, we found that there is nothing wrong.
(2) The timeout duration of online users is 960 minutes, so this is not the reason why some intranet user can’t access the internet after login the PC using the domain user name.
(3) Check the configuration of AD Domain.
We found that there is no log file in the path” C:\Program Files\AdWatcher\AdWatcher\log” related the time when the customer did the test.
In the page indicating “the current network connection timed out and re-authentication is required”, download the tools and execute it in command line, and the result was as follows:
C:\>adrelogin  -d

System Version: 0x1db10106, major version: 0x6, minor version: 0x1
Begin to get log off script ...
Error: Failed to open registry key. Param: Software\Microsoft\Windows\CurrentVer
sion\Group Policy\Scripts\Logoff\0.
Error code: 2.

From the above information we can concluded that there must be something wrong with the configuration of AD domain.
(4) From the AD Server, we can see that there are more than one AD domain, and the script ReportLogin.exe was added to the default AD domain. But the intranet user used the other AD domain which there is no script added to the logon script (Logon.exe) and logoff script (Logoff.exe), so the AD Watcher service can’t monitor the logon and logoff operations of domain users. That is why some intranet user couldn’t access the Internet.
(5) On the AD server, add script ReportLogin.exe to the logon script (Logon.exe) and logoff script (Logoff.exe) respectively to the correct AD domain, and set the parameters of the logon and logoff scripts, now that the problem was solved.
Root Cause
(1) The configuration related with AD domain SSO is not correct
(2) The online-user aging-time is too short.
(3) The AD server is not configured correctly.
While configuring AD domain SSO, if there are more than one AD domain in the AD Server, make sure that the script ReportLogin.exe is configured in the correct AD domain.