Windows SSO realm authentication fails and the browser may receive the error message "The user could not be determined by the Single Sign-on agent."




In a Windows SSO realm, the BCAAA Windows server needs to query its DC for user logon information (username and IP address), so that the SSO realm can determine the username based on the IP address of the user.

One possible problem is that the BCAAA server cannot authenticate to the DC and therefore cannot query any user logon information from it. As a result, BCAAA cannot determine the username and Windows SSO realm authentication fails.

A packet capture taken on the BCAAA server shows Windows trying to log in to the DC with a null user name, shown as "\":

tcp port 445    protocol: SMB    Session Setup AndX Request, NTLMSSP_AUTH, User: \

The DC therefore returns access denied:

TCP port 445    Protocol:  SMB     NT Create AndX Response, FID: 0x0000, Error: STATUS_ACCESS_DENIED

The BCAAA log shows the error message:

"Cannot query domain controller; status=5:0x5:Access is denied."

One of the main reasons is that the BCAAA service has not been set up correctly to log on with a designated domain username and password; it was set to "Local system account".



On the BCAAA Windows server, open Services, open the BCAAA service properties and go to the Log On tab. Select "This account", use the "Browse" button to find the designated domain user, click OK, type in the password, click Apply to save it, then OK to finish. Then restart the BCAAA service. The BCAAA user should have permission to query the DC for user logon information.

Use a packet capture on the BCAAA server, filtered on the BCAAA IP address and the SMB protocol (for example, in Wireshark, "ip.addr== and smb"), to confirm that BCAAA is able to log in with the designated username:

TCP port:445    SMB    Session Setup AndX Request, NTLMSSP_AUTH, User: domain name\username

If the login is successful, BCAAA will query the DC with:

TCP port 445  SMB    NetSessEnum request

And the DC will reply with:

TCP port 445  SMB    NetSessEnum response
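
The capture check described above can be automated over exported packet-summary lines. The following is an added example, not Blue Coat code; the function name, verdict labels, and the sample account `EXAMPLE\svc_bcaaa` are assumptions, and the sample lines are constructed from the summaries quoted in this article.

```python
import re

# Pulls the user field out of an NTLMSSP_AUTH Session Setup summary line.
AUTH_RE = re.compile(r"Session Setup AndX Request.*NTLMSSP_AUTH.*User:\s*(.*)$")


def diagnose(summary_lines):
    """Classify BCAAA-to-DC SMB traffic from packet-summary text lines."""
    users, denied, enum_req, enum_resp = [], False, False, False
    for line in summary_lines:
        line = line.strip()
        m = AUTH_RE.search(line)
        if m:
            users.append(m.group(1).strip())
        if "STATUS_ACCESS_DENIED" in line:
            denied = True
        if re.search(r"NetSessEnum request", line, re.I):
            enum_req = True
        if re.search(r"NetSessEnum response", line, re.I):
            enum_resp = True

    # A bare "\" (empty domain, empty user) is the null user name this article
    # ties to the service running as "Local system account".
    null_logon = any(u in ("", "\\") for u in users)
    if null_logon:
        verdict = "NULL_LOGON"      # fix the service Log On account
    elif denied:
        verdict = "ACCESS_DENIED"   # named user lacks rights to query the DC
    elif users and enum_req and enum_resp:
        verdict = "OK"              # login and NetSessEnum both seen
    else:
        verdict = "INCOMPLETE"      # capture does not show the full exchange
    return {"users": users, "verdict": verdict}


# Constructed sample summaries, modelled on the lines quoted in this article.
FAILING = [
    "tcp port 445  SMB  Session Setup AndX Request, NTLMSSP_AUTH, User: \\",
    "tcp port 445  SMB  NT Create AndX Response, FID: 0x0000, Error: STATUS_ACCESS_DENIED",
]
WORKING = [
    "tcp port 445  SMB  Session Setup AndX Request, NTLMSSP_AUTH, User: EXAMPLE\\svc_bcaaa",
    "tcp port 445  SMB  NetSessEnum request",
    "tcp port 445  SMB  NetSessEnum response",
]

if __name__ == "__main__":
    for name, capture in (("failing", FAILING), ("working", WORKING)):
        print(name, diagnose(capture))
```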

Also ensure that the BCAAA user has full access rights to the installation directory ..\Program Files\Blue Coat Systems\BCAAA; otherwise, BCAAA cannot start properly.

Open ..\BCAAA\dcq_primary_full.sso in any hex editor to verify the usernames in it.


Additional Information
Bug Number
InQuira Doc Id      KB3675

First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Article Audience
Software      SGOS 4, SGOS 5
Topic      Authentication, BCAAA
Article Number      000016660