
[IAG] AD domain script single sign-on user logged out by authentication forwarding

Problem Description

The customer has configured script single sign-on together with password authentication. Every time a single sign-on user has been online for three hours, the user is logged out. Users who authenticate with a password are not affected and can use the network normally.

370815b797fe6357bd.png (256.48 KB)

Troubleshooting process

  1. The login and logout logs in version 6.1 do not record the specific reason for a logout, so the cause cannot be read directly from the logs.
  2. Checking the configuration shows that the branch device is configured to receive authentication information forwarded from another device (the headquarters device).
  3. Disable reception of the forwarded authentication information from that device and observe.
  4. Single sign-on users are still logged out after three hours.
  5. A packet capture on the branch shows a logout (deregistration) message forwarded from the headquarters device. The timestamp of the forwarded logout message matches the time at which the single sign-on user was logged out.

    580045b7981317abe1.png (54.58 KB)

    517975b7981869951c.png (71.48 KB)
  6. The headquarters device is configured to forward authentication information to the branch, and the shared key used for this forwarding is the same as the key used for script single sign-on.
  7. Script single sign-on uses sinforIP, so the same user is brought online on both the headquarters device and the branch device.
  8. The headquarters device has a three-hour no-traffic logout configured, and the branch's Internet traffic does not pass through the headquarters.
  9. The user is therefore online on the headquarters device but, seeing no traffic, the headquarters logs the user out after three hours, and this logout is forwarded to the branch.
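The check in steps 5, 8 and 9 is a timestamp correlation: each branch logout should line up with a forwarded logout message in the capture, and each affected session should have lasted about as long as the headquarters' no-traffic timeout. The script below performs that correlation over sample data. It is an added example, not code from the original case or from Sangfor; the log line format, the field names (user, ip, method, src) and the sample records are all constructed for illustration and do not reproduce real IAG log or message formats.

```python
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample of branch login/logout records (hypothetical format).
# As in the 6.1 logs described above, no logout reason is recorded.
BRANCH_AUTH_LOG = """\
2018-08-17 08:01:12 login  user=alice ip=10.20.1.15 method=script-sso
2018-08-17 11:01:40 logout user=alice ip=10.20.1.15
2018-08-17 08:05:03 login  user=bob   ip=10.20.1.22 method=password
2018-08-17 17:30:11 logout user=bob   ip=10.20.1.22
2018-08-17 11:02:01 login  user=alice ip=10.20.1.15 method=script-sso
2018-08-17 14:02:15 logout user=alice ip=10.20.1.15
"""

# Constructed sample of logout messages seen in the branch packet capture,
# forwarded by the headquarters device (hypothetical format, src=hq).
FORWARDED_LOGOUTS = """\
2018-08-17 11:01:38 logout src=hq user=alice ip=10.20.1.15
2018-08-17 14:02:14 logout src=hq user=alice ip=10.20.1.15
"""


def _parse_line(line):
    """Split 'YYYY-mm-dd HH:MM:SS <action> k=v k=v ...' into its parts."""
    ts = datetime.strptime(line[:19], TS_FMT)
    rest = line[19:].split()
    fields = dict(kv.split("=", 1) for kv in rest[1:])
    return ts, rest[0], fields


def parse_records(text):
    """Parse every non-empty line into a dict with ts, action and key=value fields."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, action, fields = _parse_line(line)
            records.append({"ts": ts, "action": action, **fields})
    return records


def pair_sessions(events):
    """Pair each login with the next logout for the same user/IP, ordered by login time."""
    open_logins, sessions = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["ip"])
        if e["action"] == "login":
            open_logins[key] = e
        elif e["action"] == "logout" and key in open_logins:
            login = open_logins.pop(key)
            sessions.append({"user": e["user"], "ip": e["ip"],
                             "method": login.get("method"),
                             "login": login["ts"], "logout": e["ts"]})
    sessions.sort(key=lambda s: s["login"])
    return sessions


def correlate(sessions, forwarded, tolerance=timedelta(seconds=5),
              idle_timeout=timedelta(hours=3), slack=timedelta(seconds=60)):
    """For each session, find a forwarded logout within `tolerance` of the branch
    logout and check whether the session length matches the idle timeout."""
    report = []
    for s in sessions:
        match = next((m for m in forwarded
                      if m["user"] == s["user"] and m["ip"] == s["ip"]
                      and abs(m["ts"] - s["logout"]) <= tolerance), None)
        duration = s["logout"] - s["login"]
        report.append({
            "user": s["user"], "method": s["method"],
            "duration_s": int(duration.total_seconds()),
            "forwarded_from": match["src"] if match else None,
            "matches_idle_timeout": abs(duration - idle_timeout) <= slack,
        })
    return report


def build_report():
    return correlate(pair_sessions(parse_records(BRANCH_AUTH_LOG)),
                     parse_records(FORWARDED_LOGOUTS))


if __name__ == "__main__":
    for r in build_report():
        verdict = ("explained by forwarded logout" if r["forwarded_from"] and r["matches_idle_timeout"]
                   else "no forwarded logout found")
        print(f"{r['user']:6} {r['method']:10} {r['duration_s']:6d}s  {verdict}")
```

In the sample data both script-sso sessions end within two seconds of a forwarded logout from hq and last roughly three hours, while the password-authenticated session has neither property, which is exactly the pattern the capture in step 5 revealed.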

Root cause

The single sign-on user is brought online on both the headquarters device and the branch device. Because the branch's Internet traffic does not pass through the headquarters, the headquarters sees no traffic for that user, logs the user out when its three-hour no-traffic timeout expires, and forwards the logout to the branch through authentication forwarding. The branch has script single sign-on enabled, and the key used for script single sign-on is the same as the key used by the headquarters for authentication forwarding, so the branch accepts the forwarded offline message as valid and logs out its own single sign-on user. This is why the branch single sign-on user is logged out after being online for three hours.

Solution

Disable authentication forwarding on the headquarters device, so that its no-traffic logout of the user is no longer propagated to the branch.

Original Link

https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=6322&isOpen=true