
STAS & WMI Logoff - How to debug?

Hi,

So we have got a STAS setup in a multiple domain controller environment. It is super quick at registering users logging onto the domain. However, it doesn't seem to be seeing users logging off or using the WMI to query users that have logged off.

 

Client:

Domain connected

No Firewall

 

Server:

I have tried with a Service Account that is full administrator to everything (I will be locking this down once we can prove this works!)

WMI from server using the service account name has access to the WMI query using the command line

Is seeing logons and filtering correctly.

But no logoff unless a user is logging into the same machine (therefore logging off another user)

 

In the log files there is no mention of an attempt to query WMI at any point. How detailed are the log files - how do we know if STAS is actually polling using WMI??

 

Thanks

Ed



  • FormerMember

    Hi EdWilliams,

     

    If you open the STAS logs by navigating to the Advanced tab and View Logs, you should be able to see the WMI query logged with the log entries below; I have just tested it in my lab.

    "DEBUG [0x408] 03/02/2020 11:51:04 : wrkstpoll_workerthread_wmi: connecting to WMI Namespace '\\172.16.19.1\root\cimv2'

    MSG [0x408] 03/02/2020 11:51:04 : wrkstpoll_workerthread_wmi: username:h_patel\Administrator"

    If possible, could you please share the STAS logs with me? 

    Thanks,

  • Hi,

    No, we definitely don't have any entries referring to WMI. WMI is then as being the Polling is to WMI.

    The logs have personal identification so I can't post them. Is there anything that should be installed extra on a server or something that could be missing?

    If I switch to 'Registry Read Access' then I get a new connection (as expected in this mode), which proves it is running that poll mode OK. When I switch back to WMI....still no attempts.

    Have also done the same for Logoff Detection....still no attempts

    Thanks

    Ed

  • Correction - neither Remote Registry Access or WMI show error in the logs.

    Only errors in logs (which looks like a false negative bug in the code anyway)

    ERROR [0x43ec] 03/03/2020 13:25:44 : config_parse_namefile: file C:\Program Files (x86)\Sophos\Sophos Transparent Authentication Suite\domain-list.ini couldn't open: 2

    ERROR [0x4338] 03/03/2020 13:25:44 : SSOclient_update_active_cr_file: updated successfully

    ERROR [0x43ec] 03/03/2020 13:25:44 : stas_init: DC Agent is Active directory

    ERROR [0x4314] 03/03/2020 13:31:21 : USERINFO WAITING INFINITE

    ERROR [0x4314] 03/03/2020 13:31:21 : GETTING (USERINFO) FROM QUEUE

    This seems to be errors which don't make sense. Apart from that there are no other things that look out of place. Very stumped now, I have tried pretty much everything. This is happening on two DC!! So it is a freak one off.

  • FormerMember in reply to MakoRantz

    Hi EdWilliams,

    Please send me screenshots of General, STA Collector, STA Agent and Advanced; you can PM me these screenshots.

    STAS logs are in Debug by default, but if it has changed to Trace, you can change the Log Level from the Advanced tab.

    Thanks,
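
A log check for the question raised in this thread, added here as an example (not part of any post and not Sophos code): it parses STAS log lines and reports whether `wrkstpoll_workerthread_wmi` logged a WMI connection and to which host. The field layout is inferred from the entries quoted in the posts above, and the function and variable names in the code are assumptions.

```python
import re
from collections import Counter

# Layout inferred from the entries quoted in this thread (an assumption):
#   LEVEL [0xTHREAD] date time : function: message
LINE_RE = re.compile(
    r"^(?P<level>[A-Z]+) \[(?P<thread>0x[0-9a-fA-F]+)\] "
    r"(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) : (?P<rest>.*)$"
)
FUNC_RE = re.compile(r"^(?P<func>[A-Za-z_]\w*): (?P<msg>.*)$")
WMI_WORKER = "wrkstpoll_workerthread_wmi"  # name taken from the reply's log lines
NAMESPACE_RE = re.compile(r"WMI Namespace '\\\\(?P<host>[^\\]+)\\")

def parse_line(line):
    """Split one log line into fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    f = FUNC_RE.match(entry.pop("rest"))
    entry["func"] = f["func"] if f else None  # some entries carry no function prefix
    entry["msg"] = f["msg"] if f else m["rest"]
    return entry

def summarize(lines):
    """Report whether the WMI poll worker logged anything, and for which hosts."""
    entries = [e for e in map(parse_line, lines) if e]
    wmi = [e for e in entries if e["func"] == WMI_WORKER]
    hosts = {h["host"] for e in wmi if (h := NAMESPACE_RE.search(e["msg"]))}
    return {
        "parsed": len(entries),
        "levels": Counter(e["level"] for e in entries),
        "wmi_polling_seen": bool(wmi),
        "wmi_hosts": sorted(hosts),
    }

# Lines copied from the two posts in this thread (not a full log).
REPLY_LOG = [
    r"DEBUG [0x408] 03/02/2020 11:51:04 : wrkstpoll_workerthread_wmi: connecting to WMI Namespace '\\172.16.19.1\root\cimv2'",
]
QUESTION_LOG = [
    r"ERROR [0x4338] 03/03/2020 13:25:44 : SSOclient_update_active_cr_file: updated successfully",
    r"ERROR [0x43ec] 03/03/2020 13:25:44 : stas_init: DC Agent is Active directory",
    r"ERROR [0x4314] 03/03/2020 13:31:21 : USERINFO WAITING INFINITE",
]

if __name__ == "__main__":
    for name, log in (("reply", REPLY_LOG), ("question", QUESTION_LOG)):
        print(name, summarize(log))
```

To run it against a real log, pass the file's lines to `summarize()`; an empty `wmi_hosts` list with `wmi_polling_seen` false matches the symptom described in the question.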
