Customer have two AD server and master and slave. After they installed ADSSO on server and configured user-based security-policy on USG, some users’ online information can synchronize to firewall, but some users can’t online on AD server.
Alarm Information[2017-12-24 15-32-11][DBG]UserOnLine, UserName: xxxx', Domain: 'automation', Computer: 'xxxx'
[2017-12-24 15-32-11][DBG]szADsPath = LDAP://10.10.x.x/CN=xxxx,OU=Finance,OU=USERS &Groups,DC=x,DC=com
[2017-12-24 15-32-11][DBG]user 'x' Logon from 10.10.y.y
[2017-12-24 15-32-11][DBG]record time 1514097879, message time 1514100731<?xml:namespace prefix = "o" />
[2017-12-24 15-32-11][DBG]Fake logon detected,because logon time too far!
[2017-12-24 16-18-27][INF]UserOffLine enter.
Handling Process1. Checked the ADSSO configuration, the ComminucationTimeWindow are 5 seconds, it is too short. When the time is over 5 seconds, the users can’t be online and show “fake logon” on both AD server. The default CommunicationTimeWindow is 1800 seconds, so we changed it to 1800 and restart ADSSO progress.
(When one user have “fake logon” alarm at two AD server, that’s abnormal, user can’t be online. When the user are online at one AD server, another AD server will check the status too, and the second AD server show “fake logon” alarm, that is nornaml.)
2. If the system is above window8.1 and windows server 2012, the user online status will be 5 minutes delay. So we configured group policy to disable the delay time.
Root CauseThe CommunicationTimeWindow configured too short.
SolutionChange CommunicationTimeWindow to 1800 seconds.
