Use Telnet to Debug the SSO Agent

http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/Content/e...

Authentication > About Single Sign-On (SSO) > Use Telnet to Debug the SSO Agent

Use Telnet to Debug the SSO Agent

To debug your SSO Agent, you can use Telnet to connect to the SSO Agent on TCP port 4114 and run commands to review information in the connection cache. You can also enable advanced debug options. A list of the commands you can use in Telnet is available in the Telnet Help and in the subsequent Telnet Commands List section.

We recommend that you only use these commands with direction from a WatchGuard support representative.

To connect to your SSO Agent with Telnet, you must use a user account that is defined in the SSO Agent Configuration Tool User Management settings. For more information, see Configure the SSO Agent. Before you begin, make sure that the Telnet Client is installed and enabled on your computer.

Open Telnet and Run Commands

To run Telnet commands, you can either open Telnet on the computer where the SSO Agent is installed, or use Telnet to make a remote connection to the SSO Agent over TCP port 4114. Make sure that the SSO Agent service is started before you try to connect to it with Telnet. 1. Open a command prompt. 2. At the command prompt, type telnet <IP address of SSO Agent computer> 4114. 3. Press Enter on your keyboard.
The connection message appears.

4. To see a list of commands, type help and press Enter on your keyboard.
The list of common commands appears.

5. To run a command, type a command and press Enter on your keyboard.

Output for the command appears.

For more information about the commands you can use in Telnet, see the Telnet Commands List.

Enable Debug Logging

To send debug log messages to the log file, you must set the debug status to ON. 1. In the Telnet window, type set debug on. 2. Press Enter on your keyboard.

1 de 4

22/04/2014 04:23 p.m.

Use Telnet to Debug the SSO Agent

http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/Content/e...

The message "41 OK (verbose = False, logToFile=True)" appears.

When you enable debug logging for the SSO Agent, debug log messages for the SSO Clients connected to the SSO Agent are also generated and sent to separate log files. After the debug log messages have been sent to the log files, you can view them to troubleshoot any issues. For the SSO Agent: 1. Go to the debug log file directory: \Program Files\Watch uard\Watch uard Authentication ate!a" 2. Open the debug log file: !agsr#c$log For the SSO Client: 1. Go to the debug log file directory: \Program Files\Watch uard\Watch uard Authentication %lient 2. Open a debug log file: !gssoclient&logfile$log or !gssoclient&errorfile$log Make sure to disable debug logging when you are finished. 1. In the Telnet window, type set debug off. 2. Press Enter on your keyboard.

Telnet Commands List

This table includes commands that you can run to help you debug the SSO Agent. Command help login <user> <password> logout Telnet Message Show help Login user. Quote if space in credentials. Log out. Show all users logged in to <IP address> address. Ex: get user 192.168.203.107 Show the current timeout. Show status about the connections. Show connected SSO clients, pending, and processing IPs. Show the current domain filter. Show the SSO component name, version, and build information for the IP address. Show the SSO component name, version, and build information for all the monitored IP addresses. Kill the IP session on Firebox and clear SSO EM internal cache Shows connection information used to analyze the overall load in your SSO environment. Shows detailed connection information used to analyze the overall load in your SSO environment. Gets information about the current domain filters from which the SSO Agent accepts authentication attempts. Gets information about the SSO components (SSO Agent, SSO Client, Event Log Monitor) that are installed at the specified IP address. The information returned includes the version and build numbers for each installed SSO component. Gets information about the SSO components (SSO Client, Event Log Monitor) that are monitored by the SSO Agent. The information returned includes the version and build numbers for each installed SSO component. Ends the session of the specified IP address and removes the active session details for that IP address from the SSO Exchange Monitor internal cache. Description Shows the list of all Telnet commands. Type the user credentials to use to log in to the SSO Agent with Telnet. Log out of the SSO Agent. Shows a list of all users logged in to the selected IP address.

get user <IP>

get timeout get status

get status detail

get domain

get version <IP>

get version all

log off <ip>

2 de 4

22/04/2014 04:23 p.m.

Use Telnet to Debug the SSO Agent

http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/Content/e...

Command set domainfilter on set domainfilter off set user

Telnet Message Turn on domain filter. Turn off domain filter.

Description Permanently sets the domain filter to ON. Permanently sets the domain filter to OFF.

Changes the user information in the debug log files to a Set artificial user user name you select. This enables you to clearly track information (for debugging). user information when you review debug log messages. Sets debug logging on the SSO Agent to ON. This setting sends debug log messages to the log file, which provides detailed information for troubleshooting. Save debug messages to a file in the same location as the .exe. Log file location: SSO Agent \Program Files\WatchGuard\WatchGuard Authentication Gateway\wagsrvc.log SSO Client \Program Files\WatchGuard\WatchGuard Authentication Client\wgssoclient_logfile.log and wgssoclient_errorfile.log

set debug on

set debug verbose set debug off flush <ip> flush all list list config list user list eventlogmonitors get log <IP>

Enable additional log messages.

Includes additional log messages in the debug log files. Sets debug logging on the SSO Agent to OFF.

Clear cache of <ip> address. Clear cache of all <ip> addresses. Return list of all IP in cache with expiration. Return list of all monitoring domain configurations. Return list of all registered users. Return list of all registered Event Log Monitors. Get SSO Client logs and dmp files (if have) in zip format. Same as "get log <IP>', but support multiple ip, full path of txt required and one ip each line in the txt file. eg: get log %'\m" test\ips$t(t. Terminate the connection.

Deletes all authentication information about the specified IP address from the SSO Agent cache. Deletes all authentication information currently available on the SSO Agent. Shows a list of all authentication information currently available on the SSO Agent. Shows a list of all domains the SSO Agent is connected to. Shows a list of all user accounts included in the SSO Agent configuration. Shows a list of all instances of the Event Log Monitor and the version of each instance. Download the SSO Client log files and DMP files in a ZIP file from the specified IP address. Download the SSO Client log files and DMP files in a ZIP file from each IP address specified in the TXT file. In the TXT file, each SSO Client IP address must be on a separate line and the full path to the log and dmp files for each SSO Client must be specified. Closes the Telnet connection to the SSO Agent.

get log <xxx.txt>

quit

See Also
Configure the SSO Agent

3 de 4

22/04/2014 04:23 p.m.

Use Telnet to Debug the SSO Agent

http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/Content/e...

Install the WatchGuard Single Sign-On (SSO) Agent Install the WatchGuard Single Sign-On (SSO) Client Install the WatchGuard SSO Exchange Monitor About Single Sign-On (SSO) Give Us Feedback Get Support All Product Documentation Knowledge Base
2014 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, WatchGuard Dimension, Firebox, Core, Fireware, and LiveSecurity are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.

4 de 4

22/04/2014 04:23 p.m.