SSO AD User logout continuously

Question

Hi, 
 i have a xg firewall with AD SSO. 
 the users logged into the firewall are continuosly logged out after 20 minutes

2016-04-11 08:44:32

Firewall Authentication

SUCCESSFUL

dario.zzzz@xxxx.local

172.16.29.115

CTA

N/A

User dario.zzzz@xxxx.local was logged out of firewall

17703

2016-04-11 08:28:48

Firewall Authentication

SUCCESSFUL

dario.zzzz@xxxx.local

172.16.29.115

CTA

AD

User dario.zzzz@xxxx.local of group Proxy_All logged in successfully to Firewall through AD authentication mechanism from 172.16.29.115

17701

I have followed all the guides but I can not fix it 
 thanks 
 Emil

Leon.Friend · Answer

Hi Emil, 
 So just looking through the log you posted I can see at 14:31:13 the Collector as part of the log off detection performed a WMI lookup on 172.16.0.22 and receieved a response that the logged on user was "administrator" 
 DEBUG [0x5ec] 12/04/2016 14:31:13 : wrkstpoll_workerthread_wmi: connecting to WMI Namespace '\172.16.0.22oot\cimv2' DEBUG [0x660] 12/04/2016 14:31:13 : threadpool_threadproc: Executing Function 0x455880 MSG [0x5ec] 12/04/2016 14:31:13 : wrkstpoll_workerthread_wmi: username:administrator 
 This resulted in the user emil.martini being logged off at 14:31:14. 
 INFO [0x5ec] 12/04/2016 14:31:14 : remove_user_from_de_repositry: user emil.martini with ip 172.16.0.22 removed from DE MSG [0x5ec] 12/04/2016 14:31:14 : wrkstpoll_handle_logoff_req: user 'btzit.local\emil.martini' removed 
 The indication is that there is a authenticated process executing on the workstation that uses the "administrator" account, when this executes windows reports the last logged on user as "administrator" 
 Assuming that the administrator account is not used as an account in the user space, the simplest solution would be to configure the STAS environment to ignore (not track) "administrator" log on events. This can be performed ia the "Exclusion List" Tab in the STAS Client. 
 Note: using the general "administrator" for dual purposes (i.e. as a user and to run services) can be problematic, I would suggest investigating the option of changing the context for the service/application currently running under "administrator" to a dedicated services account which can be excluded in its place.

Aditya Patel · Answer

Hi All, 
 Could you change the settings as per the snapshot below and check if this would resolve your issue?

Irvin ReynaldoRosario Vidal · Answer

Hi, @ EmilMartini 
 After hours of testing i see the users hav been logged out cuz the NTLM. 
 The users after make the SSO with STAS they are working fine and after some time they are getting off the session. Try to put the NTLM off from Administration > Device Access > NTLM (LAN ZONE). 
 let me know. 
 Thanks. 
 
 @ GabrieleD 
 @ Jiri Hadamek 
 @ Bill Roland

Thomas Unger · Answer

I've spend so many hours with this problem. But now i think i found the solution. The problem was the "Logoff Detection" (WMI) of the DC. The query was blocked by the client firewall. I created an GPO to activate the "Windows Management Intstrumentation (WMI-In)" firewall rule on all clients. And now everything is working fine. 
 P.S. you can test the WMI rule with following command. wmic /node:x.x.x.x computersystem get username