Palo Alto Firewall Authentication Sequence problem

I configured DUO Proxy for GlobalProtect MFA redundancy on our PA 850 firewall using an Authentication Sequence. This post shows how I configured it: Configure two duo proxy servers for Palo alto firewall MFA redundancy – Net/PC How to (howtonetworki…

The problem I have is that when the top Authentication profile or its DUO Proxy server is down, the user can’t log in to GlobalProtect. The DUO Proxy server and the PA authentication profile are not the issue, because I can run the test command successfully:

test authentication authentication-profile <authentication-profile-name> username <username> password

Also, if I move the second profile (DUO Authentication-2 in my example) to the top, it works.


The problem is that if the DUO proxy server of the top authentication profile (DUO Authentication-2) is down, no one can log in. MONITOR>Logs>System does not show any authentication information. If I move the second authentication profile (DUO Authentication in my example) to the top, then it works again. I think it is an Authentication Sequence problem but can’t figure out how to fix it.

Troubleshooting:

By default, GlobalProtect’s login timeout is 30 seconds. If the RADIUS server profile is left at a 30 second timeout with 3 retries, the authentication sequence spends far longer than that on the down server before it moves on to the next profile, so the second profile is never reached and the GlobalProtect login times out.

You’ll need to lower the timeout and retries to account for the delay introduced by the authentication sequence and the down host. The following settings work for us.

On the first RADIUS Profile:

On the second RADIUS Profile:

Please refer to this document:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBufCAG&lang=en_US%E2%80%A…
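As an added illustration (my own code, not from the post or the KB article), here is a small Python model of the failover timing described above. It follows the post’s arithmetic, wait per unreachable server = timeout x retries (an assumption), assumes a 30 second GlobalProtect client timeout, and uses constructed profile names and reachability.

```python
from dataclasses import dataclass

@dataclass
class RadiusProfile:
    name: str
    timeout_s: int     # Timeout in the RADIUS server profile (seconds)
    retries: int       # Retries in the RADIUS server profile
    reachable: bool    # constructed: is the Duo proxy behind this profile up?

def down_server_wait(p: RadiusProfile) -> int:
    """Seconds burned on an unreachable server before the sequence moves on.
    Follows the post's arithmetic (timeout x retries); this is an assumption."""
    return p.timeout_s * p.retries

def walk_sequence(profiles, client_timeout_s=30):
    """Try the profiles in sequence order. Returns (name of the profile that answers,
    seconds burned on down servers before it); name is None when the GlobalProtect
    client timeout expires before a reachable profile is tried."""
    elapsed = 0
    for p in profiles:
        if elapsed >= client_timeout_s:
            break                      # client already gave up; this profile is never tried
        if p.reachable:
            return p.name, elapsed
        elapsed += down_server_wait(p)
    return None, elapsed

def max_wait_per_profile(n_profiles, client_timeout_s=30):
    """Largest timeout x retries each earlier profile may have so that the last profile
    is still tried when every profile ahead of it is down. None for a single profile."""
    if n_profiles < 2:
        return None
    return (client_timeout_s - 1) // (n_profiles - 1)

if __name__ == "__main__":
    duo1 = RadiusProfile("DUO Authentication", 30, 3, reachable=False)
    duo2 = RadiusProfile("DUO Authentication-2", 30, 3, reachable=True)
    print(walk_sequence([duo1, duo2]))   # (None, 90): top proxy down, nobody can log in
    print(walk_sequence([duo2, duo1]))   # ('DUO Authentication-2', 0): works when swapped
    print(max_wait_per_profile(2))       # 29: budget per earlier profile with 2 in sequence
```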


Can’t log in to GlobalProtect and Monitor > Traffic doesn’t show any info

Situation: Some of the client’s users can’t log in to GlobalProtect. When checking Monitor>Logs>Traffic, they don’t see any access information for those users.

Troubleshooting: For troubleshooting GlobalProtect VPN issues, check Monitor>Logs>System instead of Traffic: a user who fails to authenticate never gets a tunnel, so nothing about that attempt appears in the Traffic log. This post may help:

Can’t log in to GlobalProtect with “User is not in allowlist”


Palo Alto Firewall blocks downloading files from Dropbox with these errors: something went wrong or There was an error downloading your file

Problem: We have a PA-440 firewall. We added dropbox.com to OBJECTS>Custom Objects>URL Category and can log in to Dropbox. However, we can’t download files, and get these errors: “.pdf files are supported but something went wrong” or “There was an error downloading your file”.

Troubleshooting:

  1. Log in to the PA firewall.
  2. Go to MONITOR>Logs>URL Filtering.
  3. Filter on the source IP address, for our example ( addr.src in 192.168.10.10 ).
  4. The blocked entries show ACTION block-url and the URL, for example previews.dropbox.com.
  5. After we add previews.dropbox.com/ and consent.dropbox.com/ to the custom URL category, we can download files from Dropbox.

Note: Dropbox uses a mix of changing URLs and includes spread across multiple domains. Here are some examples:

dropbox.com/
*.dropbox.com/
dropboxapi.com/
*.dropboxapi.com/
getdropbox.com/
*.getdropbox.com/
dropboxstatic.com/
*.dropboxstatic.com/
dropboxcaptcha.com/
*.dropboxcaptcha.com/

So, rather than chasing individual hostnames, the best resolution is to configure a security policy rule that allows Dropbox. Please refer to this post:

Create a Policy to allow accessing Dropbox on PA Firewall
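As an added example (my own code, not from the post), the following Python script does what steps 3 and 4 above do by hand: it filters constructed URL Filtering log lines on the source address and block-url action, then checks which blocked hosts a custom URL category would still miss. The log format is a simplified key=value shape I constructed, and the wildcard semantics (‘example.com/’ matches only that host, ‘*.example.com/’ only subdomains) are my assumption about how PAN-OS matches custom URL category entries.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines in a simplified key=value shape (not a real PAN-OS export).
# Only 192.168.10.10 is the client from the steps above.
SAMPLE_LOG = """\
src=192.168.10.10 dst=162.125.1.1 url=www.dropbox.com/home action=alert
src=192.168.10.10 dst=162.125.1.2 url=previews.dropbox.com/p/pdf_img/abc action=block-url
src=192.168.10.10 dst=162.125.1.3 url=consent.dropbox.com/v2/check action=block-url
src=192.168.10.11 dst=162.125.1.3 url=consent.dropbox.com/v2/check action=block-url
src=192.168.10.10 dst=162.125.1.4 url=cfl.dropboxstatic.com/static/js/app.js action=block-url
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_url_log(text):
    """Parse the constructed log into dicts; lines missing a needed field are skipped."""
    entries = []
    for line in text.splitlines():
        fields = dict(KV.findall(line))
        if all(k in fields for k in ("src", "url", "action")):
            entries.append(fields)
    return entries

def host_of(url):
    # Log URLs carry no scheme; urlsplit needs one to separate the host from the path.
    return urlsplit("http://" + url).hostname.lower()

def blocked_hosts(entries, src):
    """The log filter ( addr.src in X ) restricted to ACTION block-url, as a sorted host list."""
    return sorted({host_of(e["url"]) for e in entries
                   if e["src"] == src and e["action"] == "block-url"})

def category_matches(entry, host):
    """Assumed custom URL category semantics: 'example.com/' matches only that exact host;
    '*.example.com/' matches any subdomain but not the bare domain (hence both are listed)."""
    pattern = entry.rstrip("/").lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern

def uncovered_hosts(hosts, category):
    """Blocked hosts that no entry in the custom category covers: the ones still to add."""
    return [h for h in hosts if not any(category_matches(e, h) for e in category)]

if __name__ == "__main__":
    blocked = blocked_hosts(parse_url_log(SAMPLE_LOG), "192.168.10.10")
    print("blocked:", blocked)
    print("missing with only dropbox.com/:", uncovered_hosts(blocked, ["dropbox.com/"]))
    print("missing with wildcards:", uncovered_hosts(blocked, ["dropbox.com/", "*.dropbox.com/",
                                                             "dropboxstatic.com/", "*.dropboxstatic.com/"]))
```

With only dropbox.com/ in the category every blocked host is still uncovered, which is exactly why the downloads kept failing after step 4.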

DUO proxy server log: User IP not provided. Authorized Networks policies will not work for this authentication

Situation: The GlobalProtect VPN user can’t get authenticated by DUO.

Troubleshooting: When we check the DUO authproxy.log, we see this message: User IP not provided. Authorized Networks policies will not work for this authentication.

Based on ChatGPT:

The error message “User IP not provided. Authorized Networks policies will not work for this authentication” indicates that the Duo proxy server is unable to determine the IP address of the client making the authentication request.

This issue can occur for a few reasons:

  1. The client is not sending its IP address in the authentication request. This can happen if the client is behind a NAT or firewall that is not passing the IP address to the proxy server.
  2. The proxy server is not configured to correctly handle the client’s IP address. This can happen if the proxy server is behind a load balancer or other network infrastructure that is not correctly forwarding the client’s IP address.

To resolve this issue, you can try the following:

  1. Ensure that your client is configured to send its IP address in the authentication request. This may involve configuring your firewall or NAT to forward the IP address to the proxy server.
  2. Configure the Duo proxy server to correctly handle the client’s IP address. This may involve configuring the proxy server to use an X-Forwarded-For header or another mechanism to obtain the client’s IP address.
  3. If you are using a load balancer or other network infrastructure, ensure that it is correctly forwarding the client’s IP address to the Duo proxy server.

If none of the above steps resolve the issue, you may need to contact Duo Support for further assistance.

What we found is that notifications were turned off on the user’s phone. After he turned phone notifications back on, it worked.


DUO error: Stopping protocol

There can be various reasons for this error, such as network connectivity issues, incorrect configuration settings, or problems with the Duo Authentication Proxy service itself. To troubleshoot this issue, you can start by checking the log files for the Duo Authentication Proxy service and looking for any error messages or warnings. You can also verify that the configuration settings for the Duo Authentication Proxy are correct and that the Duo server is operational.

Fixing “Remote Desktop Services is currently busy”

Situation: When attempting to access an RD server, you may receive this message: The task you are trying to do can’t be completed because Remote Desktop Services is currently busy.

Troubleshooting 1: The server has run out of RD licenses.

Troubleshooting 2: Reset Stuck Client Remote Desktop Session on RDS

First of all, try to find and reset the session of the user who cannot log on to the RDS server.

Find a user in the Users tab of the Task Manager and click Log off in the context menu.

In most cases this is enough to solve the problem. But sometimes we find multiple hung sessions with the name (4) instead of a username in the Task Manager. As a rule, there will be 4 processes in a hung RDS user session:

  • Client-Server Runtime Process (csrss.exe)
  • Desktop Window Manager (dwm.exe)
  • Windows Logon Application (winlogon.exe)
  • Windows Logon User Interface (LogonUI.exe)

To start with, try to log off all hung (4) RDS sessions in the Task Manager. If that does not help, it is better to reboot the server.

But this is often not possible, as it will affect other users’ sessions on the RDS host. So let us try to solve the problem without rebooting the host.

First, run the elevated command prompt and execute the command:

C:\>query session
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 rdp-tcp#5         bob                       2  Active
 console                                     3  Conn
 7a78855482a04...                        65536  Listen
 rdp-tcp                                 65537  Listen

It shows all users and their remote sessions on the RDS host. We need three columns from the output: SESSIONNAME, USERNAME and ID.

Find the (4) user and the corresponding ID; in this example, it is ID 2. We must kill the csrss.exe process that is running in this session.

Now, display the list of the running processes in the session ID we found earlier:

C:\>query process /id 2
 USERNAME              SESSIONNAME         ID    PID  IMAGE
 >system               rdp-tcp#5            2   5140  csrss.exe
 >system               rdp-tcp#5            2    956  winlogon.exe
 >umfd-2               rdp-tcp#5            2   2796  fontdrvhost.exe
 >dwm-2                rdp-tcp#5            2   5888  dwm.exe

Find the csrss.exe process (check the IMAGE column) and its PID. In this case, the PID is 5140. We need to kill this process.

Now, open the Task Manager, go to the Details tab and find the PID and the process from the previous step.

If the PID we need corresponds to the csrss.exe process, kill the process by clicking End task in the context menu or by entering the following command in the command prompt:

taskkill /F /PID 5140

Repeat this for each (4) user if there are several.

Troubleshooting 3: Resetting an RDS User Session

If we were not able to log off a problem user in the Task Manager, we can try to reset an RDS user session from the command prompt:

First, open the command prompt as administrator and run the command:

query session

Copy the SESSIONNAME of the problem user.

Now enter:

reset session <SESSIONNAME>

Specify the session name copied above instead of <SESSIONNAME>.

Repeat this for each problem RDS user session. Then try to log on; the problem should not occur again.
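As an added example (my own script, not from the original post), the PowerShell below automates Troubleshooting 2 and 3 for one session: it looks up the SESSIONNAME for a given session ID from query session, then either resets the session or finds and kills the csrss.exe PID reported by query process /id. The script name, parameters and the whitespace-based parsing of the command output are my own assumptions; it only reports what it would do unless -Force is given.

```powershell
# Added example, not from the original post: automate the two fixes above for one stuck
# RDS session. Run from an elevated prompt on the RDS host; identify the session ID first
# with 'query session' as described above. Usage:
#   .\Fix-StuckRdsSession.ps1 -SessionId 2 [-Mode KillCsrss|ResetSession] [-Force]
param(
    [Parameter(Mandatory = $true)][int]$SessionId,
    [ValidateSet('KillCsrss', 'ResetSession')][string]$Mode = 'KillCsrss',
    [switch]$Force    # without -Force the script only reports what it would do
)

# 'query session' columns: SESSIONNAME USERNAME ID STATE ... USERNAME may be blank, so the
# ID is taken as the first all-digit field after SESSIONNAME.
$sessions = foreach ($line in (query session | Select-Object -Skip 1)) {
    $f = ($line.Trim().TrimStart('>') -split '\s+')
    $i = 1
    while ($i -lt $f.Count -and $f[$i] -notmatch '^\d+$') { $i++ }
    if ($i -lt $f.Count) {
        [pscustomobject]@{
            Name  = $f[0]
            User  = $(if ($i -gt 1) { $f[1] } else { '' })
            Id    = [int]$f[$i]
            State = $f[$i + 1]
        }
    }
}
$target = $sessions | Where-Object { $_.Id -eq $SessionId }
if (-not $target) { Write-Warning "Session ID $SessionId not found"; return }
Write-Host ("Session {0} (ID {1}) user '{2}' state {3}" -f $target.Name, $target.Id, $target.User, $target.State)

if ($Mode -eq 'ResetSession') {
    # Troubleshooting 3: reset the whole session by its SESSIONNAME
    if ($Force) { reset session $target.Name } else { Write-Host "Would run: reset session $($target.Name)" }
    return
}

# Troubleshooting 2: kill csrss.exe inside the session. 'query process /id N' columns are
# USERNAME SESSIONNAME ID PID IMAGE, so IMAGE, PID and ID are the last three fields.
$csrssPids = foreach ($line in (query process /id $SessionId | Select-Object -Skip 1)) {
    $f = ($line.Trim().TrimStart('>') -split '\s+')
    if ($f.Count -ge 5 -and $f[-1] -ieq 'csrss.exe' -and $f[-3] -eq "$SessionId") { [int]$f[-2] }
}
if (-not $csrssPids) { Write-Warning "No csrss.exe found in session $SessionId"; return }
foreach ($p in $csrssPids) {
    if ($Force) { taskkill /F /PID $p } else { Write-Host "Would run: taskkill /F /PID $p" }
}
```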

Troubleshooting 4: RDSH server memory issue

A memory leak has been found on some Windows Server 2012 R2 RDSH servers. Over time, these servers begin to refuse both remote desktop connections and local console sign-ins with messages like the following:

The task you are trying to do can’t be completed because Remote Desktop Service is currently busy. Please try again in a few minutes. Other users should still be able to sign in.

Remote Desktop clients attempting to connect also become unresponsive.

To work around this issue, restart the RDSH server.

Also refer to these posts:

Remote desktop services is currently busy

The task you are trying to do can’t be completed because remote desktop services is currently busy but not others when trying to access remote computer using remote desktop?

Can’t see any Office 365 apps

Case 1: If you don’t see any apps after logging in to Office 365, make sure you have an Office 365 license.

Case 2: Today, I checked Microsoft Office 365 and there are no apps. It is not just me. I refreshed, and it is the same. Another user has the same issue. I cleared the cookies and browsing history and it is the same.

A: According to your description, I found that there is one Service Incident, MO544165 “Some users may be unable to view or access Microsoft 365 apps or services”, in the Office 365 admin center > Service health. Microsoft’s relevant team is investigating and working on this incident to fix it.

I will monitor this incident. When the issue is fixed, I will update the thread information with latest information.

Below is the SI information:

Title: Some users may be unable to view or access Microsoft 365 apps or services

User impact: Some users may be unable to view or access Microsoft 365 apps or services

More info: Impacted services may include, but are not limited to:

  • Microsoft 365 Online apps – Users may be unable to access Microsoft 365 web apps, such as Excel Online. Additionally, the search bar may not appear in any Office Online service.
  • Microsoft Teams – Admins may be unable to access the Microsoft Teams admin center.
  • SharePoint Online – Users may be unable to view the settings gear, search bar and waffle.
  • Microsoft Planner – Users may be unable to access Microsoft 365 web apps through Microsoft Planner.
  • Yammer – The search bar is missing from the User Interface.
  • Outlook on the web – Users may experience slowness or latency when accessing or using the service.
  • Microsoft Project for the Web – Users may be unable to view the waffle menu, settings, and help content.

Whilst the Microsoft 365 apps may not render, users can still access the applications directly through the URL. Some examples of these include:

  • Microsoft 365 Admin Center – admin.microsoft.com
  • Outlook – outlook.office.com
  • Microsoft Teams – teams.microsoft.com
  • Word Online – microsoft365.com/launch/word
  • Excel Online – microsoft365.com/launch/excel

Scope of impact: Impact is specific to some users who are served through the affected infrastructure.

A temporary workaround is to access the apps directly, for example https://outlook.office.com/mail for email or https://mycompany.sharepoint.com for SharePoint.

A user account restriction is preventing you from logging on

Situation: The user is a member of Domain Admins. However, he can’t access his remote computer using RDP, and gets this error: A user account restriction is preventing you from logging on

Troubleshooting: We find this user is also a member of the Protected Users group, which blocks him from using RDP. Please refer to this post: