Azure and ADFS Troubleshooting

The Netskope Client displays an error when downloading the configuration file after logging in to the ADFS IdP

The Netskope Client may display the error below while downloading configuration files.

image85.png

This error can occur when the user is not assigned to the Netskope SCIM provisioning app in Azure, when the user has not been on-boarded into the Netskope tenant, or when the claim value in ADFS is incorrect.

  1. Check whether the user has been assigned to the Netskope SCIM provisioning app in Azure, which on-boards users into the Netskope tenant.
    image29.png
  2. Check whether the user has been on-boarded into the tenant under Settings > Security Cloud Platform > Users.
    image33.png
  3. Check that Name ID is set to Email in the claims issuance policy in ADFS.
    image55.png

Where can I view SCIM synchronization logs in Azure for troubleshooting sync issues?

Go to the Audit Logs section within the SCIM application.

image86.png

After logging in to ADFS via the Netskope Client I get an Enrollment error

The Netskope Client may display the error below during enrollment.

image87.png

There could be multiple reasons for this error:

  1. Check that Name ID is set to Email in the claims issuance policy in ADFS.
    image55.png
  2. Check the event logs on the ADFS server for any unauthorized access. The user may need to be added to an AD group to permit access to the Relying Party Trust. Below is an example of a user being denied access.
  3. ADFS might be rejecting the certificate as part of the signing certificate revocation checks; see the error message below. If you see these signature errors, check whether you have disabled the Signing and Encryption checks for the Relying Party Trust.

    Netskope certificates are self-signed and cannot be validated over the public internet. The certificates also do not have any public-facing CRL Distribution Points or AIA values configured. You need to set the certificate checks to None.

    image59.png
  4. The Secure Hash Algorithm may be set incorrectly. If so, you will see the error below in the ADFS event logs.
    image90.png

    Set the value to SHA1 in ADFS for the Relying Party Trust.

    image51.png

Why do I get the message "Unable to verify Organization name" when the NS Client service starts?

You may see the message below if you have not configured Forward Proxy – SAML, or have not enabled it, in the tenant.

image91.png

Check that the Forward Proxy – SAML settings have been configured and enabled in the tenant as shown.

I have been onboarded into the Netskope tenant with my email address, but I use my UPN or SAM account name (e.g. domain\username) as my ADFS login and not my email address. Will the Netskope Client work in IdP mode?

Yes, the Netskope Client will work even if your login ID does not match your email address, as long as the user's email address has been set and configured in the ADFS issuance claim.

The email address must be populated for the Name ID outgoing claim type in ADFS.

image55.png
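The following PowerShell is an added example, not a Netskope or Microsoft script. It reports, for one Relying Party Trust, the three ADFS-side settings called out in the enrollment error section above (Name ID issued from the email claim, signing and encryption certificate revocation checks set to None, Secure Hash Algorithm SHA1), shows the issuance authorization rules that govern access to the trust, and carries the claim rules that issue Name ID from the user's AD mail attribute so that a UPN or SAM account name login still yields the email address as Name ID. The trust display name 'Netskope' is an assumption; the cmdlets and parameter names are those of the standard ADFS module.

```powershell
# Added example (not Netskope's or Microsoft's script): report the ADFS-side settings that
# the enrollment error checklist calls out, for one Relying Party Trust, and show the claim
# rules that issue Name ID from the user's mail attribute. Run in an elevated PowerShell on
# the ADFS server. The trust name below is an assumption.

Import-Module ADFS

$TrustName = 'Netskope'   # assumed display name of the Netskope Relying Party Trust

$EmailType  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$NameIdType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$Sha1Uri    = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

function Test-NetskopeRelyingPartyTrust {
    param([string]$Name)
    $rpt = Get-AdfsRelyingPartyTrust -Name $Name
    if (-not $rpt) { throw "Relying Party Trust '$Name' not found" }

    # 1. Name ID set to Email: look for a transform rule whose input is the emailaddress
    #    claim and whose issue() clause produces the nameidentifier claim.
    $rules   = [string]$rpt.IssuanceTransformRules
    $pattern = '(?s)Type\s*==\s*"' + [regex]::Escape($EmailType) + '".*?issue\([^;]*' + [regex]::Escape($NameIdType)

    [pscustomobject]@{
        Trust                         = $rpt.Name
        NameIdIssuedFromEmail         = [bool]($rules -match $pattern)
        # 2. Access to the trust is governed by these rules (the AD group check).
        IssuanceAuthorizationRules    = [string]$rpt.IssuanceAuthorizationRules
        # 3. Revocation checks: the documented value for both is None.
        SigningCertRevocationCheck    = [string]$rpt.SigningCertificateRevocationCheck
        EncryptionCertRevocationCheck = [string]$rpt.EncryptionCertificateRevocationCheck
        RevocationChecksAreNone       = ([string]$rpt.SigningCertificateRevocationCheck -eq 'None') -and ([string]$rpt.EncryptionCertificateRevocationCheck -eq 'None')
        # 4. Secure Hash Algorithm: the documented value is SHA1.
        SignatureAlgorithm            = $rpt.SignatureAlgorithm
        UsesSha1                      = ($rpt.SignatureAlgorithm -eq $Sha1Uri)
    }
}

# Claim rules that issue Name ID from the AD mail attribute, so a user who logs in with a
# UPN or SAM account name still gets their email address as Name ID.
$NameIdRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

function Set-NetskopeRelyingPartyTrustSettings {
    param([string]$Name)
    # Applies the documented values. -IssuanceTransformRules replaces the trust's existing
    # transform rules, so merge any other rules you rely on into $NameIdRules first.
    Set-AdfsRelyingPartyTrust -TargetName $Name `
        -IssuanceTransformRules $NameIdRules `
        -SigningCertificateRevocationCheck None `
        -EncryptionCertificateRevocationCheck None `
        -SignatureAlgorithm $Sha1Uri
}

Test-NetskopeRelyingPartyTrust -Name $TrustName | Format-List
# Set-NetskopeRelyingPartyTrustSettings -Name $TrustName   # run after reviewing the report
```

Run the report first and compare it with the screenshots in the sections above; the Set function is kept separate so that the transform rules are only replaced deliberately. The NameIdIssuedFromEmail check is a pattern match over the rule text, so a rule written in an unusual layout may need to be read by hand.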

I have removed/de-provisioned the user from the tenant, so why is the Netskope Client still active on the device for the user?

By design, once the user configuration files have been downloaded onto the device, the Netskope Client will always enable itself, even if the user has been removed or de-provisioned from the tenant.

The solution is to select Uninstall clients automatically in the device configuration. This automatically uninstalls the client from the device.

image93.png

Note

If the Client was installed with the multi-user option, this only removes the Client user configs from the user's profile on the next config sync or reboot. It does not affect other users on the device.

How can I troubleshoot SAML responses with the Netskope Client in IdP mode?

You can deploy Fiddler on the device, enable HTTPS intercept in Fiddler, and view the responses.

  1. Install Fiddler, enable HTTPS Intercept, and add the gateway and add-on URL exclusions.
  2. Start the NS Client IdP mode enrollment process; Fiddler will start capturing all the events.

    Before login

    image95.png

    Post Login

    image96.png

    Save All Sessions

    This creates a session archive file with a “.saz” extension that you can provide to Support.

    image97.png

    You can also troubleshoot yourself by clicking on the HTTP POST that carries the SAML response and using a SAML decoder to view it. Paste the values into any SAML decoder (search online for one) to view the details.

    Example of a SAML response decoded for troubleshooting, showing the ADFS certificate and NameID

    image99.png

    Example of a SAML response JWT token decoded for troubleshooting, showing tenant details
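The PowerShell below is an added example, not Netskope's or Fiddler's code, that performs the same decoding offline: it takes the base64 SAMLResponse value captured in the HTTP POST and reports the issuer, status, NameID and its format, the signature algorithm, and the thumbprint of the embedded signing certificate, and it decodes the payload of a JWT. The SAML response and JWT at the end are constructed for the example (the certificate and signature are placeholder bytes and the JWT claim names are made up), and the JWT is decoded without verifying its signature.

```powershell
# Added example (not Netskope's or Fiddler's code): extract the fields a troubleshooter
# looks for from a captured SAMLResponse and from a JWT, without pasting them into an
# online decoder. The sample response and token at the bottom are constructed for this
# example; in practice the SAMLResponse value is the form field in the HTTP POST
# captured by Fiddler.

function ConvertFrom-Base64Url {
    param([string]$Text)
    # JWT segments are base64url without padding; restore standard base64 first.
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    return [System.Convert]::FromBase64String($s)
}

function ConvertFrom-SamlResponse {
    param([string]$Base64Response)   # the SAMLResponse form field (standard base64)
    $bytes = [System.Convert]::FromBase64String($Base64Response)
    [xml]$doc = [System.Text.Encoding]::UTF8.GetString($bytes)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    $nameId    = $doc.SelectSingleNode('//saml:Assertion/saml:Subject/saml:NameID', $ns)
    $sigMethod = $doc.SelectSingleNode('//ds:Signature/ds:SignedInfo/ds:SignatureMethod', $ns)
    $certNode  = $doc.SelectSingleNode('//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)

    $thumbprint = $null
    if ($certNode) {
        # A certificate thumbprint is the SHA-1 of the DER bytes, so this value can be
        # compared directly with the Token-Signing certificate reported by
        # Get-AdfsCertificate -CertificateType Token-Signing on the ADFS server.
        $der  = [System.Convert]::FromBase64String($certNode.InnerText.Trim())
        $sha1 = [System.Security.Cryptography.SHA1]::Create()
        $thumbprint = ($sha1.ComputeHash($der) | ForEach-Object { $_.ToString('X2') }) -join ''
    }

    [pscustomobject]@{
        Issuer                = $doc.SelectSingleNode('//saml:Assertion/saml:Issuer', $ns).InnerText
        StatusCode            = $doc.SelectSingleNode('//samlp:Status/samlp:StatusCode', $ns).GetAttribute('Value')
        NameId                = $nameId.InnerText
        NameIdFormat          = $nameId.GetAttribute('Format')
        NameIdLooksLikeEmail  = [bool]($nameId.InnerText -match '^[^@\s]+@[^@\s]+\.[^@\s]+$')
        SignatureMethod       = $sigMethod.GetAttribute('Algorithm')
        SigningCertThumbprint = $thumbprint
    }
}

function ConvertFrom-JwtPayload {
    param([string]$Token)
    # Decodes the payload only; the signature is not verified here.
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Expected a compact JWS: header.payload.signature' }
    $json = [System.Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1]))
    return $json | ConvertFrom-Json
}

# --- constructed sample input (not a real capture; certificate and signature are placeholder bytes) ---
$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo>
      <ds:SignatureValue>UExBQ0VIT0xERVI=</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"@
$sampleResponse = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sampleXml))
ConvertFrom-SamlResponse -Base64Response $sampleResponse | Format-List

# Constructed JWT: the claim names are made up for the example.
function ConvertTo-Base64Url([byte[]]$Bytes) {
    return [System.Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header  = ConvertTo-Base64Url ([System.Text.Encoding]::UTF8.GetBytes('{"alg":"RS256","typ":"JWT"}'))
$payload = ConvertTo-Base64Url ([System.Text.Encoding]::UTF8.GetBytes('{"tenant":"example-tenant","email":"jdoe@example.com","exp":1700000000}'))
$sampleJwt = $header + '.' + $payload + '.c2ln'
ConvertFrom-JwtPayload -Token $sampleJwt | Format-List
```

With a real capture, replace $sampleResponse with the SAMLResponse value from the Fiddler session; the NameIdFormat and NameIdLooksLikeEmail fields confirm the Name ID claim discussed earlier, and the thumbprint lets you check that the assertion was signed with the ADFS token-signing certificate you expect.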
