If you have already been through Basic Steps and are still experiencing issues with Windows logon, then some more advanced steps need to be taken.

In the case of Windows Logon, the term Offline means that the Windows Logon Client cannot see or communicate with the Windows Logon Agent. It does not necessarily mean the machine is not connected to the network. A machine can still be connected while the Windows Logon credential screen reports an offline status.

Step 1 - Rescan the network

In the case of Offline B or Offline C, if you know that both the WLO Agent and the DualShield server are up and running, the first thing you could try is to click on rescan the network.

It is often the case that an end user working on a laptop has successfully logged on in Offline mode from home (see Offline Windows Logon with MFA), and the client has simply not refreshed itself upon returning to the office and rejoining the network.

This takes a few seconds. You may see a Please wait... message before the screen refreshes and the Offline message disappears.

Step 2 - Client Diagnostics

If you can still log in whilst in offline mode or via a local administrator account that is not protected by MFA then you can run the Client Diagnostics tool.

Once logged in, search for ClientDiag and run it.


If the Windows Logon Components screen pops up first, click OK on the bottom right.

You will now be presented with the Client Diagnostics window.



Select the domain the computer is joined to. If users from multiple domains can log on to the same machine (Windows Logon to Multiple Domains) then select the domain that is relevant to the issue.

   



In the case of Offline B, click on Query Agents.

A list of the Windows Logon agents that have been found should appear in the box below, and it should also state that they are connectable.


If the agents are not listed or they do appear but are not connectable, more information will appear in the grey area below.  

At this stage, you can try a rescan to try and re-detect the agents.


Step 3 - Ping, Telnet and Healthcheck

If agents are not appearing in Client Diagnostics and you have carried out diagnostics in Basic Steps then you need to make sure that the relevant IP addresses do resolve and ports have not been blocked by Firewall rules.

For best results, enable Telnet as a Windows feature rather than running PuTTY.

Open a command prompt and run the following...





| Test | Agent | Port | Expected Result if working correctly |
|---|---|---|---|
| ping | dswagent2 | | dswagent2 should resolve to the IP address of the machine that you have installed the agent on |
| ping | dswsslagent2 | | dswsslagent2 should resolve to the IP address of the machine that you have installed the agent on |
| telnet | dswagent2 | 14292 | will return a blank command prompt screen without error |
| telnet | dswsslagent2 | 14294 | will return a blank command prompt screen without error |






If the IP address is not resolved in the ping test, check that the DNS entry is correct and that the machine the agent is running on is operational and online.

If Telnet fails to connect, check that ports 14292 and 14294 have not been blocked by a firewall rule.







If you are reluctant to enable Telnet you can use a web browser to check the port connections.

| Healthcheck URL | Expected result |
|---|---|
| http://dswagent2.yourFQDN:14292/healthcheck | Should return the word Connected! |
| https://dswsslagent2.yourFQDN:14294/healthcheck | Should return the word Connected! |

(Please note that the certificate warning shown for the SSL test does not matter, as it refers to an internal agent certificate.)
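The three Step 3 checks (name resolution, port connection, healthcheck) can also be run in one pass from PowerShell. This is an added example, not a DualShield tool: it assumes curl.exe and Test-NetConnection are available on the machine, and yourFQDN is the page's placeholder, to be replaced with your own domain suffix.

```powershell
# Added example: name resolution, TCP port and healthcheck for both agent names.
# 'yourFQDN' is the page's placeholder; pass your real domain suffix instead.
param([string]$DomainSuffix = 'yourFQDN')

$agents = @(
    @{ Name = 'dswagent2';    Port = 14292; Scheme = 'http'  },
    @{ Name = 'dswsslagent2'; Port = 14294; Scheme = 'https' }
)

$results = foreach ($a in $agents) {
    $url = "$($a.Scheme)://$($a.Name).${DomainSuffix}:$($a.Port)/healthcheck"

    # Same question the ping test answers: does the agent name resolve?
    $ips = @()
    try {
        $ips = @([System.Net.Dns]::GetHostAddresses($a.Name) |
                 ForEach-Object { $_.IPAddressToString })
    } catch { }

    # Same question the telnet test answers: is the TCP port reachable?
    $portOpen = $false
    if ($ips.Count -gt 0) {
        $portOpen = (Test-NetConnection -ComputerName $a.Name -Port $a.Port `
                     -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # Healthcheck: only attempted when the port is reachable.
    $body = $null
    if ($portOpen) {
        $curlArgs = @('--silent', '--max-time', '5')
        # The SSL agent uses an internal certificate, so validation is
        # skipped for this one request only.
        if ($a.Scheme -eq 'https') { $curlArgs += '--insecure' }
        $body = (& curl.exe @curlArgs $url) -join ''
    }

    [pscustomobject]@{
        Agent       = $a.Name
        ResolvedTo  = $ips -join ', '
        Port        = $a.Port
        PortOpen    = $portOpen
        Healthcheck = $body
        Healthy     = ($body -match 'Connected!')
    }
}

$results | Format-Table -AutoSize
```

An empty ResolvedTo column points to the DNS entry, PortOpen False with a resolved address points to a firewall rule, and PortOpen True with Healthy False points to the agent itself.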

   




If Windows Logon is still not working as expected after testing and following the guidance above then please move on to Advanced Troubleshooting.
