Troubleshooting DC Agent when users are not identified

Article Number: 000001162
Products: V-Series, Web Security and Filter, Web Security Gateway, Web Security Gateway Anywhere, Websense Enterprise
Versions: 5.5, 6.0, 6.1, 6.2, 6.3, 7.0, 7.1, 7.5, 7.6

Problem Description

I have installed DC Agent for transparent user identification, but user and group policies aren't being applied. It seems like DC Agent isn't seeing the users. Why is this happening, and how can I fix it? I see the following error in the Websense.log file. 
 

Unable to access required file for a DC Agent instance: x.x.x.x DC Agent could not find or create a valid dc_config.txt file.
 
or,


The file 'dc_config.txt' could not be opened for read.
 

Resolution

DC Agent may fail to identify users if it cannot contact the domain controller, is retrieving information from the wrong domain controller, has a corrupted or missing configuration file, or records a blank entry for an address through Computer Polling.
 
This article covers the following topics:

  • Understand how DC Agent typically locates domain controllers
  • Configure which domain controllers DC Agent polls
  • Uncover DC Agent communication issues
  • Create a missing dc_config.txt file
  • DC Agent Not Identifying Some Users
 

Understand how DC Agent locates domain controllers

DC Agent works by identifying domain controllers in the network, and then querying those domain controllers for user logon sessions. By default, the agent automatically verifies existing domain controllers and detects new domains or domain controllers added to the network. It stores this information in a file called dc_config.txt (located in the Websense bin directory on the DC Agent machine).
 
DC Agent only identifies users who log on to the domain. A user who logs on with a local account receives the policy of the domain user previously seen at that IP address, because Filtering Service retains the earlier domain user name in its user map and applies that user's policy to subsequent sessions from the same address. To prevent the prior domain user's policy from being applied to locally logged on users, deploy Websense Logon Agent with the 'LOGOUT' switch. With Logon Agent deployed, domain user names are removed from the Filtering Service user map when those users log out, so locally logged on users receive the default policy.
 
If you want DC Agent to use this automatic domain detection, make sure that NetBIOS traffic is allowed through the firewalls and routers connecting virtually or physically separate subnets or domains. In particular, TCP port 139 (the NetBIOS session service) must be open. If port 139 is not open, you must instead deploy additional DC Agents in the virtually or physically remote domains.
 
To identify newly added domains and domain controllers, DC Agent performs a "domain discovery" action at startup, and then once daily thereafter. If a domain controller is added just after DC Agent completes its discovery action, that controller may not be queried for up to 24 hours. As a result, users who log on through it may not be identified. To avoid this possibility, you can:

  • Restart DC Agent after adding a new domain controller.
  • Manually add the new domain controller to the dc_config.txt file. 
    • DC Agent contacts each domain controller listed in this file, round-robin fashion, every ten seconds.
If you want to change how often DC Agent looks for new domain controllers, or if you do not want DC Agent to perform automatic domain detection:
  1. Go to the Websense bin directory on the DC Agent machine.
  2. Back up the transid.ini file.
  3. Open the original transid.ini file.
  4. By default, DC Agent automatically identifies the domains in its subnet every 24 hours, adding new domains and domain controllers to the dc_config.txt file. To change the domain detection interval, modify the line:
     
    DiscoverInterval=86400
    • The default value is 86400 seconds (equals 24 hours).
    • The minimum permitted interval is 3600 seconds (1 hour).
    • To disable domain detection altogether, set DiscoverInterval equal to 0.
  5. Save your changes and close the file.
  6. Restart Websense DC Agent service.
 

Configure which domain controllers DC Agent polls

If DC Agent is attempting to poll domain controllers that don't exist, or if you have turned off automatic domain discovery and want to have DC Agent poll a new domain controller, edit the dc_config.txt file to configure DC Agent behavior.

  1. Go to the Websense bin directory on the DC Agent machine.
  2. Make a backup copy of the dc_config.txt file in another location.
  3. Open the original copy of the dc_config.txt in a text editor (like Notepad).
  4. Confirm that all of your domains and domain controllers are listed. For example:
    • [WEST_DOMAIN]
      dcWEST1=on
      dcWEST2=on
      [EAST_DOMAIN]
      dcEAST1=on
      dcEAST2=on
  5. If there are entries in the list that DC Agent should not poll, change the entry value from on to off. For example:  dcEAST2=off
    • If you configure DC Agent to avoid polling an active domain controller, the agent cannot transparently identify users logging on to that domain controller.
    • If DC Agent's automatic domain discovery has detected a domain controller that should not be used to identify users, set the entry to off rather than removing it. Otherwise, the next discovery process will re-add the controller.
  6. If there are domain or domain controller entries missing from the list, you can add them manually. Before adding entries, run the net view /domain command on the DC Agent machine to make sure that the agent can see the new domain.
  7. Make sure the file ends with a hard carriage return, so that the last line is blank.
  8. Save your changes and close the file.
  9. Restart the Websense DC Agent service.
 

Uncover DC Agent communication issues

To identify users, DC Agent first sends a NetBIOS broadcast to discover domains and their associated domain controllers. If NetBIOS is not configured properly, or if there are network communication problems, DC Agent may be unable to find the domain controllers. To identify these issues:

  1. Open a command prompt (Start > Run > cmd) on the DC Agent machine.
  2. Attempt to connect to a domain controller on port 139, for example with  telnet <domain_controller> 139  (substitute the controller's host name). If the connection succeeds, you will see a blank screen. If unsuccessful:
    • A router, firewall, or other device may be blocking NetBIOS traffic.
    • NetBIOS may not be enabled, and the domain controller may not be listening on port 139. To check the status of the port, use the netstat command:
      • Windows:   netstat -na | find "139"
      • Linux:   netstat -na | grep 139
  3. To verify that the DC Agent machine can see all required domains, use the net view command:
    • net view /domain   (lists the domains visible from this machine; net view /domain:DOMAIN_NAME lists the computers in one domain)
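
The port 139 check above, scripted so that a whole list of controllers is probed with a timeout and the failure modes are reported separately. This is an added example written for this article, not a Websense tool. The controller names are placeholders taken from the sample dc_config.txt used in this article; on a real DC Agent machine substitute your own.

```python
"""Probe the NetBIOS session port (TCP 139) on each listed domain controller.

Added example, not Websense code. It reproduces the telnet test for a list
of hosts, with a timeout, and distinguishes the failure modes:
  unresolved - the name does not resolve (check DNS / NetBIOS name resolution)
  timeout    - no reply within the timeout (typically a firewall or router
               dropping the traffic)
  refused    - the host answers but nothing listens on the port (NetBIOS over
               TCP/IP disabled, or the wrong host)
"""
import socket

NETBIOS_SESSION_PORT = 139

# Placeholder controller names from the article's sample dc_config.txt;
# replace with your own controllers when running this on the DC Agent machine.
SAMPLE_CONTROLLERS = ["dcWEST1", "dcWEST2", "dcEAST1", "dcEAST2"]


def probe(host: str, port: int = NETBIOS_SESSION_PORT, timeout: float = 3.0) -> str:
    """Return 'open', 'unresolved', 'timeout', 'refused' or 'error'."""
    try:
        socket.gethostbyname(host)
    except socket.gaierror:
        return "unresolved"
    try:
        # A completed TCP handshake is exactly what a successful telnet shows.
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # must precede OSError: it is a subclass
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"


def check_controllers(hosts, port: int = NETBIOS_SESSION_PORT, timeout: float = 3.0) -> dict:
    """Map each controller name to its probe result."""
    return {host: probe(host, port, timeout) for host in hosts}


def unreachable(results: dict) -> list:
    """Controllers DC Agent will not be able to poll over port 139."""
    return [host for host, status in results.items() if status != "open"]


if __name__ == "__main__":
    results = check_controllers(SAMPLE_CONTROLLERS)
    for host, status in results.items():
        print(f"{host}: {status}")
    if unreachable(results):
        print("Check NetBIOS settings and firewalls for:", ", ".join(unreachable(results)))
```

A "timeout" result points at a router, firewall or IPS between DC Agent and the controller; "refused" means the controller is reachable but NetBIOS over TCP/IP is not listening; "unresolved" means the name itself is the problem and the net view check is the next step.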
 

Create a missing dc_config.txt file

If DC Agent does not create a dc_config.txt file, there are two ways to address the situation:

  • Prompt DC Agent to create the file.
  • Create the file manually.

To prompt DC Agent to create the file:

  1. Go to the Websense bin directory on the DC Agent machine.
  2. Create a backup copy of the transid.ini file in another location.
  3. Open the original transid.ini file in a text editor.
  4. Add the following line to the file:
    • UseUserService=False
      This entry is case sensitive.
  5. Make sure the file ends with a hard carriage return, so that the last line is blank.
  6. Save and close the file.
  7. Restart the DC Agent service. After about 2 minutes, the dc_config.txt file should be created automatically.
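
Both transid.ini edits in this article (changing DiscoverInterval under "Understand how DC Agent locates domain controllers", and adding UseUserService=False just above) follow the same pattern: back the file up, set or add one case-sensitive key=value line, keep the trailing newline. The script below does that with the DiscoverInterval limits enforced. It is an added example written for this article, not Websense code, and it assumes transid.ini is a flat key=value file with one setting per line; any other content of the real file is preserved untouched but not interpreted.

```python
"""Set a key in transid.ini safely (added example, not Websense code).

Assumption: transid.ini is a flat list of key=value lines. Keys are matched
case-sensitively, as the article requires for UseUserService.
"""
from pathlib import Path
import shutil

MIN_DISCOVER_INTERVAL = 3600   # seconds; smallest non-zero value permitted
DEFAULT_DISCOVER_INTERVAL = 86400  # 24 hours


def is_valid_discover_interval(seconds: int) -> bool:
    """0 disables discovery; otherwise the interval must be at least 1 hour."""
    return seconds == 0 or seconds >= MIN_DISCOVER_INTERVAL


def set_ini_key(text: str, key: str, value: str) -> str:
    """Return text with key=value set: an existing line for that key (exact
    case) is replaced, otherwise the line is appended. The result always
    ends with a newline, so the last line of the file is blank."""
    lines = text.splitlines()
    prefix = key + "="
    replaced = False
    for i, line in enumerate(lines):
        if line.strip().startswith(prefix):
            lines[i] = f"{key}={value}"
            replaced = True
    if not replaced:
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


def edit_transid(path: Path, key: str, value: str) -> Path:
    """Copy path to path + '.bak', then write the changed file. Returns the
    backup path so the caller can point at it if the change must be undone."""
    backup = Path(str(path) + ".bak")
    shutil.copy2(path, backup)
    path.write_text(set_ini_key(path.read_text(), key, value))
    return backup


def set_discover_interval(path: Path, seconds: int) -> Path:
    """Change how often DC Agent runs domain discovery (0 = never)."""
    if not is_valid_discover_interval(seconds):
        raise ValueError(
            f"DiscoverInterval must be 0 or >= {MIN_DISCOVER_INTERVAL} seconds, got {seconds}")
    return edit_transid(path, "DiscoverInterval", str(seconds))


def disable_user_service(path: Path) -> Path:
    """Add the UseUserService=False line that prompts DC Agent to create
    dc_config.txt itself after the service is restarted."""
    return edit_transid(path, "UseUserService", "False")
```

Run it as an administrator on the DC Agent machine against the transid.ini in the Websense bin directory, then restart the Websense DC Agent service; the script does not restart the service for you.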

To create the file manually:

  1. Open a text editor on the DC Agent machine.
  2. Use the following format to list each domain that DC Agent should poll, followed by its domain controllers, as shown below. The square brackets ([ ]) around the domain name are required.
    • [WEST_DOMAIN]
      dcWEST1=on
      dcWEST2=on
      [EAST_DOMAIN]
      dcEAST1=on
      dcEAST2=on
  3. Make sure the file ends with a hard carriage return, so that the last line is blank.
    • If this trailing return is missing, the last entry in the file is truncated and an error such as  "WSDCagent : Error reading Config File: dc_config.txt Erroneous Entry: dcEAST2=o"  appears in websense.log.
  4. Save the file in the Websense bin directory with the name dc_config.txt.
  5. Restart the DC Agent service.
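
A small parser and editor for the dc_config.txt format, covering both the editing procedure under "Configure which domain controllers DC Agent polls" and the manual creation steps above. It is an added example written for this article, not Websense code, and it implements only what the article states about the format: [DOMAIN] headers, one controller=on|off line per domain controller, and a required trailing newline. The sample content is constructed from the article's own example; the check for a missing trailing newline stands in for the truncated-entry error DC Agent itself would log.

```python
"""Parse, validate and edit dc_config.txt (added example, not Websense code).

Format, as described in the article:
    [DOMAIN_NAME]
    controller_name=on|off
    ...
The file must end with a newline, otherwise DC Agent truncates the last
entry (the 'Erroneous Entry: dcEAST2=o' message quoted above).
"""
from collections import OrderedDict

# Constructed sample, copied from the article's example file.
SAMPLE_DC_CONFIG = (
    "[WEST_DOMAIN]\n"
    "dcWEST1=on\n"
    "dcWEST2=on\n"
    "[EAST_DOMAIN]\n"
    "dcEAST1=on\n"
    "dcEAST2=on\n"
)


class DcConfigError(ValueError):
    """Raised for content DC Agent would log as an erroneous entry."""


def parse_dc_config(text: str) -> "OrderedDict[str, OrderedDict[str, bool]]":
    """Return {domain: {controller: polled}} preserving file order."""
    if text and not text.endswith("\n"):
        raise DcConfigError("file must end with a hard carriage return (blank last line)")
    domains = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]") and len(line) > 2:
            current = line[1:-1]
            domains.setdefault(current, OrderedDict())
            continue
        if current is None:
            raise DcConfigError(f"line {lineno}: entry before any [DOMAIN] header: {line}")
        name, sep, value = line.partition("=")
        if not sep or not name or value not in ("on", "off"):
            raise DcConfigError(f"line {lineno}: Erroneous Entry: {line}")
        domains[current][name] = value == "on"
    return domains


def render_dc_config(domains) -> str:
    """Serialize back to the file format, always with the trailing newline."""
    lines = []
    for domain, controllers in domains.items():
        lines.append(f"[{domain}]")
        lines.extend(f"{name}={'on' if polled else 'off'}"
                     for name, polled in controllers.items())
    return "\n".join(lines) + "\n"


def set_polling(text: str, domain: str, controller: str, polled: bool) -> str:
    """Turn one controller on or off, adding the domain and controller if
    they are missing. Use polled=False rather than deleting the line: the
    next discovery run would otherwise re-add the controller."""
    domains = parse_dc_config(text)
    domains.setdefault(domain, OrderedDict())[controller] = polled
    return render_dc_config(domains)


def dc_config_problem(text: str):
    """None if the file parses cleanly, otherwise the error message."""
    try:
        parse_dc_config(text)
    except DcConfigError as exc:
        return str(exc)
    return None
```

Run dc_config_problem on the file before restarting the service: it reports the missing trailing newline and malformed lines that would otherwise only show up in websense.log after the restart.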
  

DC Agent Not Identifying Some Users

 
Disable workstation polling.

  • DC Agent appears to be working, but some or all users are getting the default policy. When TestLogServer is run, the users who get the default policy show up with blank user names.
  • DC Agent has two methods of identifying which users are at which IP addresses: domain controller polling and Computer Polling (also called wkpolling or workstation polling).
  • For Computer Polling, DC Agent connects to each computer on the network and tries to read from the Windows registry who is logged on. This process is fragile; any of the following can cause it to fail:
    • DC Agent service is not running with a domain admin account.
    • The client's firewall, antivirus, or security permissions prevent access to the registry.
    • There is a firewall or IPS device between DC Agent and the client.
  • When DC agent tries to poll a computer and fails, it will put a blank entry for that IP address in its user map. Since Computer Polling has a higher precedence than DC polling, the blank entry will be used by the filtering service and that user will get the default policy.
  • The solution is to turn off Computer Polling in Websense Manager under Settings > User Identification > DC Agent. Although Computer Polling is on by default, in most environments the best practice is to leave it off.
 

DC Agent in the network 

  • Websense DC Agent can be used with a Windows-based directory service to enable transparent user identification. The agent periodically queries domain controllers for user logon sessions and polls client machines to verify logon status. It runs on a Windows server and can be installed in any domain in the network.
     
  • For each logon session identified by a domain controller, DC Agent performs DNS lookup to resolve the machine name to an IP address. DC Agent stores the user name/IP address pair in its user map in local memory. It periodically writes a copy of the user map to the backup file XidDcAgent.bak.
     
  • DC Agent provides user names and IP addresses to Filtering Service each time its user map is updated, sending only the user name/IP address pairs recorded since the last query. Filtering Service records them in its own copy of the user map in local memory. No credentials are transmitted in this exchange; it carries only user name/IP address pairs, not confidential information such as passwords.
     
  • After receiving information from DC Agent, Filtering Service queries User Service to get group information for user names in its copy of the user map. User Service queries the directory service for group information corresponding to those users, and sends the information to Filtering Service for use in applying filtering policies.
  • Although DC Agent requires local and domain administrator privileges to run, the agent only monitors information; it does not change any information on the domain controller or in the directory service.

Notes & Warnings

  • When modifying a configuration file on Windows Server 2008, you must open the text editor by right-clicking it and choosing "Run as administrator."
  • Before editing any Websense software configuration file, create a backup copy of the file, and save it in a safe location.
  • This problem also manifests itself as:
    • No logging or reporting
    • No user names in reports
    • Users being blocked incorrectly
  • For version 7.6, the default directory for 'new' installs is C:\Program Files\Websense\Web Security\ (32-bit machines) or C:\Program Files (x86)\Websense\Web Security\ (64 bit machines). The directory for upgrades to v7.6 is C:\Program Files\Websense\.
  • For Windows Server 2008 Domain Controllers, you must upgrade to v6.3.3 or v7.1 or higher in order for DC Agent to work correctly.
