
KB17957 - Network Connect (NC) error "nc.windows.app.23790" appears every time HC/CC re-evaluates its policies


Information

 
Last Modified Date: 11/5/2015 10:09 AM
Synopsis

When a user tries to access the SA, the Host Checker (HC)/Cache Cleaner (CC) evaluates its policies in a specific order. If role-level policies are enabled for HC/CC or if DPE is enabled, the SA will disconnect the user’s session during one of the periodic evaluations if the user no longer meets the security requirements for the available roles. This results in the session timeout message "nc.windows.app.23790" for Network Connect.

Problem or Goal

Why do I get Network Connect (NC) error "nc.windows.app.23790" every time HC/CC re-evaluates its policies, and how do I find the root cause of this issue?

Cause
Solution

The policy evaluation order and possible causes for failing to meet HC/CC restrictions are described below.

Policy Evaluation Order

When the user tries to access the SA, the Host Checker (HC)/Cache Cleaner (CC) evaluates its policies in the following order:

1. Initial evaluation — When a user first tries to access the SA sign-in page, Host Checker performs an initial evaluation. Using the rules specified in the policies, HC verifies that the client meets the endpoint requirements and returns its results to the SA. In the case of CC, the SA determines whether CC is running on the user's machine. (You can view the results in the user access log.) Host Checker/Cache Cleaner performs an initial evaluation regardless of whether you have implemented HC/CC policies at the realm, role, or resource policy level.

2. Realm-level policies — The SA uses the results from the initial HC/CC evaluation to determine which realms the user may access. HC/CC performs only realm-level checks when the user first signs into the SA. If the state of the user’s system changes during his session, the SA does not remove the user from the current realm or allow the user access to a new realm based on the user's new system state.

3. Role-level policies — After the user signs into a realm, the SA evaluates role-level policies and maps the user to the role or roles for which the user meets the HC/CC requirements. If HC/CC returns a different status during a periodic evaluation, the SA dynamically re-maps the user to roles based on the new results. If the user loses rights to all available roles during one of the periodic evaluations, the SA disconnects the user’s session unless remediation actions are configured to help the user bring his/her computer into compliance.

4. Resource-level policies — If HC/CC returns a different status during a periodic evaluation, the new status impacts only new resources that the user tries to access. For example, if the user successfully initiates a Network Connect session and then fails the next resource-level host check, the user may continue to access the open Network Connect session. The SA denies the user access only if the user tries to open a new Network Connect session. The SA checks the last status returned by Host Checker whenever the user tries to access a new Web resource or open a new Secure Application Manager, Network Connect, or Secure Terminal Access session.
 
Note on Dynamic Policy Evaluation (DPE): If DPE is enabled on the HC page (Authentication > Endpoint Security > Host Checker), HC can trigger the SA to evaluate resource policies whenever a user’s HC status changes. If DPE is enabled on the realm (General tab of Administrators > Admin Realms > Select Realm or Users > User Realms), the SA evaluates the HC/CC policies (if any) for a role whenever the HC/CC status of the user’s machine changes, at every refresh interval, and on demand (manual).
 


Causes of Failure to Meet HC/CC Restrictions

If role-level policies are enabled for HC/CC or if DPE is enabled, the SA will disconnect the user’s session during one of the periodic evaluations if the user no longer meets the security requirements for available roles. This will result in the session timeout message "nc.windows.app.23790" for Network Connect.

Failure to meet HC/CC restrictions can happen for one of two reasons:
  1. If the user is truly out of compliance with the HC/CC restrictions, then this is working as designed.

  2. However, if the PC remains compliant, it is possible that HC/CC was not able to send the update to the SA (the session was ended because the security compliance of the client machine could not be determined). If this occurs, the symptoms listed below will usually be observed. (Note: Also check whether you might be running into the issue described in KB15833, "Network Connect is disconnected with error nc.windows.app.23790 if Advanced Endpoint Defense is enabled".)

    • The User Access log will display the log messages below:
      • "System process detected a HC/CC time out on host <SOURCE IP> for user '<REALM>\<USERNAME>' (last update at YEAR-MONTH-DAY HR.MIN.SEC)"
      • "Active user 'USERNAME' in realm 'REALM' is deleted since user does not qualify reevaluated policies"

    • debuglog.log may display the messages below:
      • HTTP_RETRY, Network problem, retry in X seconds
      • Unable to resolve target system name secure.sslvpn.com
      • STATUS_CODE:408
      • Unable to ping the SA SSLVPN host name after NC is connected.
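The following triage script is an added example, not part of the original article or any vendor tooling. It scans exported log lines for the messages quoted above and separates sessions deleted after an HC/CC time out (reason 2) from sessions deleted without one (consistent with reason 1). The function name, verdict labels, and sample lines are assumptions; only the message texts come from this article, and the debuglog.log lines are assumed to come from the affected user's client.

```python
import re

# Message texts as quoted in this article. search() is used so that whatever a
# real log line carries around the message (timestamps, IDs) is ignored.
TIMEOUT_RE = re.compile(
    r"System process detected a HC/CC time out on host (?P<ip>\S+) "
    r"for user '(?P<realm>[^\\']+)\\(?P<user>[^']+)'")
DELETED_RE = re.compile(
    r"Active user '(?P<user>[^']+)' in realm '(?P<realm>[^']+)' is deleted "
    r"since user does not qualify reevaluated policies")
# Client-side debuglog.log symptoms listed in the article.
CLIENT_HINTS = ("HTTP_RETRY", "Unable to resolve target system name",
                "STATUS_CODE:408")

# Constructed sample input (not taken from a real device).
SAMPLE_ACCESS = [
    "System process detected a HC/CC time out on host 192.0.2.10 for user "
    "'Users\\alice' (last update at 2015-11-05 09.58.12)",
    "Active user 'alice' in realm 'Users' is deleted since user does not "
    "qualify reevaluated policies",
    "Active user 'bob' in realm 'Users' is deleted since user does not "
    "qualify reevaluated policies",
]
SAMPLE_DEBUG = ["HTTP_RETRY, Network problem, retry in 5 seconds"]


def classify_disconnects(access_lines, debug_lines=()):
    """Return {(realm, user): verdict} for each session the SA deleted."""
    timed_out = set()   # (realm, user) pairs with a pending HC/CC time out
    verdicts = {}
    net_errors = any(h in l for l in debug_lines for h in CLIENT_HINTS)
    for line in access_lines:
        m = TIMEOUT_RE.search(line)
        if m:
            timed_out.add((m["realm"], m["user"]))
            continue
        m = DELETED_RE.search(line)
        if not m:
            continue
        key = (m["realm"], m["user"])
        if key in timed_out:
            # Deleted after a missed HC/CC update: compliance was unknown.
            verdict = "hc_update_not_received"
            if net_errors:
                verdict += "+client_network_errors"
            timed_out.discard(key)
        else:
            # Heuristic: no time out seen, so HC/CC reported a failing state.
            verdict = "policy_failed"
        verdicts[key] = verdict
    return verdicts
```

A `policy_failed` verdict only means no time out message preceded the deletion in the lines supplied, so feed the function a window of the user access log that covers at least one full evaluation interval.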


In The Final Analysis

If you are unable to determine the cause of the issue, please Contact Support.
Created By: Data Deployment