Wednesday 5 October 2016

Trend micro officescan and Cisco Anyconnect: Profile settings require a single local user

Too many local users

One of our Surface Pro users was unable to connect to our Vpn with his Cisco Anyconnect (3.1.10010) client.
The message was clear: He was not alone on his machine and blocking such a machine makes sense (e.g. in a terminal server environment).



The message in the ASA's log was:
Group <XXXX> User <XXXX> IP <XXX.XXX.XXX.XXX> SVC Message: 16/ERROR: Profile settings require a single local user but multiple local users are logged in..

The error message on the client was:
AnyConnect profile settings mandate a single local user, but multiple local users are currently logged into your computer.  A VPN connection will not be established.

The task manager's "Users" tab did not show any additional users on his machine.
But there was one additional session visible in the command shell:


C:\Users\YYY>query session
SITZUNGSNAME   BENUTZERNAME          ID  STATUS  TYP         GERÄT
services                              0  Getr.
                                      1  Inakt.
>console     YYYY                     4  Aktiv
rdp-tcp                           65536  Abhör.


C:\Users\YYY>

Power of the shell!

The inactive "Session 1" should not be there.
To find out more about it, we need PowerShell:

PS C:\Users\YYY>  Get-Process | Where SessionId -eq 1

Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id  SI ProcessName
-------  ------    -----      ----- -----   ------     --  -- -----------
    372      10     1544      10456 ...00            5312   1 csrss
    314      46    13420       4288   193     3,63   9208   1 PccNTMon


Virus scanner troubles...

The user could not kill any of there processes in the task manager. But PccNTMon is part of Trend Micro' Office scan.


So we disabled that. The processes and both the processes and the session disappeared.

Anyconnect then connected without problems. - Ok as a one-time workaround, but not acceptable as a permanent solution.

1 comment:

  1. In PowerShell, if logoff [SessionID] doesn't work, the Stop-Computer command worked for me

    ReplyDelete