This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

User authentication against firewall from Terminalserver not working properly

Were having Windows TS with Intercept X. The TS is registered on the firewall (SFOS 19.5.1) as "Citrix Server".

The user that login to the TS are authenticating also against the firewall through the Intercept-X client on the TS. This is working generally.

But for a while now, we're getting complaints from changing users, saying they cannot access internet or internal servers. When checking, we see, their TS user session is not authenticated against the firewall.

We ask them to log off and log in again to the TS. Most of the times, this works after 2 or 3 attempts and their user session from the TS appears in the list of authenticated users on the firewall and they can proceed accessing internet and internal servers (based on FW rules with user authentication).

This is a strange behaviour and I'd like to know how we should proceed analyzing the issue.

Any idea?

TS has Endpoint EAP

This thread was automatically locked due to age.
  • You should check the logviewer of the firewall for authentication requests and the local server (sntp.log). 


  • thank you. I put

    service access_server:debug -ds nosync

    and HB on the TS in debug.

    Need to wait now and hope the log on the firewall is not filling up the disk.

  • just realized: it was the wrong module on the endpoint.

    that's the correct setting:

  • problem could be catched while debug running. I see no obvious issue in it except the firewall not getting the new username from the thin client.

    usually you would find this in the access_server.log when a SATC login is successful:

    INFO      May 08 06:35:20.900921Z [access_server]: PCA called for
    DEBUG     May 08 06:35:20.900926Z [access_server]: (should_process_login_request): Started request from SATC
    DEBUG     May 08 06:35:20.900931Z [access_server]: (lc_utf8_bytes): lowercase = 'username'
    DEBUG     May 08 06:35:20.900935Z [access_server]: process_citrix_login_request: SESSIONID:'5',IP:'',USER:'username',DOMAIN:''

    in our case, there is nothing. A few minutes later or earlier, other SATC user logins from the same ThinClient / IP were successful.

    filed a support case: 06506059

  • just an update

    support case is still going on. sounds like the logs they have include debug are not enough at this stage:

    - full process monitor log while login of an affected user

    - on Endpoint all NTP components in debug, not only SNTPService

    - Firewall access_server.log in debug

    today I see several logs on the firewall access_server.log like this:

        Line  97: ERROR     May 09 07:09:26.171923Z [access_server]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP (sqrs 101)
        Line 113: ERROR     May 09 14:55:43.912436Z [access_server]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP (sqrs 101)
        Line 122: ERROR     May 10 06:37:41.917940Z [access_server]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP (sqrs 101)
        Line 123: ERROR     May 10 06:43:28.734170Z [access_server]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP (sqrs 101)

    Yesterday we switched firewall HA nodes. maybe that is a leftover from there. Will reboot the Terminalserver tonight.

    is it expected, that the RDP Session ID does not match the session ID reported by SATC to the firewall?

    example: RDP Session 9 appears as on the firewall:

    User xxxx@domain.local of group Open Group logged in successfully to Firewall through AD authentication mechanism from

    I thought that the session ID would be equal on both sides but I cannot remember exactly and have no documentation of that part.

  • the case is back at the network security  team because they say it is not a client issue. lets see.

    case is not progressing currently

  • It looks like we have a development ticket opened for this issue as well. This is logged under the ID "WINEP-45479". This was identified just recently after a review from our L3 team. It seems the case was transferred to Endpoint support just after this was identified, as the development ticket is also with our Endpoint developers.

    Correction: The case was transferred to our network team so that information is available from both sides to progress the investigation.

    I will follow up with our support team to ensure the case is progressing smoothly.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Reply Children
  • to me it looks like the endpoint has issues recognizing the correct RDP session ID.

    In most cases I cannot find correct RDP Session ID of a user in the sntpservice log - it appears as an other ID. posted that already before.

    Today Support did the whole debug thing again in a remote session and updated me that they found that a login of a user is logged as logout.

    weird things going on.

    back again to the client team. just as mentioned here

  • Case is still open, currently at Dev to recreate issue on their side. I hope they do. On the other hand, we have a "working" life demo with the issue still ongoing....

    Today I noticed the opposite issue:

    A user that is no longer logged on a terminalserver, still has a Thin-Client session on the firewall.

  • You don't use STAS too for the same network?

    I had a similair strange issue with STAS tho. We used 2 different mailboxes (2 AD Accounts) sometimes STAS used the 2nd AD Account which didn't had the right perms for http access. So the use with his logged in AD Acc in Win10 got blocked due to the 2nd AD Acc Mailbox. Pretty weird too.

  • support case still going...
    a file ...netfilter/xt_LOG.ko has been replaced with a debug version to find out what's happening.
    I hope they do.

  • today on one of our TS it is only possible to authenticate one user. The user that comes second will not be authenticated.

    also a new experience. nothing logged in access_server.log when second user logs in.

    at logoff event of second user:

    MESSAGE   Aug 18 10:02:02.384832Z [access_server]: tlvserver_process_request: GOT ALERT.EXECUTE_HEARTBEAT
    ERROR     Aug 18 10:02:07.621513Z [access_server]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP (sqrs
    ERROR     Aug 18 10:02:07.621539Z [access_server]: (handle_external_logout_req_finish_free): SQLITE_REQ_GETLIVEUSERINFO query failed

    all parameters for SATC are correctly set on FW and TS.

    ntp logs on the client show the user logins and logoffs.

  • the case is still open. unbelievable, that it is not possible to catch the issue at Sophos side.

    2 versions of some debug files have been installed on the firewall since, we're on 19.5. MR3 and the reason why it is happening daily is still unidentified. TS user auth gets fordwarded to firewall, sometimes not.

    issue happening with and without EAP verision of enspoint.

  • documenting this Methusalem a little bit.

    last suggestion was:  add reg key on TS

    "HKLM\SOFTWARE\Sophos\Sophos Network Threat Protection\Application"  SatcPendDurationMs (DWORD)

    No specific value was given. So I tested with 2000ms but that made user logins on the TS extremely slow. So went to 1000ms. That should be enough in LAN environment anyway.

    This had absolutely no effect on the SATC Authentication on the Firewall on 2 TS I tested with. Still randomly users on the TS are not authenticated against the Firewall.

    even the 1000ms value slowed down user logins massively, less than the value with 2000ms though.

    Somehow it is hard to believe that this is working smoothly in production elsewhere.

  • Update: in May 2023 (!) the case moved  from Endpoint Team to NSG, back to Endpoint and back again to NSG.

    Today I got an update from the case owner that it is now back at the Endpoint Team.

  • Hi, we have the same issue as LHerzogs describes.

    Since we change to XGS there is a lot of trouble all around authentification from am a terminal server session. support was already in, and one bug was fixed in one of the last firmeware updates.

    It is a shame for sophos. User based web filtering is a key feature, the only workaround is via direct proxy, what is not possible in our company.

    It get even worse as we were force from the standalone auth client to the new endpoint. both clients are sending the data package so it was no technical issue but a economic problem.

     please keep us up to date.