User authentication against firewall from Terminalserver not working properly

You should check the logviewer of the firewall for authentication requests and the local server (sntp.log). 

thank you. I put

service access_server:debug -ds nosync

and HB on the TS in debug.

Need to wait now and hope the log on the firewall is not filling up the disk.

just realized: it was the wrong module on the endpoint.

that's the correct setting:

problem could be catched while debug running. I see no obvious issue in it except the firewall not getting the new username from the thin client.

usually you would find this in the access_server.log when a SATC login is successful:

INFO      May 08 06:35:20.900921Z [access_server]: PCA called for 172.16.xxx.xxx
DEBUG     May 08 06:35:20.900926Z [access_server]: (should_process_login_request): Started 172.16.xxx.xxx-5 request from SATC
DEBUG     May 08 06:35:20.900931Z [access_server]: (lc_utf8_bytes): lowercase = 'username'
DEBUG     May 08 06:35:20.900935Z [access_server]: process_citrix_login_request: SESSIONID:'5',IP:'172.16.xxx.xxx-5',USER:'username',DOMAIN:''

in our case, there is nothing. A few minutes later or earlier, other SATC user logins from the same ThinClient / IP were successful.

filed a support case: 06506059

just an update

support case is still going on. sounds like the logs they have include debug are not enough at this stage:

- full process monitor log while login of an affected user

- on Endpoint all NTP components in debug, not only SNTPService

- Firewall access_server.log in debug

today I see several logs on the firewall access_server.log like this:

    Line  97: ERROR     May 09 07:09:26.171923Z [access_server]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP 172.16.xxx.xxx-7 (sqrs 101)
    Line 113: ERROR     May 09 14:55:43.912436Z [access_server]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP 172.16.xxx.xxx-7 (sqrs 101)
    Line 122: ERROR     May 10 06:37:41.917940Z [access_server]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP 172.16.xxx.xxx-4 (sqrs 101)
    Line 123: ERROR     May 10 06:43:28.734170Z [access_server]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP 172.16.xxx.xxx-7 (sqrs 101)

Yesterday we switched firewall HA nodes. maybe that is a leftover from there. Will reboot the Terminalserver tonight.

is it expected, that the RDP Session ID does not match the session ID reported by SATC to the firewall?

example: RDP Session 9 appears as 172.16.xxx.xxx-13 on the firewall:

User xxxx@domain.local of group Open Group logged in successfully to Firewall through AD authentication mechanism from 172.16.xxx.xxx-13

I thought that the session ID would be equal on both sides but I cannot remember exactly and have no documentation of that part.

the case is back at the network security  team because they say it is not a client issue. lets see.

case is not progressing currently

It looks like we have a development ticket opened for this issue as well. This is logged under the ID "WINEP-45479". This was identified just recently after a review from our L3 team. It seems the case was transferred to Endpoint support just after this was identified, as the development ticket is also with our Endpoint developers.

Correction: The case was transferred to our network team so that information is available from both sides to progress the investigation.

I will follow up with our support team to ensure the case is progressing smoothly.

Thanks a lot  Qoosh !

Thanks a lot  Qoosh !

to me it looks like the endpoint has issues recognizing the correct RDP session ID.

In most cases I cannot find correct RDP Session ID of a user in the sntpservice log - it appears as an other ID. posted that already before.

Today Support did the whole debug thing again in a remote session and updated me that they found that a login of a user is logged as logout.

weird things going on.

back again to the client team. just as mentioned here

Case is still open, currently at Dev to recreate issue on their side. I hope they do. On the other hand, we have a "working" life demo with the issue still ongoing....

Today I noticed the opposite issue:

A user that is no longer logged on a terminalserver, still has a Thin-Client session on the firewall.

You don't use STAS too for the same network?

doc.sophos.com/.../index.html

I had a similair strange issue with STAS tho. We used 2 different mailboxes (2 AD Accounts) sometimes STAS used the 2nd AD Account which didn't had the right perms for http access. So the use with his logged in AD Acc in Win10 got blocked due to the 2nd AD Acc Mailbox. Pretty weird too.

no we're not using STAS.

support case still going...
a file ...netfilter/xt_LOG.ko has been replaced with a debug version to find out what's happening.
I hope they do.

today on one of our TS it is only possible to authenticate one user. The user that comes second will not be authenticated.

also a new experience. nothing logged in access_server.log when second user logs in.

at logoff event of second user:

MESSAGE   Aug 18 10:02:02.384832Z [access_server]: tlvserver_process_request: GOT ALERT.EXECUTE_HEARTBEAT
ERROR     Aug 18 10:02:07.621513Z [access_server]: (_sqlite_db_handle_get_liveuserinfo): GET_LIVEUSER_INFO_TO_LOGOUT found no entries for IP xxx.xxx.xxx.xxx-3 (sqrs
ERROR     Aug 18 10:02:07.621539Z [access_server]: (handle_external_logout_req_finish_free): SQLITE_REQ_GETLIVEUSERINFO query failed

all parameters for SATC are correctly set on FW and TS.

ntp logs on the client show the user logins and logoffs.

the case is still open. unbelievable, that it is not possible to catch the issue at Sophos side.

2 versions of some debug files have been installed on the firewall since, we're on 19.5. MR3 and the reason why it is happening daily is still unidentified. TS user auth gets fordwarded to firewall, sometimes not.

issue happening with and without EAP verision of enspoint.

documenting this Methusalem a little bit.

last suggestion was:  add reg key on TS

"HKLM\SOFTWARE\Sophos\Sophos Network Threat Protection\Application"  SatcPendDurationMs (DWORD)

No specific value was given. So I tested with 2000ms but that made user logins on the TS extremely slow. So went to 1000ms. That should be enough in LAN environment anyway.

This had absolutely no effect on the SATC Authentication on the Firewall on 2 TS I tested with. Still randomly users on the TS are not authenticated against the Firewall.

even the 1000ms value slowed down user logins massively, less than the value with 2000ms though.

Somehow it is hard to believe that this is working smoothly in production elsewhere.

Update: in May 2023 (!) the case moved  from Endpoint Team to NSG, back to Endpoint and back again to NSG.

Today I got an update from the case owner that it is now back at the Endpoint Team.

Hi, we have the same issue as LHerzogs describes.

Since we change to XGS there is a lot of trouble all around authentification from am a terminal server session. support was already in, and one bug was fixed in one of the last firmeware updates.

It is a shame for sophos. User based web filtering is a key feature, the only workaround is via direct proxy, what is not possible in our company.

It get even worse as we were force from the standalone auth client to the new endpoint. both clients are sending the data package so it was no technical issue but a economic problem.

LHerzog please keep us up to date.