
User Portal Authentication with Active Directory errors for specific users

Good afternoon everyone!

I have a strange issue which I have theories about, but would appreciate what your thoughts might be on it.

Short story: setting up SSL VPN with back-end Active Directory authentication. Set up a new user, non-admin, logged into the user portal fine. This was my test to make sure everything was working fine.

Rolled out to everyone, but some users had issues; the live log showed an error rather than a deny, so I made a new security group in AD, put everyone in it and then triggered the pre-fetch. I know I don't need to do this but wanted to see what it would do.

Here come the errors.

Prefetch Log for a user.

2019:02:08-14:59:33 remote user_prefetch[6754]: # 27 Creating user user.name
2019:02:08-14:59:36 remote user_prefetch[6754]: Failed to set object
2019:02:08-14:59:36 remote user_prefetch[6754]: >=========================================================================
2019:02:08-14:59:36 remote user_prefetch[6754]: $VAR1 = [
2019:02:08-14:59:36 remote user_prefetch[6754]: 'DATATYPE_ARRAY_ELEMENT',
2019:02:08-14:59:36 remote user_prefetch[6754]: {
2019:02:08-14:59:36 remote user_prefetch[6754]: 'remove' => 'user.name@userdomain..com',
2019:02:08-14:59:36 remote user_prefetch[6754]: 'attrs' => [
2019:02:08-14:59:36 remote user_prefetch[6754]: 'number',
2019:02:08-14:59:36 remote user_prefetch[6754]: 'remove'
2019:02:08-14:59:36 remote user_prefetch[6754]: ],
2019:02:08-14:59:36 remote user_prefetch[6754]: 'number' => 1,
2019:02:08-14:59:36 remote user_prefetch[6754]: 'ref' => 'REF_AaaUseUserName',
2019:02:08-14:59:36 remote user_prefetch[6754]: 'name' => 'Removing 1 invalid element(s) \'user.name@userdomain..com\' from the list.',
2019:02:08-14:59:36 remote user_prefetch[6754]: 'attr' => 'email_secondary',
2019:02:08-14:59:36 remote user_prefetch[6754]: 'msgtype' => 'DATATYPE_ARRAY_ELEMENT',
2019:02:08-14:59:36 remote user_prefetch[6754]: 'never_hide' => 0,
2019:02:08-14:59:36 remote user_prefetch[6754]: 'check' => 'input',
2019:02:08-14:59:36 remote user_prefetch[6754]: 'format' => 'Removing %d invalid element(s) \'%s\' from the list.',
2019:02:08-14:59:36 remote user_prefetch[6754]: 'fatal' => undef,
2019:02:08-14:59:36 remote user_prefetch[6754]: 'class' => 'aaa',
2019:02:08-14:59:36 remote user_prefetch[6754]: 'type' => 'user',
2019:02:08-14:59:36 remote user_prefetch[6754]: 'never_fatal' => 1
2019:02:08-14:59:36 remote user_prefetch[6754]: }
2019:02:08-14:59:36 remote user_prefetch[6754]: ];
2019:02:08-14:59:36 remote user_prefetch[6754]: <=========================================================================

Live log for user portal authentication

2019:02:08-13:14:35 remote aua[27247]: id="3006" severity="info" sys="System" sub="auth" name="Trying y.y.y.y (adirectory)"
2019:02:08-13:14:39 remote aua[27247]: id="3006" severity="info" sys="System" sub="auth" name="updateUserObject: failed to set object for user "user.name" - error "DATATYPE_ARRAY_ELEMENT""
2019:02:08-13:14:39 remote aua[27247]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" host="" user="user.name" caller="portal" reason="DENIED"
2019:02:08-13:15:07 remote aua[3514]: id="3006" severity="info" sys="System" sub="auth" name="Running _cleanup_up_children with max_run_time: 20"
2019:02:08-13:15:07 remote aua[3514]: id="3006" severity="info" sys="System" sub="auth" name="Child 27247 is running too long. Terminating child"

My theories are: some form of corruption, but I can't figure out if it's in the Active Directory or the UTM; or it's something in the AD attributes, as the 4 people this happened to are essentially the 4 founding people of the company 20 or so years ago and have been in AD since 2003 server days.

Any thoughts would be appreciated.

Cheers

Ian
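As an added example (not part of Ian's post and not Sophos' own tooling): a small Python script that walks UTM user_prefetch and aua log lines like the excerpts above, pairs each rejected 'remove' value with the UTM attribute it was dropped from, and explains why the value fails a basic e-mail address sanity check (here the doubled dot in userdomain..com). That gives you a per-user list of which directory e-mail values to inspect on the affected accounts. The embedded log lines are constructed from the excerpts in the thread; the regexes and the validation rules are assumptions of this example, not UTM's own validator.

```python
import re

# Constructed sample, modelled on the prefetch and aua excerpts in the thread above.
# user.name is the failing account; other.user is a clean one for contrast.
SAMPLE_LOG = r"""2019:02:08-14:59:33 remote user_prefetch[6754]: # 27 Creating user user.name
2019:02:08-14:59:36 remote user_prefetch[6754]: Failed to set object
2019:02:08-14:59:36 remote user_prefetch[6754]: 'remove' => 'user.name@userdomain..com',
2019:02:08-14:59:36 remote user_prefetch[6754]: 'attrs' => [
2019:02:08-14:59:36 remote user_prefetch[6754]: 'number',
2019:02:08-14:59:36 remote user_prefetch[6754]: 'remove'
2019:02:08-14:59:36 remote user_prefetch[6754]: ],
2019:02:08-14:59:36 remote user_prefetch[6754]: 'name' => 'Removing 1 invalid element(s) \'user.name@userdomain..com\' from the list.',
2019:02:08-14:59:36 remote user_prefetch[6754]: 'attr' => 'email_secondary',
2019:02:08-14:59:36 remote user_prefetch[6754]: 'msgtype' => 'DATATYPE_ARRAY_ELEMENT',
2019:02:08-14:59:40 remote user_prefetch[6754]: # 28 Creating user other.user
2019:02:08-13:14:39 remote aua[27247]: id="3006" severity="info" sys="System" sub="auth" name="updateUserObject: failed to set object for user "user.name" - error "DATATYPE_ARRAY_ELEMENT""
2019:02:08-13:14:39 remote aua[27247]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" host="" user="user.name" caller="portal" reason="DENIED"
"""

# Patterns are assumptions derived from the log lines quoted in the thread.
CREATE_RE = re.compile(r"user_prefetch\[\d+\]: # \d+ Creating user (\S+)")
REMOVE_RE = re.compile(r"user_prefetch\[\d+\]: 'remove' => '([^']*)'")
ATTR_RE = re.compile(r"user_prefetch\[\d+\]: 'attr' => '([^']*)'")
AUA_RE = re.compile(
    r'aua\[\d+\]: .*updateUserObject: failed to set object for user "([^"]+)" - error "([^"]+)"'
)


def email_problems(addr):
    """Return a list of reasons an address looks malformed (empty list = looks fine).

    Deliberately simple: this is a triage aid for directory data, not RFC 5322.
    """
    problems = []
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return ["no '@'"]
    if not local:
        problems.append("empty local part")
    if not domain:
        problems.append("empty domain")
    else:
        labels = domain.split(".")
        if any(label == "" for label in labels):
            problems.append("empty DNS label (leading, trailing or doubled dot)")
        if len(labels) < 2:
            problems.append("domain has no dot")
    return problems


def parse_prefetch_failures(text):
    """Map each user the prefetch touched to the values it removed and from which attribute."""
    failures = {}
    current = None  # user named by the most recent 'Creating user' line
    for line in text.splitlines():
        m = CREATE_RE.search(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = REMOVE_RE.search(line)
        if m:
            rec = failures.setdefault(current, {"attr": None, "removed": []})
            rec["removed"].append(m.group(1))
            continue
        m = ATTR_RE.search(line)
        if m and current in failures:
            failures[current]["attr"] = m.group(1)
    return failures


def parse_aua_failures(text):
    """Return (user, error) pairs from aua 'failed to set object' lines."""
    return [m.groups() for m in (AUA_RE.search(l) for l in text.splitlines()) if m]


def report(text):
    """One row per rejected value: who, which UTM attribute, why, and whether aua also logged it."""
    prefetch = parse_prefetch_failures(text)
    aua_users = {user for user, _ in parse_aua_failures(text)}
    rows = []
    for user, rec in prefetch.items():
        for value in rec["removed"]:
            rows.append({
                "user": user,
                "attr": rec["attr"],
                "value": value,
                "problems": email_problems(value),
                "seen_in_aua": user in aua_users,
            })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(f"{row['user']}: {row['attr']} = {row['value']!r} -> "
              f"{'; '.join(row['problems']) or 'no obvious problem'}"
              f"{' (also failed in aua)' if row['seen_in_aua'] else ''}")
```

Run it against a real export of the prefetch and aua logs instead of SAMPLE_LOG; a row whose problems list is empty means the value passed this script's checks and UTM rejected it for some other reason, which is worth knowing before you start editing directory attributes.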

  • Hi Ian,

    Apparently, there's already a User object in your UTM with user.name@userdomain..com listed as an address.  You might want to review #6 in Rulz.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    Thanks for the suggestion but it doesn't make any sense to me in this situation. (I do have thick moments sometimes though, especially Monday mornings.)

    The users have never used the UTM in any form of authentication before this setup, it's effectively entirely fresh. Not even local users. There are also none listed anywhere other than the admin ones. The user was getting the first error, which is what prompted me to try and pre-fetch to see if it gave any more details about connecting to the AD/user object, and it did.

    The prefetch actually states it updates the user if they exist, which is correct. These 4 users simply fail with the above. 2 of the users don't even know what a VPN is; they drive to the office if they want to get files (extreme old school!). They just so happened to fail too.

    Two new test users I created in the AD worked fine. The very first time the user above tried to log in, it failed with the error that I can only find references to that potentially involve corruption.

    I'm not dismissing that the user may exist, I just can't find any proof they do, and cannot backtrack to any situation that they ever would have existed.

    Cheers

    Ian

  • In reply to Ian Hellier:

    That's curious, Ian.  Will WebAdmin let you add a user manually with that email address?  You are speaking of the email address, not the user name - right?

    Cheers - Bob