
After updating to 9.501-5 SSO for HTTP authentication failed and domain join not working.

UTM 9.501-5

Windows server 2012 domain controller.

I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites.

Can get to Google.ca

Cannot get to canada411.com - Too many http redirects message.

Turned off web filtering and the websites were available - but the client requires filtering.

Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.

Attempted to remove from and rejoin domain, but domain join failed.

 

Currently, I have the client functioning, but, I need to rejoin AD and resume SSO authentication.

 



  • Did you see this?

    Which browser did you use? Try Firefox.

    Best

    Alex


  • Tried Chrome and IE before dropping from the domain, but since I cannot rejoin the domain, I am unable to test Firefox.

    The client requires custom security settings in IE, so Firefox is not a viable option.

  • As suggested here: Sophos Forum

     

    Remove the UTM from the domain, delete the computer object in AD, force and wait for the DCs to sync, rejoin the domain.

    This worked fine for me. AD SSO works again in proxy Standard mode.

     

    After removing the UTM from the domain I restarted all Sophos UTM cluster nodes.

    I don't know if that's necessary, but maybe you could try that if it still doesn't work.

     

    I hope the AD SSO still works after another restart of the UTM.

    I am glad it works now, so I did not try it...

     

    EDIT:

    This problem is not exclusive to 9.5.

    We are on 9.414-2

  • Did the same as Benedikt and it works again. Removed the computer object from AD, synced the DCs (repadmin /syncall) and then rejoined AD in the "Single Sign-On" tab.

     

     

  • Hi all,

    This fix works only temporarily.

     

    - removed AD Object

    - removed Sophos UTM from Domain

    - synced all DCs

    - rejoin Sophos

    --> This worked for ~8 hours; this morning, same issue again.

    It looks like it has something to do with Kerberos.

     

    Additional finding:

    - After the update, the deployment of wpad.dat via NAT rule (port 80) is no longer working on the internal interface. I had to create an additional interface and then NAT from port 80 to 8080 on the other interface.

     

    Sophos: Please fix these issues and, better, test SSO / Kerberos before announcing a new update.

     

    Regards

    Martin

  • This might be a silly question, but how do I remove it from the AD domain?

    In the Single Sign-On tab I can only join the domain.

     

    Thank you very much

  • Hi,

    I had the same problem before. What I did:

    Type some bullshit for

    DOMAIN

    Username

    Password 

    and hit "Join Domain".

    After this, the Sophos tells me it is no longer part of the domain.

    Then I deleted the computer account inside the AD domain.

  • Thank you

    For now it's working.

     

    The worst part of this is... I can't restore to the previous version 9.500-9 no matter what... at least until Sophos fixes this issue.

     

    JP

  • Hello,

    I have these problems in the fallback.log; when I restart the winbind daemon and the web proxy, it is running.

     

    017:06:14-08:06:31 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:54.730590,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:54.752101,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:54.771175,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:55.248664,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:55.269122,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:55.287084,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[7736]:  [2017/06/14 08:10:32.876805,  0] winbindd/winbindd.c:212(winbindd_sig_term_handler)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[7736]:    Got sig[15] terminate (is_parent=1)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[8569]:  [2017/06/14 08:10:32.876904,  0] winbindd/winbindd.c:212(winbindd_sig_term_handler)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[8569]:    Got sig[15] terminate (is_parent=0)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[8570]:  [2017/06/14 08:10:32.877241,  0] winbindd/winbindd.c:212(winbindd_sig_term_handler)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:10:32.877780,  0] winbindd/winbindd.c:212(winbindd_sig_term_handler)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[7738]:    Got sig[15] terminate (is_parent=0)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[8570]:    Got sig[15] terminate (is_parent=0)
    2017:06:14-08:10:33 a-sophos-2 [daemon:err] winbindd[8595]:  [2017/06/14 08:10:33.016423,  0] winbindd/winbindd_cache.c:3169(initialize_winbindd_cache)
    2017:06:14-08:10:33 a-sophos-2 [daemon:err] winbindd[8595]:    initialize_winbindd_cache: clearing cache and re-creating with version number 2

    Br McWolle

    Sophos Certified Engineer (SCE)
    Sophos Certified Architect (SCA)
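
An added example, not part of the post above and not Sophos tooling: a small parser for fallback.log lines in the format quoted above that counts `Kinit failed: Preauthentication failed` events per winbindd PID and records daemon restarts, so you can see whether the failures resume after a rejoin. The sample lines are constructed from the posted format, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the fallback.log format quoted above (not real data).
SAMPLE = """\
2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:54.730590,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:55.248664,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:10:32.877780,  0] winbindd/winbindd.c:212(winbindd_sig_term_handler)
2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[7738]:    Got sig[15] terminate (is_parent=0)
2017:06:14-08:10:33 a-sophos-2 [daemon:err] winbindd[8595]:    initialize_winbindd_cache: clearing cache and re-creating with version number 2
"""

# Syslog-style prefix: timestamp, host, [facility:level], process[pid]: message
LINE = re.compile(r"^(\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) (\S+) \[(\w+):(\w+)\] (\w+)\[(\d+)\]:\s+(.*)$")
# Samba debug header that precedes each message: [date time, level] file:line(function)
SAMBA_HDR = re.compile(r"^\[\d{4}/\d\d/\d\d [\d:.]+,\s+\d+\] (\S+)\((\w+)\)$")

def parse(text):
    """Yield one event per Samba message, tagged with the source function
    taken from the preceding header line of the same PID."""
    pending = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # malformed line, e.g. a truncated timestamp
        ts, host, _fac, _lvl, proc, pid, msg = m.groups()
        hdr = SAMBA_HDR.match(msg)
        if hdr:
            pending[pid] = hdr.group(2)
            continue
        yield {"ts": datetime.strptime(ts, "%Y:%m:%d-%H:%M:%S"), "host": host,
               "proc": proc, "pid": int(pid), "func": pending.pop(pid, None), "msg": msg}

def summarize(text):
    """Return (per-PID pre-auth failure stats, list of winbindd restart times)."""
    fails, restarts = defaultdict(list), []
    for ev in parse(text):
        if ev["msg"] == "Kinit failed: Preauthentication failed":
            fails[ev["pid"]].append(ev["ts"])
        elif ev["msg"].startswith("initialize_winbindd_cache"):
            restarts.append(ev["ts"])
    report = {pid: {"count": len(t), "first": min(t), "last": max(t)}
              for pid, t in fails.items()}
    return report, restarts
```

Run `summarize()` over the log before and after a rejoin: a failure count that starts climbing again after the last restart timestamp matches the "works for a few hours, then breaks" pattern reported in this thread.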

  • 45 minutes and authentication issue back again.

    Now, anyone... Can I restore to the previous version? Using the restore function in the web interface is not working.

     

    Thanks