After updating to 9.501-5, SSO for HTTP authentication failed and domain join is not working.

UTM 9.501-5

Windows Server 2012 domain controller.

I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites.

Can get to Google.ca

Cannot get to canada411.com - Too many http redirects message.

Turned off web filtering and the websites were available - but the client requires filtering.

Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.

Attempted to remove from and rejoin domain, but domain join failed.

 

Currently, I have the client functioning, but, I need to rejoin AD and resume SSO authentication.

 

  • Did you see this?

    Which browser did you use? Try Firefox.

    Best

    Alex

  • In reply to Alexander Busch:

    Tried Chrome and IE before dropping from the domain, but since I cannot re-join the domain, I am unable to test Firefox.

    The client requires custom security settings in IE, so Firefox is not a viable option.

  • In reply to TevorHinch:

    As suggested here: Sophos Forum

     

    Remove the UTM from the domain, delete the computer object in AD, force and wait for the DCs to sync, then rejoin the domain.

    This worked fine for me. AD SSO works again in proxy Standard mode.

    After removing the UTM from the domain, I restarted all Sophos UTM cluster nodes.

    I don't know if that's necessary, but maybe you could try that if it still doesn't work.

    I hope the AD SSO still works after another restart of the UTM.

    I am glad it works now, so I did not try it....

     

    EDIT:

    This problem is not exclusive to 9.5.

    We are on 9.414-2

  • In reply to Benedikt Geelen:

    Did the same as Benedikt and it works again. Removed the computer object from AD, synced the DCs (repadmin /syncall) and then I rejoined the AD in the "Single Sign-On" tab.

     

     

  • Hi all,

    This fix works only temporarily.

    - removed AD object

    - removed Sophos UTM from domain

    - sync all DCs

    - rejoin Sophos

    --> This worked for ~8 hours; this morning, same issue again.

    It looks like it has something to do with Kerberos.

    Additional finding:

    - After the update, the deployment of wpad.dat via NAT rule (port 80) is no longer working on the internal interface. I had to create an additional interface and then NAT from port 80 to 8080 on the other interface.

    Sophos: Please fix these issues and, better, test SSO / Kerberos before announcing a new update.

     

    Regards

    Martin

  • In reply to Martin Shemon:

    This might be a silly question, but how do I remove it from the AD domain?

    In the Single Sign-On tab I can only join the domain.

     

    Thank you very much

  • In reply to jorgeparente:

    Hi,

    I had the same problem before. What I did:

    Type some bullshit for

    DOMAIN

    Username

    Password

    and hit "Join Domain".

    After this, the Sophos tells me it is no longer part of the domain.

    Then I deleted the computer account inside the AD domain.

  • In reply to Martin Shemon:

    Thank you

    For now it's working.

     

    The worst part of this is... I can't restore to previous version 9.500-9 no matter what... at least until Sophos fixes this issue.

     

    JP

  • In reply to Martin Shemon:

    Hello,

    I have these problems in the fallback.log; when I restart the winbind daemon and the web proxy, it is running.

     

    017:06:14-08:06:31 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:54.730590,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:54.752101,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:54.771175,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:55.248664,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:55.269122,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:55.287084,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[7736]:  [2017/06/14 08:10:32.876805,  0] winbindd/winbindd.c:212(winbindd_sig_term_handler)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[7736]:    Got sig[15] terminate (is_parent=1)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[8569]:  [2017/06/14 08:10:32.876904,  0] winbindd/winbindd.c:212(winbindd_sig_term_handler)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[8569]:    Got sig[15] terminate (is_parent=0)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[8570]:  [2017/06/14 08:10:32.877241,  0] winbindd/winbindd.c:212(winbindd_sig_term_handler)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:10:32.877780,  0] winbindd/winbindd.c:212(winbindd_sig_term_handler)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[7738]:    Got sig[15] terminate (is_parent=0)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[8570]:    Got sig[15] terminate (is_parent=0)
    2017:06:14-08:10:33 a-sophos-2 [daemon:err] winbindd[8595]:  [2017/06/14 08:10:33.016423,  0] winbindd/winbindd_cache.c:3169(initialize_winbindd_cache)
    2017:06:14-08:10:33 a-sophos-2 [daemon:err] winbindd[8595]:    initialize_winbindd_cache: clearing cache and re-creating with version number 2
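
A way to measure from fallback.log how long each winbindd restart holds before "Kinit failed: Preauthentication failed" returns. This is an added example, not part of the original post or Sophos code. The sample lines are constructed in the format of the excerpt above, and treating the `initialize_winbindd_cache` line as the restart marker is an assumption taken from that excerpt.

```python
import re
from datetime import datetime

# Constructed sample in the fallback.log format quoted above; the host name
# "utm-1" and the final 08:55:40 line are made up for illustration.
SAMPLE = """\
2017:06:14-08:06:54 utm-1 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:54.730590,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
2017:06:14-08:06:54 utm-1 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
2017:06:14-08:06:55 utm-1 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
2017:06:14-08:10:32 utm-1 [daemon:err] winbindd[7736]:    Got sig[15] terminate (is_parent=1)
2017:06:14-08:10:33 utm-1 [daemon:err] winbindd[8595]:    initialize_winbindd_cache: clearing cache and re-creating with version number 2
2017:06:14-08:55:40 utm-1 [daemon:err] winbindd[8597]:    Kinit failed: Preauthentication failed
"""

LINE = re.compile(
    r"^(\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) \S+ \[\w+:\w+\] winbindd\[(\d+)\]:\s+(.*)$")
KINIT = "Kinit failed: Preauthentication failed"
RESTART = "initialize_winbindd_cache:"  # assumed marker of a fresh winbindd start

def parse(text):
    """Yield (timestamp, pid, message) per winbindd line; skip malformed lines."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)

def summarize(text):
    """Count Kinit failures and measure how long each winbindd restart held."""
    failures, restarts = [], []
    for ts, _pid, msg in parse(text):
        if msg.startswith(KINIT):
            failures.append(ts)
        elif msg.startswith(RESTART):
            restarts.append(ts)
    held = []  # seconds from each restart to the next failure, None if none yet
    for i, start in enumerate(restarts):
        end = restarts[i + 1] if i + 1 < len(restarts) else datetime.max
        nxt = [f for f in failures if start < f < end]
        held.append(int((min(nxt) - start).total_seconds()) if nxt else None)
    return {"kinit_failures": len(failures), "restarts": len(restarts),
            "seconds_until_recurrence": held}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Lines whose timestamp does not match the format, such as one with a truncated year, are skipped rather than guessed at.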

  • In reply to jorgeparente:

    45 minutes and authentication issue back again.

    Now anyone.... Can I restore to the previous version? Using the restore function in the web interface is not working.

     

    Thanks

  • In reply to Martin Shemon:

    According to another, recent post, it's no longer required to unjoin the UTM from the domain and delete the Account in AD - just enter valid credentials and Join again.

    EDIT an hour later: Also, note the command line trick.

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    Do you have any idea why the UTM loses the Kerberos tickets? It looks like the key renewal is not working.

    I joined the UTM this morning and all authentications are working.

    Maybe a script will help? Or: do you know the process which renews?

     

    Cheers

    Martin

  • In reply to Martin Shemon:

    I hadn't thought to look for it until you asked, Martin.  The following is a fictitious example:

    cc ad_join_domain DOMAIN.LOCAL adminbob G3d0utahere! 172.16.1.5

    DOMAIN.LOCAL - Active Directory domain name
    adminbob - Administrative username in AD
    G3d0utahere! - Password in AD for adminbob
    172.16.1.5 - IP Address of Domain controller

    That can take a while depending on your hardware and connection.  A result of 1 means the join was successful, 0 means it failed.

    If you want to do that in a cron job, use /usr/local/bin/confd-client.plx instead of cc.

    Cheers - Bob

  • I realized that with WannaCry, some of my clients have had the SMB1 turned off. When I re-enabled that, I was able to join the domain.

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

    Now I just need to turn on the SSO Authentication and test the server access after hours.

    Hopefully the system will stabilize after that and I will not find out at 5:30 when the first person comes in.