After updating to 9.501-5, SSO for HTTP authentication failed and domain join is not working.

UTM 9.501-5

Windows server 2012 domain controller.

I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites.

Can get to Google.ca

Cannot get to canada411.com - Too many http redirects message.

Turned off web filtering and the websites were available - but the client requires filtering.

Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.

Attempted to remove from and rejoin domain, but domain join failed.

 

Currently, I have the client functioning, but I need to rejoin AD and resume SSO authentication.

 

  • Same problem here. Using Transparent Proxy with SSO

    Windows 2016 Domain controllers

    All clients get "Access Denied" + "Authentication Failed" + "The URL you have requested is blocked by Surf Protection"

     

    Had to change authentication to "NONE" to let users access internet.

    Leave/rejoin domain does not help. Rebooting all servers, including domain controllers and client machines, makes things work for a few minutes before f.ing up again.

    No updates installed on servers after firmware update on UTM.

    Happened right after install of firmware 9.501-5

  • In reply to orrsti:

    Same here.

     

    The workaround with joining the UTM again is not really working.

     

    I really have to remove the computer account from the domain, do a repadmin /syncall /force for the domain controllers, wait for ~15 minutes.

    Then join again, and all is working perfectly...

     

    Sophos: we need a solution here. Without authentication it is no solution, only a temporary workaround. We have to identify our users to put them in different groups.

    Regards

    Martin

     

  • Hi all,

    Just wanted to share some outlook on this.

    I confirm that the WA is only temporary. I received a couple of calls last Friday in the morning regarding this behavior, and after rejoining the UTMs to the AD the issue apparently was solved. Today the same clients reported the same behavior. Both incidents are reported to Sophos support.

     

    Edit:

    This is happening also with version 9.414-2.

  • In reply to Martin Shemon:

    When the first user reported that the WA is not working permanently, I immediately rolled back our Sophos to firmware version 9.413-4.

     

    It's working fine now.

     

    I think I saw in a different post that this problem has been occurring since the end of May.

    So I don't believe there's gonna be a fix anytime soon and I suggest a rollback for anyone who has these issues.

     

    I was lucky that we got an active-passive cluster.

    So I released the cluster, rolled back one UTM with the newest config and replaced the still active UTM with it.

    I could minimize the downtime to about 10 minutes this way.

     

    Think about what you want to do with stuff that is not transferred with the config backup (logs, quarantined e-mails).

    I didn't need any of that, but if you do, there is some work ahead since you can only migrate it through the CLI as far as I know.

  • In reply to BAlfson:

    Hello Bob, 

    We have adjusted the KBA to include your suggestions. Thank you for all the input you have made on this issue!

    Sophos UTM: Httpproxy with AD-SSO authentication doesn't work with Internet Explorer and Chrome after upgrading to 9.5

  • No problems seen with 9.500 regarding WebProxy and AD SSO. Updated two days ago to 9.501.

    Windows Server 2016 Environment, fully patched. Windows 10 Client, fully patched.

    After updating to 9.501 first no problems, some hours later already mentioned problems with HTTP Proxy and AD SSO. Tried some things, changing password of AD user having problems, and last but not least unjoined UTM, kept AD computer account, rejoined, rebooted. Everything worked for a couple of hours then the same problem occurs. I tried this with Firefox (52.2.0 ESR), Chrome (58.0.3029.110) and IE 11.

    Some minutes ago, I just tried to rejoin without unjoining first, doesn't help.

    In all cases this is logged in the WebProxy log:

    2017:06:20-07:50:16 bifroest httpproxy[21852]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xe6fc0400" function="adir_auth_process_negotiate" file="auth_adir.c" line="1636" message="gss_accept_sec_context: Key version number for principal in key table is incorrect"

    Flushing authentication cache, manual resync of AD group memberships doesn't help.

    I think the UTM doesn't renew its Kerberos ticket. The corresponding log on a DC shows that network preauthentication failed for the UTM-Name$ account.

     

    Fehler bei der Kerberos-Vorauthentifizierung.

    Kontoinformationen:
        Sicherheits-ID:            <DOMAIN>\<ComputerAccountName>$
        Kontoname:                <ComputerAccountName>$

    Dienstinformationen:
        Dienstname:                krbtgt/<DOMAIN FQDN>

    Netzwerkinformationen:
        Clientadresse:               <UTM IP ADDRESS>
        Clientport:                33302

    Weitere Informationen:
        Ticketoptionen:            0x40000010
        Fehlercode:                0x18
        Typ vor der Authentifizierung:    2

    Zertifikatsinformationen:
        Zertifikatausstellername:       
        Seriennummer des Zertifikats:    
        Zertifikatfingerabdruck:       

    Zertifikatinformationen werden nur bereitgestellt, wenn ein Zertifikat zur Vorauthentifizierung verwendet wurde.

    Vorauthentifizierungtypen, Ticketoptionen und Fehlercodes sind in RFC 4120 definiert.

    Wenn das Ticket eine ungültige Form hat oder beim Transport beschädigt wurde und nicht entschlüsselt werden kann, sind viele Fehler dieses Ereignisses möglicherweise nicht vorhanden.
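
The two log signatures quoted in the post above (the httpproxy `gss_accept_sec_context` message and the DC pre-authentication failure with error code 0x18, pre-authentication type 2) can be tracked over time to see when a rejoin stops holding. The following is an added example, not part of the thread and not Sophos code; the function names and the sample lines are constructed, modeled on the quoted log entry.

```python
import re
from collections import Counter
from datetime import datetime

# Line layout follows the WebProxy entry quoted in the post above.
LINE_RE = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) httpproxy\[(\d+)\]: (.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
KVNO_MSG = "Key version number for principal in key table is incorrect"
# RFC 4120 names for the values shown in the DC event quoted above.
KRB_ERRORS = {0x18: "KDC_ERR_PREAUTH_FAILED"}
PA_TYPES = {2: "PA-ENC-TIMESTAMP"}

def parse_line(line):
    """Return (timestamp, host, fields) for an httpproxy line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
    return ts, m.group(2), dict(KV_RE.findall(m.group(4)))

def kvno_failures(lines):
    """Timestamps of Negotiate failures where keytab and KDC key versions differ."""
    hits = []
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue
        ts, _host, f = parsed
        if f.get("function") == "adir_auth_process_negotiate" and KVNO_MSG in f.get("message", ""):
            hits.append(ts)
    return sorted(hits)

def summarize(lines):
    """First failure and per-hour counts: shows when a rejoin stopped holding."""
    hits = kvno_failures(lines)
    per_hour = Counter(ts.strftime("%Y-%m-%d %H:00") for ts in hits)
    return {"first": hits[0] if hits else None, "total": len(hits), "per_hour": dict(per_hour)}

def describe_dc_event(error_code, preauth_type):
    """Name the RFC 4120 codes from a Kerberos pre-authentication failure event."""
    return KRB_ERRORS.get(error_code, "unknown"), PA_TYPES.get(preauth_type, "unknown")

# Constructed sample lines (hypothetical timestamps), shaped like the quoted entry.
TEMPLATE = '{} bifroest httpproxy[21852]: id="0003" severity="info" sys="SecureWeb" sub="http" function="{}" file="auth_adir.c" message="{}"'
SAMPLE = [
    TEMPLATE.format("2017:06:20-07:50:16", "adir_auth_process_negotiate", "gss_accept_sec_context: " + KVNO_MSG),
    TEMPLATE.format("2017:06:20-07:58:41", "adir_auth_process_negotiate", "gss_accept_sec_context: " + KVNO_MSG),
    TEMPLATE.format("2017:06:20-08:02:03", "constructed_other_function", "constructed unrelated entry"),
    TEMPLATE.format("2017:06:20-08:05:10", "adir_auth_process_negotiate", "gss_accept_sec_context: " + KVNO_MSG),
]
```

Calling `summarize()` on the real WebProxy log after each rejoin gives the time of the first failure, which can be compared with the timestamps of the pre-authentication failures for the UTM computer account on the DC.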

  • I had no problems with 9.500-9. Only after upgrade to 501. Remove from domain, delete account in AD, sync servers and rejoin works only for a few minutes.

    The problem is that I can't rollback to 9.500, because there is no ISO or gpg in up2date.

    I can't rollback to 414002 and stay in that version because we've done a lot of work since update to 9.500. There is only 9.414002 to 501005....

    Does anyone know where I can get this gpg file?

     

    Thanks

  • No problems with 9.500-9. SSO problem started for my customers with 9.501-5

    Also what would happen to my RED devices if I were to roll back?
    I have several Customers with HQ in Norway and Branch Offices in US, China, and other European Countries connected with a RED device, will these "downgrade" themselves?

    A roll back is not really practical for me as this would result in too much downtime. Will probably just have to wait for a fix...*sigh*

     

  • Updated 2 clients to 9.501-5 over the weekend and are seeing the exact same issue, SSO goes out the window until I rejoin them to the domain. It lasted all day Monday, came in this morning to the same issue.

  • Keep getting new customers reporting http authentication problems. It does not seem to be a global issue though, since some of them, with the latest up2date, are not experiencing this.

    Support just told me that there is no available WA and the only option for the time being (besides re-joining) would be to downgrade :(

  • In reply to PeterRL:

    The problem is that we cannot downgrade to 9.500. This version has no issues...

    Someone @Sophos: Is there any chance for you to release the 9.500 again on the up2date ftp server?

  • In reply to jorgeparente:

    Is there a solution planned?

    I have to rejoin the domain every morning!!

  • In reply to Thomas Dueringer:

    Same here, really annoying...

  • We have the same problem in about 20 sites!

    How can it be fixed permanently?

    Sophos has to solve this ASAP - created a ticket

  • In reply to mas0384:

    Hello, we have the same problem. Our workaround is to disable the webproxy SSO authentication to get access to the internet for the users. We have also created a support ticket with Sophos.

     

    Best regards

    Kim