After updating to 9.501-5, SSO for HTTP authentication fails and domain join is not working.

UTM 9.501-5

Windows server 2012 domain controller.

I installed the 9.5 update on June 2 and saw no issues with it for the client. I updated to 9.501-5 at midnight on June 12, and Internet access is now failing on multiple sites.

Can get to Google.ca

Cannot get to canada411.com: "Too many HTTP redirects" message.

Turned off web filtering and the websites were available, but the client requires filtering.

Re-enabled it and turned off AD SSO authentication; websites are available again, with the correct content being blocked.

Attempted to remove from and rejoin domain, but domain join failed.

Currently I have the client functioning, but I need to rejoin AD and resume SSO authentication.
  • That's what I did. I added the line in /etc/crontab-static, then made changes in the WebAdmin and the crontab was updated. Today both /etc/crontab-static and /etc/crontab were missing the line I added yesterday. All I did was reboot. Is it possible that the changes made interfere with the active-passive cluster?

    Dennis

  • In HA, changes at the command line must be made to both devices. Apparently, you're now working on what was the Slave when you changed /etc/crontab-static. Just do the same thing on the current Master and you'll be good to go on either device.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I followed your advice two weeks ago but things didn't get better. The AD SSO connection got lost some time at night, so I had to rejoin every morning for about two weeks. For some reason it worked on two different days, but please don't ask me why.

    So I updated my HA cluster last Thursday to version 9.502-4 and rejoined AD SSO. Since then, the AD SSO authentication works like a charm :-)

    On the other hand I have an error and I'm not sure if it's related to the update or if I'm just too blind to see:

    If I try to connect to www.pkf.de, the site will always be blocked (blocked category Business). I'm quite sure that this external domain worked before. The strange thing is, looking at the web filter live log, calling this single domain is always without a valid AD user and therefore blocked. Every other domain from the same browser will be connected with a valid AD user.

    2017:07:31-16:55:13 hhs050utm-2 httpproxy[7986]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="xx.xx.xx.xx" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="85887" request="0xcdccc00" url="http://www.pkf.de/" referer="" error="" authtime="0" dnstime="0" cattime="46375" avscantime="0" fullreqtime="47510" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" exceptions="auth,mime,application,fileextension,size" category="105" reputation="neutral" categoryname="Business" reason="category"

    This domain is whitelisted and has an exception for ^https?://([A-Za-z0-9.-]*\.)?pkf\.de/  and ^http?://([A-Za-z0-9.-]*\.)?pkf\.de/ with every single option activated. IPS has been deactivated for testing purposes.

    I also get the following error when clicking on the blue exclamation mark on almost every exception rule:

    Can't use string ("0") as an ARRAY ref while "strict refs" in use at /wfe/asg/modules/asg_misc.pm line 727.

    I don't know if there is a connection to the first error, but as far as I can see I have to either rebuild the database (at least in a single-device environment) or do a factory reset with a restore.

    Any ideas on this?

    Dennis
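    The httpproxy entry quoted above has the pattern Dennis describes: action="block" with user, group and ad_domain all empty, while other requests from the same browser carry an AD user. The following parser for that key="value" line format, added here as an example and not code from Sophos or from this thread, counts such identity-less blocks per source IP and URL so that an SSO lookup failure can be told apart from an ordinary category block. The sample lines are constructed, with invented hostnames and addresses.

```python
import re
from collections import Counter

# Sophos UTM httpproxy line: '<ts> <host> httpproxy[<pid>]: key="value" key="value" ...'
_HEAD = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) httpproxy\[(?P<pid>\d+)\]: (?P<rest>.*)$')
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_httpproxy_line(line):
    """Return the fields of one httpproxy log line as a dict, or None if the line is not one."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts"), "host": m.group("host"), "pid": int(m.group("pid"))}
    fields.update(_KV.findall(m.group("rest")))  # quoted values may contain spaces and commas
    return fields


def unauthenticated_blocks(lines):
    """Count blocked requests that carry no AD identity at all (user, group and ad_domain empty).

    With AD SSO working, every request from a domain-joined browser should carry a user;
    a run of these for one source IP points at the SSO lookup rather than at the category policy.
    Returns a Counter keyed by (srcip, url)."""
    hits = Counter()
    for line in lines:
        f = parse_httpproxy_line(line)
        if f is None or f.get("action") != "block":
            continue
        if not (f.get("user") or f.get("group") or f.get("ad_domain")):
            hits[(f.get("srcip", ""), f.get("url", ""))] += 1
    return hits


# Constructed sample lines modelled on the entry quoted in the thread; all values are invented.
SAMPLE = [
    '2017:07:31-16:55:13 utm-2 httpproxy[7986]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="10.0.0.5" dstip="" user="" group="" ad_domain="" statuscode="403" url="http://www.pkf.de/" exceptions="auth,mime" category="105" categoryname="Business" reason="category"',
    '2017:07:31-16:55:20 utm-2 httpproxy[7986]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.5" dstip="" user="dennis" group="staff" ad_domain="EXAMPLE" statuscode="200" url="http://www.google.ca/"',
    '2017:07:31-16:56:02 utm-2 httpproxy[7986]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="10.0.0.5" dstip="" user="" group="" ad_domain="" statuscode="403" url="http://www.pkf.de/" category="105" categoryname="Business" reason="category"',
    '2017:07:31-16:56:10 utm-2 httpproxy[7986]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="10.0.0.9" dstip="" user="bob" group="staff" ad_domain="EXAMPLE" statuscode="403" url="http://example.invalid/" categoryname="Gambling" reason="category"',
    "not an httpproxy line at all",
]

if __name__ == "__main__":
    for (src, url), n in unauthenticated_blocks(SAMPLE).items():
        print(f"{src} blocked {n}x with no AD identity: {url}")
```

    Feeding the real /var/log/http.log through unauthenticated_blocks() separates "SSO stopped attaching users" (many hits for one client across sites) from a single site that is simply in a blocked category.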

  • Problem solved....

    I turned off HA, removed the slave node (back to factory reset) and rebuilt the database on the old master. Everything is working again as expected so far. Then I turned HA on again.

    :-)

    Dennis

  • So does anyone know if there is a valuable workaround for this or a working fix to solve the problem? I don't hear anything from Sophos regarding this...

  • What issues are you still having? Is it just the authentication issues, or other issues that seem to be tied to it, like random sites that time out or can't be reached?

  • Authentication issues. I synced my web proxy with my DC and joined the UTM to the domain. Today my user is browsing the Internet without problems; tomorrow it doesn't work unless I do a rejoin of the UTM to the domain. These problems have occurred on several UTMs I manage since the update to 9.501.

    It is pretty annoying and my customers are losing patience over this...

  • And why haven't you updated to 9.502, where these problems have been solved?

    Or have I missed some information?

    Best

    Alex

  • Already updated to 9.502, rejoined the UTM to the domain, deleted the computer account from AD, rejoined again, made sure the sync between the DCs is working properly.

    It's not working at all.... Any suggestions?

  • Maybe one thing I experienced yesterday. After AD SSO had been running fine since upgrading to 9.502-4, I activated DNSSEC yesterday afternoon. After two hours I received the following warning mail:

    There was an error synchronizing subscribed groups. The Sophos UTM will continue to operate with a locally cached copy of the data but will be unable to update from Directory Services until the issue is resolved.

    Error was:

    -   failed to run samba command on DOMAIN, exiting now

    In the log view (system events) I found a lot of the following entries:

    - 2017:08:02-16:10:49 hhs050utm-1 dns-resolver[13992]: DNS server failed to contact!

    Then I deactivated DNSSEC again and everything was fine again.

    I had the error "failed to run samba ...." in the past when AD SSO authentication got broken. Since I have rebuilt my database I am not able to check deeper whether there was a similar error context before.

    Dennis


  • I am in the same boat. I called Sophos support multiple times and no one even mentioned rejoining the domain. They did not mention anything from this forum. Things work for a bit, then no one can access anything. A reboot of both UTMs in the HA pair is necessary, and this fixes it for a short time most of the time, but the issue has been present every day since we ran these updates. I am at the latest update also, 9.502-4.

    Very disappointed with our new Sophos UTMs since the update. School is about to start and we will have 10,000 people here, all with struggling Internet connections because of this update.