
After updating to 9.501-5, SSO for HTTP authentication failed and domain join is not working.

UTM 9.501-5

Windows server 2012 domain controller.

I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites.

Can get to Google.ca

Cannot get to canada411.com - Too many http redirects message.

Turned off web filtering and the websites were available - but the client requires filtering.

Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.

Attempted to remove from and rejoin domain, but domain join failed.

Currently, I have the client functioning, but I need to rejoin AD and resume SSO authentication.

  • It finally works again for us. We did the following things in this order:

    - Firmware update to 9.503 from this page, at the moment only available by FTP:
    community.sophos.com/.../utm-up2date-9-503-released

    - Delete the AD computer object of the Sophos UTM
    - Do a failed domain join at Definitions & Users -> Authentication Services -> Single Sign-On: fill in the correct domain, but a wrong username and password. Status should change to failed. Then join your domain again with the correct login data; status should be "Joined Domain".
    - Reboot your Sophos UTM
    - Users have to log off their computers and log in again
    - If you had your Sophos hostname in your Internet Explorer proxy settings: change it to the IP, like 172.17.0.123:8080 in our case.

  • Hi, and welcome to the UTM Community!

    Your final step has the effect of causing the UTM to do SSO user authentication with NTLM instead of Kerberos.  Did you find that there was no function until you made that change?  Note that, depending on the hardware in use, joining can take (what feels like) five to ten minutes.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you!

    Yes, it was instantly working when the setting was changed to IP. If not, a browser error message appears: "authentication failed". It appears today as well, when I change it back to hostname. So this problem might not be completely fixed in the Sophos firmware yet?