After updating to 9.501-5, SSO for HTTP authentication failed and domain join is not working.

UTM 9.501-5

Windows server 2012 domain controller.

I installed the 9.5 update on June 2 and did not see any issues with this for the client. I updated to 9.501-5 on June 12 at midnight, and Internet access is failing on multiple sites.

Can get to Google.ca

Cannot get to canada411.com - "Too many http redirects" message.

Turned off web filtering and the websites were available, but the client requires filtering.

Re-enabled it and turned off AD SSO authentication, and the websites are available again with the correct content being blocked.

Attempted to remove from and rejoin domain, but domain join failed.

Currently I have the client functioning, but I need to rejoin AD and resume SSO authentication.

  • In reply to orrsti:

    orrsti
    Don't really know why we still are using Sophos appliances.

    Same here. I will be moving to Palo Alto as soon as my budget clears. I'll have a pair of SG430s for sale at that point.

    -md

  • In reply to BAlfson:

    Hi Bob,

    I followed your advice two weeks ago, but things didn't get better. The AD SSO connection got lost some time at night, so I had to rejoin every morning for about two weeks. For some reason it worked on two different days, but please don't ask me why.

    So I updated my HA cluster last Thursday to version 9.502-4 and rejoined AD SSO. Since then, the AD SSO authentication works like a charm :-)

    On the other hand, I have an error and I'm not sure if it's related to the update or if I'm just too blind to see:

    If I try to connect to www.pkf.de, the site will always be blocked (blocked category Business). I'm quite sure that this external domain worked before. The strange thing is, looking at the web filter live protocol, calling this single domain is always without a valid AD user and therefore blocked. Every other domain from the same browser will be connected with a valid AD user.

    2017:07:31-16:55:13 hhs050utm-2 httpproxy[7986]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="xx.xx.xx.xx" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="85887" request="0xcdccc00" url="http://www.pkf.de/" referer="" error="" authtime="0" dnstime="0" cattime="46375" avscantime="0" fullreqtime="47510" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" exceptions="auth,mime,application,fileextension,size" category="105" reputation="neutral" categoryname="Business" reason="category"

    This domain is whitelisted and has an exception for ^https?://([A-Za-z0-9.-]*\.)?pkf\.de/ and ^http?://([A-Za-z0-9.-]*\.)?pkf\.de/ with every single option activated. IPS has been deactivated for testing purposes.

    I also have the following error when clicking on the blue exclamation mark on almost every exception rule:

    Can't use string ("0") as an ARRAY ref while "strict refs" in use at /wfe/asg/modules/asg_misc.pm line 727.

    I don't know if there is a context to the first error, but as far as I can see I have to either rebuild the database (at least in a single-device environment) or do a factory reset with a restore.

    Any ideas on this?

    Dennis
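    To make the symptom in the log line above easier to spot across a larger extract, here is a small parser for the Sophos UTM httpproxy key="value" line format. It is an added example written for this thread, not code from Sophos or from the poster. It separates requests that were blocked as an ordinary category hit from requests that the web filter handled with no user and no AD domain attached (the condition described above), and it also tests the request URL against the exception pattern quoted in the post. The first sample line is the one quoted above; the second is constructed to represent a normal authenticated request and is not real Sophos output. The exception list, the user name and the category in the constructed line are assumptions.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Tuple

# A Sophos UTM httpproxy line is a plain prefix (timestamp host process[pid]:)
# followed by space-separated key="value" pairs. Values may contain spaces and
# parentheses, so each value is taken up to the closing double quote.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
PREFIX_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+):')

# Web filter exception pattern as quoted in the post above (assumed to be the
# exception that should cover this domain).
EXCEPTION_PATTERNS = [re.compile(r'^https?://([A-Za-z0-9.-]*\.)?pkf\.de/')]

# Sample input. Line 1 is the line quoted in the post (source IP already masked
# there). Line 2 is constructed for this example and is not real Sophos output.
SAMPLE_LINES = [
    '2017:07:31-16:55:13 hhs050utm-2 httpproxy[7986]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="xx.xx.xx.xx" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="85887" request="0xcdccc00" url="http://www.pkf.de/" referer="" error="" authtime="0" dnstime="0" cattime="46375" avscantime="0" fullreqtime="47510" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" exceptions="auth,mime,application,fileextension,size" category="105" reputation="neutral" categoryname="Business" reason="category"',
    '2017:07:31-16:55:20 hhs050utm-2 httpproxy[7986]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="xx.xx.xx.xx" dstip="" user="dennis" group="Domain Users" ad_domain="EXAMPLE" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1024" request="0x0" url="http://www.example.com/" referer="" error="" authtime="3" dnstime="1" cattime="2" avscantime="0" fullreqtime="20" device="0" auth="1" ua="constructed" exceptions="" category="0" reputation="neutral" categoryname="constructed" reason=""',
]


def parse_httpproxy_line(line: str) -> Dict[str, str]:
    """Turn one log line into a dict; prefix fields are added as ts/host/proc."""
    fields = dict(KV_RE.findall(line))
    m = PREFIX_RE.match(line)
    if m:
        fields.update(m.groupdict())
    return fields


def url_matches_exception(url: str) -> bool:
    """True if the request URL is covered by one of the configured exceptions."""
    return any(p.search(url) for p in EXCEPTION_PATTERNS)


def classify(fields: Dict[str, str]) -> Tuple[str, ...]:
    """
    Flags for one request:
      unauthenticated        SSO attached neither a user nor an AD domain, so the
                             request was filtered as anonymous (the symptom in
                             the post: the default profile applies and blocks)
      exception-not-applied  the URL matches a skip-everything exception but the
                             request was still blocked, so the exception path
                             itself deserves a look
    A normal authenticated request, allowed or blocked, yields no flags.
    """
    flags = []
    if not fields.get("user") and not fields.get("ad_domain"):
        flags.append("unauthenticated")
    if fields.get("action") == "block" and url_matches_exception(fields.get("url", "")):
        flags.append("exception-not-applied")
    return tuple(flags)


def summarize(lines: Iterable[str]) -> Counter:
    """Count flags over a log extract; 'total' counts the httpproxy lines seen."""
    counts: Counter = Counter()
    for line in lines:
        if "httpproxy[" not in line:
            continue  # other UTM daemons use different formats; skip them
        counts["total"] += 1
        for flag in classify(parse_httpproxy_line(line)):
            counts[flag] += 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        f = parse_httpproxy_line(sample)
        print(f["ts"], f.get("user") or "<no user>", f.get("url"), classify(f))
    print(dict(summarize(SAMPLE_LINES)))
```

    Feeding a day's worth of httpproxy lines to summarize() gives a quick count of how many requests went through with no AD user at all, which is a more useful indicator of SSO breaking overnight than watching individual category blocks.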

  • In reply to Dennis Potenberg:

    Problem solved....

    I turned off HA, removed the slave node (back to factory reset) and rebuilt the database on the old master. Everything is working again as expected so far. Then I turned on HA again.

    :-)

    Dennis

  • In reply to Dennis Potenberg:

    So does anyone know if there is a valuable workaround for this or a working fix to solve the problem? I haven't heard anything from Sophos regarding this...

  • In reply to Antonio Esposito:

    What issues are you still having? Is it just the authentication issues, or other issues that seem to be tied to it, like random sites that time out or can't be reached?

  • In reply to StaffordFields:

    Authentication issues. I synced my web proxy with my DC and joined the UTM to the domain. Today my user is browsing the Internet without problems; tomorrow it doesn't work unless I do a rejoin of the UTM to the domain. These problems have occurred on several UTMs I manage since the update to 9.501.

    It is pretty annoying, and my customers are losing patience with this...

  • In reply to Antonio Esposito:

    And why haven't you updated to 9.502, where these problems have been solved?

    Or have I missed some information?

    Best

    Alex

  • In reply to Alexander Busch:

    Already updated to 9.502, rejoined the UTM to the domain, deleted the computer account from AD, rejoined again, made sure the sync between the DCs is working properly.

    It's not working at all.... Any suggestions?

  • In reply to Antonio Esposito:

    Maybe one thing I experienced yesterday. After AD SSO had been running fine since upgrading to 9.502-4, I activated DNSSEC yesterday afternoon. After two hours I received the following warning mail:

    There was an error synchronizing subscribed groups. The Sophos UTM will continue to operate with a locally cached copy of the data but will be unable to update from Directory Services until the issue is resolved.

    Error was:

    -   failed to run samba command on DOMAIN, exiting now

    In the protocol view (system events) I found a lot of the following entries:

    - 2017:08:02-16:10:49 hhs050utm-1 dns-resolver[13992]: DNS server failed to contact!

    Then I deactivated DNSSEC again, and everything was fine again.

    I had the error "failed to run samba ...." in the past when AD SSO authentication got broken. Since I have rebuilt my database, I am not able to check deeper whether there was a similar error context before.

    Dennis

  • We had a similar issue.

    After each reboot, the proxy lost its connection with AD. A net ads join worked most of the time.

    After 4 or 5 hours, surfing became very slow.

    Using the web interface, we rejoined the AD. It's better; it doesn't lose the connection with AD after a reboot. But:

    - We need to restart the proxy one or two times each day.

    - Some users cannot authenticate to the proxy. One day it works, another day it fails.

  • I upgraded to 9.502-4 last night and ran into some issues with not being able to rejoin my UTM to the domain. After deleting the old entry for the firewall and forcing replication, I was able to join my UTM to the domain. Even after forcing replication, it took about 5-10 minutes before I could rejoin the UTM to the domain. However, it created an entry in DNS for each interface in the UTM. Then there were multiple clients having issues browsing the Internet. The issue was caused by the multiple entries. I deleted all the entries except for the one that pointed to the internal IP address of the UTM.

    Now all the clients can browse the Internet with no issues.

    Hopefully, this information might help someone else out.

    Regards,

  • In reply to Antonio Esposito:

    I am in the same boat. I called Sophos support multiple times and no one even mentioned rejoining the domain. They did not mention anything from this forum. Things work for a bit, then no one can access anything. A reboot of both UTMs in the HA pair is necessary, and this fixes it for a short time most of the time, but the issue has been present every day since we ran these updates. I am at the latest update also, 9.502-4.

    Very disappointed with our new Sophos UTMs since the update. School is about to start and we will have 10,000 people here, all with struggling Internet connections because of this update.

  • It finally works again for us. We did the following things in this order:

    - Firmware update to 9.503 from this page, at the moment only available by FTP:
    community.sophos.com/.../utm-up2date-9-503-released

    - Delete the AD computer object of the Sophos UTM.
    - Do a failed domain join at Definitions & Users -> Authentication Services -> Single Sign-On: fill in the correct domain, but a wrong username and password. The status should change to "failed". Then join your domain again with the correct login data; the status should be "Joined Domain".
    - Reboot your Sophos UTM.
    - Users have to log off their computers and log in again.
    - If you had your Sophos hostname in your Internet Explorer proxy settings, change it to the IP, like 172.17.0.123:8080 in our case.

  • In reply to IT Abteilung BeeWaTec AG:

    Hi, and welcome to the UTM Community!

    Your final step has the effect of causing the UTM to do SSO user authentication with NTLM instead of Kerberos. Did you find that there was no function until you made that change? Note that, depending on the hardware in use, joining can take (what feels like) five to ten minutes.

    Cheers - Bob

  • In reply to BAlfson:

    Thank you!

    Yes, it was instantly working when the setting was changed to the IP. If not, a browser error message appears: "authentication failed". It comes today as well, when I change it back to the hostname. So this problem might not be completely fixed in the Sophos firmware yet?