
UTM needs to be rejoined to domain after restart of UTM or Domain Controller

Hi all,

I have had a big problem for two years. Our UTM always needs to be rejoined to the domain (deleted from Active Directory and rejoined) after the UTM is updated/restarted or the domain controller is restarted. After rejoining the UTM, the AD account that I used for rejoining always gets locked out, even though the domain join was successful. Can someone help me with this issue? We have 1 UTM and 3 domain controllers. The UTM has the newest FW version and the servers are Windows Server 2012 R2.

I found one post from someone who has the exact same issue, but unfortunately without an answer (http://www.edugeek.net/forums/internet-related-filtering-firewall/158208-sophos-utm-authentication-problem.html):

Came in this morning and users were reporting "Access Denied Authentication Failed" messages. All was fine when I went home on Friday.
Been speaking to Sophos tech support but getting nowhere fast and feel like I'm telling them more than they are telling me!

My understanding is that the authentication is a chain of 3. Client computer sends Kerberos key for the user's login credentials > UTM checks these against AD > AD server

My 1st checks were between UTM and server
1, Restart UTM
2, Re-join UTM to domain under single sign-on tab (successful)
3, Go to Authentication servers, select DCs and do an "Authenticate example user" test (successful)
4, Check the user is being filtered correctly in web protection > policy help desk (all correct)
5, Flush authentication cache
6, One thing I did notice was our web filtering authentication mode is set to transparent (no username or password box prompt) but our default authentication was set to none. I have since changed this to Active Directory SSO but still no luck. Can anyone confirm what this should be, as I hadn't changed it and it was set to none?


My Next checks were between Computer and UTM
1, Check proxy settings. (All correct and the authentication error would not appear if computer could not contact UTM, it would be page cannot be displayed)
2, check UTM logs for the machine

2015:08:24-11:32:35 proxy01-2 httpproxy[6376]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="HEAD" srcip="192.168.3.7" dstip="" user="" ad_domain="" statuscode="407" cached="0" profile="REF_HttProContaManagLan3 (AD auth Computers)" filteraction=" ()" size="0" request="0xe5742000" url="http://kzufjwvz/" referer="" error="" authtime="130" dnstime="0" cattime="0" avscantime="0" fullreqtime="200" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36" exceptions=""

The user and domain parts are blank so the UTM is not receiving these from the machine.

3, restarted machine, no luck
4, run klist purge, no luck

Any ideas?

 


Maybe one of you can help me? I already tried opening tickets with Sophos support but unfortunately no one could help me. Thank you in advance and best regards,

Chris
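
An added example, not part of the original post and not Sophos code: a small parser for the `key="value"` httpproxy log format quoted above that reports, per source IP, clients that only ever receive 407 responses with blank `user` and `ad_domain`, so you can see whether the condition affects every client or only some. The first sample line is shortened from the post; the other lines, including the user `jdoe` and domain `EXAMPLE`, are constructed.

```python
import re
from collections import defaultdict

# key="value" pairs as they appear in the httpproxy line quoted in the post
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample input: the first line is shortened from the post,
# the remaining lines are made up for this example.
SAMPLE_LOG = """\
2015:08:24-11:32:35 proxy01-2 httpproxy[6376]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="HEAD" srcip="192.168.3.7" dstip="" user="" ad_domain="" statuscode="407" url="http://kzufjwvz/" auth="2"
2015:08:24-11:32:36 proxy01-2 httpproxy[6376]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.7" dstip="" user="" ad_domain="" statuscode="407" url="http://example.com/" auth="2"
2015:08:24-11:32:37 proxy01-2 httpproxy[6376]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.9" dstip="" user="" ad_domain="" statuscode="407" url="http://example.com/" auth="2"
2015:08:24-11:32:38 proxy01-2 httpproxy[6376]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.3.9" dstip="93.184.216.34" user="jdoe" ad_domain="EXAMPLE" statuscode="200" url="http://example.com/" auth="2"
2015:08:24-11:32:40 proxy01-2 ulogd[4321]: id="2001" severity="info" sys="SecureNet" srcip="192.168.3.20" action="drop"
"""

def parse_line(line):
    """Return the key="value" fields of one httpproxy line, or None for other daemons."""
    if "httpproxy[" not in line:
        return None
    return dict(FIELD_RE.findall(line))

def sso_failures(log_text):
    """Map srcip -> count of 407s with blank user, for clients that never authenticated.

    A single 407 is the normal proxy authentication challenge, so a client is
    reported only when no request from it ever carries a user name.
    """
    challenged = defaultdict(int)
    authenticated = set()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or "srcip" not in f:
            continue
        if f.get("user"):
            authenticated.add(f["srcip"])
        elif f.get("statuscode") == "407" and not f.get("ad_domain"):
            challenged[f["srcip"]] += 1
    return {ip: n for ip, n in challenged.items() if ip not in authenticated}

if __name__ == "__main__":
    for ip, n in sorted(sso_failures(SAMPLE_LOG).items()):
        print(f"{ip}: {n} unauthenticated 407 responses, no user ever logged")
```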


