Background: A few months ago we have started at last to begin a migration from Win2003 AD servers to Win2012 AD servers. So far, we have only added one single Win2012 AD to our structure. "Everything" is still set to work with the old server, i.e., the old server still has the FSMO roles and the single sign on server used by UTM (version 9.309-3) is also the good old Win2003 one. Nevertheles, when we rebooted the new server once last week, AD SSO immediately stopped working and we could not get it operational ever since.
My immediate reaction was to allow the Default Web Filter Profile for all internal IPs in transparent mode and disable the custom (AD group based) profile.
To start debugging, I reenabled the custom profile restricted to test machines. And this is what happens:
The user is prompted with a login dialog ("Authentication required") and even when entering correct credentials, the dialog just keeps popping up again. Until the user hits cancel in that dialog and is presented the "Authentication failed" message.
The policy tool (Web protection -> policy information -> policy test) shows that the rules themselves work fine, i.e., the test results actually depends in the expected way on the AD groups the username entered belongs to.
Testing the credentials against the one and only auth server (under Definitions & Users -> authentication services -> server -> edit) also works fine ("Authentication test passed" and AD groups displayed).
However, I see no sign of the failing attempts at all in the logs (maybe I look at the wrong ones - http.log and aua.log?).
I already re-added the UTM into AD, without success.
What can be done?
This thread was automatically locked due to age.
