Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 6 replies
  • Answers 1 answer
  • Subscribers 4 subscribers
  • Views 10489 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Active Directory SSO Problems

PMIAdmin

We have our Web Filter Profiles setup to use Active Directory SSO authentication.  This has been working fine for a while.  Recently, users have sporadically not been able to access websites.  Examining the logs shows that the users are not being authenticated.  To troubleshoot I started by opening the Servers tab under Authentication Services and verifying the AD server connection.  Opening the server and clicking "Test" for Test Server Settings gives the following error message "Error: Server exists and accepts connections, but bind to ldap://x.x.x.x:389 failed with this Bind DN and Password."  If I enter the password again for the Bind DN and click "Test" the server test passes.  Now, when I click "Save" and then go back into the server and click on "Test" again I get the same error message as before.  The Bind DN we have been using for years is in the following format: CN=user,CN=Users,DC=domain,DC=com.  I have tried switching to: user@domain.com and get the same results.  Any ideas?



This thread was automatically locked due to age.
  • 0

    Hi,

    are u using NTLM or Kerberos?

    If NTLM, check if NTLM authentication is enabled (AD / PCs).

    Local Security Policy --> Security Settings --> Local Policies --> Security Options --> Network Security --> LAN Manager authentication level = Send LM & NTLM - use NTLM2 session security if negotiated

  • 0

    The Test-Button is actually broken. The functionality is not affected as far as I know (Test for example with AD-User Prefetch).

    Please see this thread: https://community.sophos.com/products/unified-threat-management/f/general-discussion/83465/bug-with-ad-connection-9-408-4

    It's already ticketed with Sophos Support (NUTM-5888).

    Is this Standard-Mode or Transparent?

    If Standard-Mode, do you use the FQDN of your UTM in Internet Explorer Proxy-Settings?

    Regards,

    Thorsten

    ---------------------------------------------------------------------

    Using Sophos XG or UTM with Wifi Hotspot and Password of the Day?
    Try our FREE Password of the Day APP!

    For Sophos UTM
    Apple iOS: https://apple.co/1YzD2vU
    Google Android: https://bit.ly/23ELyRq    		 For Sophos XG
    Apple iOS: https://appsto.re/de/aZjTdb.i
    Google Android: https://bit.ly/2bbimf1
  • 0 in reply to ThorstenSeiler

    Thank you both for the assistance.

    Our web filter policies are using Transparent mode with AD SSO.  I'm assuming this setup is using Kerberos.  After investigating further it does appear that the authentication is working most of the time, but then sporadically it will stop working for random users (not all) for an hour or longer.  I have tried clearing the authentication cache but that did not work.  I have had to create a "base" policy which is more open than I would like to allow continued browsing when the AD SSO stops working so web access is not completely blocked.

    Regards,

    Mike

  • 0 in reply to PMIAdmin

    Mike, I wonder if you aren't having issues on your server with Kerberos - have you looked at the logs there?  If Kerberos doesn't respond to an auth request, the UTM tries NTLMv1 = is that enabled on your server?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    I will have to enable Kerberos logging, our DCs are Server 2008.  LAN Manager authentication level on our DCs is set to "Send NTLM response only".  Should we change that to "Send LM & NTLM - use NTLMv2 session security if negotiated"?

     

    Regards,

    Mike

  • 0 in reply to PMIAdmin

    I would , Mike, even though the UTM does not yet do NTLMv2.  When I hear of similar problems, it's because auth is occurring via NTLM, that's why I wanted you to make sure Kerberos was running and that it was processing auth requests.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML