SFOS 16.05.6 MR-6 Broken STAS?

Hi All,

 

We have an XG 230 that I upgraded the firmware on. Since then, users are getting the authentication pop-up from the XG where others are fine.

Rebooting their PC fixes some, so it might lead to a fresh login event fixing it. The firewall shows them logging in but then logging out, and then I get an Authentication fail.

Seems STAS is working for many but randomly fails others since the Firmware update.

I run two DCs with STAS enabled (latest version of STAS) and I can see live users active yet others not. The inactivity timeouts are set high, so they would need to walk away for a few hours to be timed out.

EDIT: I disabled the inactivity timeout but still have the issue.

  

The logs just show NTLM Client failed to Authenticate.

Anyone else having this issue?

 

 

Edit: I can see a few others having the same since the update, so I will roll back my firmware for now until a fix is released.

  • In reply to Ian Melton:

    Ian Melton

    Yeah mine is similar.

    If I open STAS Collector on my Server 2008 R2 box I can only see two live users - The XG reports 162 live users right now.

    The server 16 STAS has no live users

     

     

    I see lots of errors in the Event Log regarding unable to connect to host to run WMI probes. Since I've altered the security I see fewer events, but at least the ones that are there are genuine connection refusals. I've had to add the STAS user account to the DCOM group in a GPO to get this thing to stabilise.

    No doubt as a result of MS updates tightening security from ransomware exploits, this has all gone to hell in a handbasket. Ironically, STAS auth utilises the same methods the worms use to infiltrate networks.

  • In reply to Kara Thrace:

    I see plenty of these:

     

    wrkstpoll_workerthread_wmi: couldnt connected to WMI Namespace '\\192.168.8.94\root\cimv2': 0x800706ba

     

    But users are still getting access via the Proxy, so not sure it's actually affecting anything.

    Not a fan of STAS - I would rather it be like the SG and connect it to AD directly
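
An added example (not part of any post in this thread, and not Sophos code) for triaging the collector errors quoted above: it parses `wrkstpoll_workerthread_wmi` lines, decodes the HRESULT, and counts failures per workstation by likely cause. `0x800706ba` is `RPC_S_SERVER_UNAVAILABLE` (Win32 error 1722); the regular expression is derived from the single line quoted in the thread, and every sample line after the first is constructed.

```python
import re
from collections import Counter

# HRESULTs a remote WMI/DCOM connect commonly returns, mapped to a triage bucket.
KNOWN = {
    0x800706BA: ("RPC_S_SERVER_UNAVAILABLE", "unreachable"),
    0x80070005: ("E_ACCESSDENIED", "access-denied"),
    0x80041003: ("WBEM_E_ACCESS_DENIED", "access-denied"),
}

# Pattern derived from the single log line quoted in the thread (an assumption
# about the collector's format, not a documented one).
LINE = re.compile(
    r"wrkstpoll_workerthread_wmi: .*?WMI Namespace "
    r"'\\\\(?P<host>[^\\']+)\\(?P<ns>[^']+)': (?P<hr>0x[0-9a-fA-F]{8})"
)

# First line is from the thread; the rest are constructed for illustration.
SAMPLE = [
    r"wrkstpoll_workerthread_wmi: couldnt connected to WMI Namespace '\\192.168.8.94\root\cimv2': 0x800706ba",
    r"wrkstpoll_workerthread_wmi: couldnt connected to WMI Namespace '\\192.168.8.94\root\cimv2': 0x800706ba",
    r"wrkstpoll_workerthread_wmi: couldnt connected to WMI Namespace '\\192.0.2.17\root\cimv2': 0x80070005",
    r"wrkstpoll_workerthread_wmi: couldnt connected to WMI Namespace '\\192.0.2.23\root\cimv2': 0x80041003",
    "some unrelated collector line",
]

def decode_hresult(hr):
    """Split a 32-bit HRESULT into (failure bit, facility, code)."""
    return bool(hr >> 31), (hr >> 16) & 0x7FF, hr & 0xFFFF

def triage(lines):
    """Count WMI probe failures per workstation, bucketed by likely cause."""
    hosts = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a WMI probe failure line
        hr = int(m.group("hr"), 16)
        _, bucket = KNOWN.get(hr, ("unknown", "other"))
        hosts.setdefault(m.group("host"), Counter())[bucket] += 1
    return hosts

if __name__ == "__main__":
    for host, buckets in sorted(triage(SAMPLE).items()):
        print(host, dict(buckets))
    print(decode_hresult(0x800706BA))
```

Hosts in the "unreachable" bucket are powered off or have RPC/WMI blocked by a host firewall; hosts in "access-denied" point at missing DCOM or WMI rights for the STAS service account.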

  • In reply to Ian Melton:

    Ian Melton

    I see plenty of these:

     

    wrkstpoll_workerthread_wmi: couldnt connected to WMI Namespace '\\192.168.8.94\root\cimv2': 0x800706ba

     

    But users are still getting access via the Proxy, so not sure it's actually affecting anything.

    Not a fan of STAS - I would rather it be like the SG and connect it to AD directly

     

    Might have agreed with you before I came across this thread: https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/93029/after-updating-to-9-501-5-sso-for-http-authentication-failed-and-domain-join-not-working#pi2151=1

  • In reply to Bill Roland:

    Doesn't apply in my case. Without STAS, clients auth using NTLM but user-based rule sets are applied sparsely, most not being applied. I had to set up a catch-all rule to allow access, so effectively security was out the window. With STAS working, rule sets are obeyed.

  • In reply to Kara Thrace:

    Hi all,

    Also in my setup, after the update from MR5 to MR6, STAS started to work very badly.

    The DC is on Windows 2008 R2.

    We use the WMI polling method, no logoff detection and "0" as dead entry timeout.

    All connection tests say "ok", but user authentication stops working some hours after a reboot of the Sophos XG.

    The STAS suite was also updated to 2.2.10.

  • In reply to Bill Roland:

    Mmmm not good.

     

    Will remain on MR-5 on XG as it's stable at present and STAS works.

  • Hello,

    I have exactly the same problem on 2 XG 210.

    Moreover, STAS authentication stops working with this update, but so does SATC on my Citrix and RDS servers!!!

    I rolled back to the MR5 version, which was working immediately after reboot on both.

     

    Regards.

  • In reply to FrançoisMORANO:

     

    Some users here report the issue with STAS on MR6. Could you contact some of them and get logs/tickets? Maybe it is a bug.

    Let us know.

    Thanks

  • In reply to lferrara:

    This from Sophos Support:

     

    Just to provide you an update, we have a bug ticket raised for the MR-6 and STAS issues: NC-20817.

    This is already being investigated.

  • In reply to Ian Melton:

    Hi Ian,

    Please check if the "Domain User" group is imported in the XG, under Authentication | Groups. My suggestion is to remove this group and verify.

    Thanks

  • In reply to sachingurung:

    And why is removing the Domain Users group the solution? I will try it, but I too am seeing random disconnects despite having turned off inactivity timers, lengthening timeouts etc. Nothing seems to make a difference. Happy to try it if it's going to resolve these auth issues.

  • In reply to sachingurung:

    I don't have the Domain User group being imported now.