

Cannot establish NTLM authentication channel with XXXX

Greetings,


Please bear with me:

We are getting the above message in our FW logs. I have verified the following things thus far:

Users can login to the VPN and validate w/o issue and w/o the captive portal.

The FW logs show all user activity for login/logout.

AD SSO is enabled.

STAS was also being used, but in troubleshooting this I have turned it off. Same results and all users are working fine.

FQDN is being used for the AD servers and connection test passes

-------------------- What issue I still have -----------------

I am still getting the 'Cannot establish NTLM authentication channel with <domain>' error in the authentication logs, despite it seemingly authenticating everyone that is logging into the VPN. STAS is disabled and only AD SSO is enabled. I've gone through a large part of the troubleshooting steps from this article:

doc.sophos.com/.../index.html

However, when I get to the step /oss/klist -e -k /tmp/krb5.keytab I get a permission denied error (also, it's not /oss/klist, it is oss/klist, as oss is a subdir of nasm), so I cannot go further in that test.

We are running 19.5.2 MR2-Build624, Model SG330

Any suggestions?



  • What is not mentioned in the Sophos docs (but essential for auth):

    You also have to add in the DNS request route settings your domain with your domain controller -> otherwise "Cannot establish NTLM authentication channel with <domain> error"

  • Finally an answer that wasn't a critique or questioning of my configuration, and you know what, it worked! This resolved my issues. Thank you so very much!

  • Oops - well almost fixed it! It now runs as a failure, then it does the same as a success a minute later and just keeps vacillating between the two states.

    2023-10-19 07:32:34 Authentication messageid="17945" log_type="Event" log_component="AD SSO" log_subtype="Authentication" status="Failed" user="" user_group="" client_used="" auth_mechanism="" reason="" src_ip="XXX.XXX.XXX.54" message="Cannot establish NTLM authentication channel with XXXXXXX" name="" src_mac=""

    2023-10-19 07:33:09 Authentication messageid="17945" log_type="Event" log_component="AD SSO" log_subtype="Authentication" status="Successful" user="" user_group="" client_used="" auth_mechanism="" reason="" src_ip="XXX.XXX.XXX.54" message="NTLM authentication channel established successfully with XXXXXX" name="" src_mac=""

    2023-10-19 07:34:51 Authentication messageid="17945" log_type="Event" log_component="AD SSO" log_subtype="Authentication" status="Failed" user="" user_group="" client_used="" auth_mechanism="" reason="" src_ip="XXX.XXX.XXX.54" message="Cannot establish NTLM authentication channel with XXXXXXX" name="" src_mac=""

    Halfway there!

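Added example, not part of the thread or of Sophos' own tooling: a small Python parser for the key="value" log lines quoted above that flags a domain controller whose NTLM channel keeps alternating between Failed and Successful, so the flapping is caught instead of only the most recent status. The sample lines, the 192.0.2.54 address and the DC name EXAMPLE are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the SFOS key="value" format shown in the thread
# (src_ip and the DC name are placeholders, not values from a real system).
SAMPLE_LOG = """\
2023-10-19 07:32:34 messageid="17945" log_type="Event" log_component="AD SSO" log_subtype="Authentication" status="Failed" src_ip="192.0.2.54" message="Cannot establish NTLM authentication channel with EXAMPLE"
2023-10-19 07:33:09 messageid="17945" log_type="Event" log_component="AD SSO" log_subtype="Authentication" status="Successful" src_ip="192.0.2.54" message="NTLM authentication channel established successfully with EXAMPLE"
2023-10-19 07:34:51 messageid="17945" log_type="Event" log_component="AD SSO" log_subtype="Authentication" status="Failed" src_ip="192.0.2.54" message="Cannot establish NTLM authentication channel with EXAMPLE"
2023-10-19 07:35:02 messageid="17945" log_type="Event" log_component="AD SSO" log_subtype="Authentication" status="Successful" src_ip="192.0.2.54" message="NTLM authentication channel established successfully with EXAMPLE"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})')


def parse_line(line):
    """Split one log line into a dict of key="value" fields plus its timestamp; None if malformed."""
    m = TS_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = m.group(1)
    return fields


def ntlm_channel_transitions(log_text):
    """Collect (timestamp, status) per DC for AD SSO NTLM channel events (messageid 17945)."""
    per_dc = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("log_component") != "AD SSO" or ev.get("messageid") != "17945":
            continue
        dc = ev["message"].rsplit(" with ", 1)[-1]  # DC/domain name ends the message text
        per_dc[dc].append((ev["timestamp"], ev["status"]))
    return per_dc


def is_flapping(statuses, min_flips=2):
    """True when the channel state changes at least min_flips times (Failed <-> Successful)."""
    flips = sum(1 for a, b in zip(statuses, statuses[1:]) if a != b)
    return flips >= min_flips


def flapping_controllers(log_text):
    """Sorted names of DCs whose NTLM channel keeps bouncing between failure and success."""
    return sorted(dc for dc, events in ntlm_channel_transitions(log_text).items()
                  if is_flapping([status for _, status in events]))


if __name__ == "__main__":
    print(flapping_controllers(SAMPLE_LOG))  # → ['EXAMPLE']
```

A single Failed line followed by a stable Successful state is not reported; only repeated state changes are, which is the pattern the post describes.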
