This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

After updating to 9.501-5 SSO for HTTP authentication failed and domain join not working.

UTM 9.501-5

Windows server 2012 domain controller.

I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites.

Can get to Google.ca

Cannot get to canada411.com - Too many http redirects message.

Turned off web filtering and the websites were available - but the client requires filtering.

Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.

Attempted to remove from and rejoin domain, but domain join failed.

 

Currently, I have the client functioning, but, I need to rejoin AD and resume SSO authentication.

 



This thread was automatically locked due to age.
Parents
  • Hi all,

    this fix works only temporary.

     

    - removed AD Object

    - removed Sophos UTM from Domain

    - sync all DC´s

    - rejoin Sophos

    --> this worked for ~ 8 hours, this morning, same issue again.

    It looks like that it has something todo with Kerberos.

     

    Additional finding:

    - After Update the deployment of wpad.dat via NAT Rule (Port 80) is no longer working at the internal interface. I had to create an additional Interface and then NAT from Port 80 to 8080 on the other interface.

     

    Sophos: Please fix these issues and better: test SSO / Kerberos before announcing a new Update.

     

    Regards

    Martin

Reply
  • Hi all,

    this fix works only temporary.

     

    - removed AD Object

    - removed Sophos UTM from Domain

    - sync all DC´s

    - rejoin Sophos

    --> this worked for ~ 8 hours, this morning, same issue again.

    It looks like that it has something todo with Kerberos.

     

    Additional finding:

    - After Update the deployment of wpad.dat via NAT Rule (Port 80) is no longer working at the internal interface. I had to create an additional Interface and then NAT from Port 80 to 8080 on the other interface.

     

    Sophos: Please fix these issues and better: test SSO / Kerberos before announcing a new Update.

     

    Regards

    Martin

Children
  • This might be a silly question, but how do I remove from AD domain?

    In single sign on tab I can only join the domain.

     

    Thank you very much

  • Hi,

    i had the same Problem before. What i did:

    type some bullshit for

    DOMAIN

    Username

    Password 

    and hit "Join Domain" 

    after this, the Sophos tells me it is no longer part of the Domain

    Then i deleted the Computer Account inside the AD Domain

  • Thank you

    For now it's working.

     

    The worst part of this is... I can't restore to previous version 9.500-9 no matter what.. at least until sophos fix this issue.

     

    JP

  • Hello,

    I have this problems in the fallback.log, when i restart the winbind deamon und the Webproxy it is running

     

    017:06:14-08:06:31 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:54.730590,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:54.752101,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:54.771175,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:54 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:55.248664,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:55.269122,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:06:55.287084,  0] libsmb/cliconnect.c:1865(cli_session_setup_spnego)
    2017:06:14-08:06:55 a-sophos-2 [daemon:err] winbindd[7738]:    Kinit failed: Preauthentication failed
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[7736]:  [2017/06/14 08:10:32.876805,  0] winbindd/winbindd.c:212(winbindd_sig_term_handler)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[7736]:    Got sig[15] terminate (is_parent=1)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[8569]:  [2017/06/14 08:10:32.876904,  0] winbindd/winbindd.c:212(winbindd_sig_term_handler)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[8569]:    Got sig[15] terminate (is_parent=0)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[8570]:  [2017/06/14 08:10:32.877241,  0] winbindd/winbindd.c:212(winbindd_sig_term_handler)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[7738]:  [2017/06/14 08:10:32.877780,  0] winbindd/winbindd.c:212(winbindd_sig_term_handler)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[7738]:    Got sig[15] terminate (is_parent=0)
    2017:06:14-08:10:32 a-sophos-2 [daemon:err] winbindd[8570]:    Got sig[15] terminate (is_parent=0)
    2017:06:14-08:10:33 a-sophos-2 [daemon:err] winbindd[8595]:  [2017/06/14 08:10:33.016423,  0] winbindd/winbindd_cache.c:3169(initialize_winbindd_cache)
    2017:06:14-08:10:33 a-sophos-2 [daemon:err] winbindd[8595]:    initialize_winbindd_cache: clearing cache and re-creating with version number 2

    Br McWolle

    Sophos Certified Engineer (SCE)
    Sophos Certified Architect (SCA)

  • 45 minutes and authentication issue back again.

    Now anyone.... I can i restore to previous version? Using restore function in web interface does not working

     

    Thanks

  • According to another, recent post, it's no longer required to unjoin the UTM from the domain and delete the Account in AD - just enter valid credentials and Join again.

    EDIT an hour later: Also, note the command line trick.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    do you have any idea why the UTM looses the kerberos tickets ? It looks like that the key renewal is not working.

    I joined the UTM this morning and all authentications are woking.

    maybe a script willhelp ? Or: do you know the process which renews ?

     

    Cheers

    Martin

  • I hadn't thought to look for it until you asked, Martin.  The following is a fictitious example:

    cc ad_join_domain DOMAIN.LOCAL adminbob G3d0utahere! 172.16.1.5

    DOMAIN.LOCAL - Active Directory domain name
    adminbob - Administrative username in AD
    G3d0utahere! - Password in AD for adminbob
    172.16.1.5 - IP Address of Domain controller

    That can take awhile depending on your hardware and connection.  A result of 1 means the join was successful, 0 means it failed.

    If you want to do that in a cron job, use /usr/local/bin/confd-client.plx instead of cc.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • FormerMember
    0 FormerMember in reply to BAlfson

    Hello Bob, 

    We have adjusted the KBA to include your suggestions. Thank you for all the input you have made on this issue!

    Sophos UTM: Httpproxy with AD-SSO authentication doesn't work with Internet Explorer and Chrome after upgrading to 9.5