Windows server 2012 domain controller.
I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites.
Can get to Google.ca
Cannot get to canada411.com - Too many http redirects message.
Turned off web filtering and the websites were available - but the client requires filtering.
Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.
Attempted to remove from and rejoin domain, but domain join failed.
Currently, I have the client functioning, but, I need to rejoin AD and resume SSO authentication.
This fix works only temporarily.
- removed AD Object
- removed Sophos UTM from Domain
- sync all DCs
- rejoin Sophos
--> this worked for ~ 8 hours, this morning, same issue again.
It looks like it has something to do with Kerberos.
- After the update, the deployment of wpad.dat via a NAT rule (port 80) is no longer working on the internal interface. I had to create an additional interface and then NAT from port 80 to 8080 on the other interface.
Sophos: Please fix these issues and better: test SSO / Kerberos before announcing a new Update.
This might be a silly question, but how do I remove from AD domain?
In single sign on tab I can only join the domain.
Thank you very much
I had the same problem before. What I did:
type some bullshit for
and hit "Join Domain"
After this, the Sophos tells me it is no longer part of the domain.
Then I deleted the computer account inside the AD domain.
For now it's working.
The worst part of this is... I can't restore to the previous version 9.500-9 no matter what, at least until Sophos fixes this issue.
45 minutes and authentication issue back again.
Now, anyone... how can I restore to the previous version? Using the restore function in the web interface is not working.
You can find the procedure here:
According to another, recent post, it's no longer required to unjoin the UTM from the domain and delete the Account in AD - just enter valid credentials and Join again.
EDIT an hour later: Also, note the command line trick.
Cheers - Bob
Do you have any idea why the UTM loses the Kerberos tickets? It looks like the key renewal is not working.
I joined the UTM this morning and all authentications are working.
Maybe a script will help? Or: do you know the process which renews?
I hadn't thought to look for it until you asked, Martin. The following is a fictitious example:
cc ad_join_domain DOMAIN.LOCAL adminbob G3d0utahere! 172.16.1.5
DOMAIN.LOCAL - Active Directory domain name
adminbob - Administrative username in AD
G3d0utahere! - Password in AD for adminbob
172.16.1.5 - IP address of the domain controller
That can take a while depending on your hardware and connection. A result of 1 means the join was successful, 0 means it failed.
If you want to do that in a cron job, use /usr/local/bin/confd-client.plx instead of cc.
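An added example of what such a cron job could look like (this is not Bob's script and not Sophos code). The only facts taken from the thread are the /usr/local/bin/confd-client.plx path, the ad_join_domain argument order and the meaning of the 1/0 result; everything else is an assumption: that the result is printed on stdout, that the credentials are read from a root-only file (/root/.utm-ad-join, user on line 1 and password on line 2) rather than written into the crontab, and the wrapper's own path in the crontab comment.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos: a cron wrapper around the
# confd-client join command Bob describes. Assumption: ad_join_domain prints
# its 1/0 result on stdout.

# Assumption: a root-only file (mode 0600) with two lines, "user" and
# "password", so the AD password is not stored in the crontab itself.
CRED_FILE="${CRED_FILE:-/root/.utm-ad-join}"
JOIN_BIN="${JOIN_BIN:-/usr/local/bin/confd-client.plx}"   # path from Bob's post
LOG_TAG="utm-ad-rejoin"

# cron mails stderr, so log there; no syslog dependency needed for the example.
log_msg() { echo "$LOG_TAG: $*" >&2; }

# Map the numeric result of ad_join_domain to a shell exit status.
# 1 = joined successfully, 0 = failed (as stated in the thread); anything
# else is "unexpected output" so cron never reports a false success.
interpret_join_result() {
    case "$1" in
        1) return 0 ;;
        0) return 1 ;;
        *) return 2 ;;
    esac
}

# Minimal argument check: domain and DC must be present and the DC must look
# like an IPv4 address, so a typo does not leave the UTM half-joined.
validate_args() {
    domain="$1"; dc="$2"
    [ -n "$domain" ] && [ -n "$dc" ] || return 1
    echo "$dc" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    return 0
}

# Run the join once and report the outcome. Returns non-zero on any failure so
# a cron MAILTO recipient is told when the re-join stops working.
run_join() {
    domain="$1"; dc="$2"
    validate_args "$domain" "$dc" || { log_msg "bad arguments"; return 3; }
    [ -r "$CRED_FILE" ] || { log_msg "missing or unreadable $CRED_FILE"; return 3; }
    user=$(sed -n 1p "$CRED_FILE"); pass=$(sed -n 2p "$CRED_FILE")
    result=$("$JOIN_BIN" ad_join_domain "$domain" "$user" "$pass" "$dc" 2>/dev/null | tr -d '[:space:]')
    if interpret_join_result "$result"; then rc=0; else rc=$?; fi
    log_msg "join $domain via $dc -> result='$result' rc=$rc"
    return $rc
}

# Only perform the join when explicitly asked, so sourcing the file does not
# touch the domain. Example crontab line (assumption: every 6 hours, inside
# the ~8 hour window Martin observed before the tickets went stale):
#   0 */6 * * * /root/utm-ad-rejoin.sh --run DOMAIN.LOCAL 172.16.1.5
if [ "${1:-}" = "--run" ]; then
    run_join "$2" "$3"
    exit $?
fi
```

Keeping the password out of the crontab matters because the join command takes it as a plain argument: for the duration of the join it is visible in the process list anyway, so the wrapper at least avoids leaving it readable on disk in /etc/crontab or the cron spool.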
We have adjusted the KBA to include your suggestions. Thank you for all the input you have made on this issue!
Sophos UTM: Httpproxy with AD-SSO authentication doesn't work with Internet Explorer and Chrome after upgrading to 9.5
It's a shame that you did not pull the up2date seeing as you have known about this for a while.
We applied the update on Friday and then on Saturday we had the problem.
I tried searching for the actual error that you get in the log, but your KB article https://community.sophos.com/kb/en-us/126819 doesn't actually include the error, so I was unable to find it.
Please can you update it to include this information.
It is nice to see that you tweeted about this on Saturday (something I have complained about the lack of in the past), but by then it was too late!