
After updating to 9.501-5 SSO for HTTP authentication failed and domain join not working.

UTM 9.501-5

Windows server 2012 domain controller.

I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites.

Can get to

Cannot get to - Too many http redirects message.

Turned off web filtering and the websites were available - but the client requires filtering.

Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.

Attempted to remove from and rejoin domain, but domain join failed.


Currently, I have the client functioning, but, I need to rejoin AD and resume SSO authentication.


This thread was automatically locked due to age.
  • Hi Bob,

    Do you have any idea why the UTM loses the Kerberos tickets? It looks like the key renewal is not working.

    I joined the UTM this morning and all authentications are working.

    Maybe a script will help? Or: do you know the process which renews?




  • I hadn't thought to look for it until you asked, Martin.  The following is a fictitious example:

    cc ad_join_domain DOMAIN.LOCAL adminbob G3d0utahere!

    DOMAIN.LOCAL - Active Directory domain name
    adminbob - Administrative username in AD
    G3d0utahere! - Password in AD for adminbob - IP Address of Domain controller

    That can take a while depending on your hardware and connection. A result of 1 means the join was successful, 0 means it failed.

    If you want to do that in a cron job, use /usr/local/bin/confd-client.plx instead of cc.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • FormerMember
    0 FormerMember in reply to BAlfson

    Hello Bob, 

    We have adjusted the KBA to include your suggestions. Thank you for all the input you have made on this issue!

    Sophos UTM: Httpproxy with AD-SSO authentication doesn't work with Internet Explorer and Chrome after upgrading to 9.5

  • It's a shame that you did not pull the up2date seeing as you have known about this for a while.

    We applied the update on Friday and then on Saturday we had the problem.

    I tried searching for the actual error that you get in the log

    Key version number for principal in key table is incorrect

    but your KB article doesn't actually include the error! So I was unable to find it.

    Please can you update it to include this information.


    It is nice to see that you tweeted about this on Saturday, (something I have complained about the lack of in the past)  but by then it was too late!
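
The error text quoted in the post above is the symptom to watch for in the web proxy log. The following shell check is an added example (not part of the thread and not Sophos code) that counts that message in a log file so a scheduled job can flag a broken AD SSO keytab; the log line layout, the sample lines and the threshold of 3 are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: detect the Kerberos key-version error quoted in the thread.
KVNO_MSG='Key version number for principal in key table is incorrect'

# Write constructed sample log lines (not real UTM output) to file $1.
write_sample_log() {
    cat > "$1" <<'EOF'
2000:01:01-08:01:12 utm-sample httpproxy[4321]: request allowed
2000:01:01-08:01:15 utm-sample httpproxy[4321]: Key version number for principal in key table is incorrect
2000:01:01-08:14:40 utm-sample httpproxy[4321]: Key version number for principal in key table is incorrect
2000:01:01-08:59:03 utm-sample httpproxy[4321]: Key version number for principal in key table is incorrect
2000:01:01-09:02:27 utm-sample httpproxy[4321]: request blocked by category
2000:01:01-09:10:51 utm-sample httpproxy[4321]: Key version number for principal in key table is incorrect
EOF
}

# Print the number of lines in file $1 that contain the error (0 if none).
kvno_error_count() {
    grep -cF -- "$KVNO_MSG" "$1" || true
}

# Print "<YYYY:MM:DD-HH> <count>" per hour that logged the error.
# Assumes each line starts with a YYYY:MM:DD-HH:MM:SS timestamp (constructed layout).
kvno_errors_by_hour() {
    awk -v msg="$KVNO_MSG" '
        index($0, msg) { n[substr($1, 1, 13)]++ }
        END { for (h in n) print h, n[h] }
    ' "$1" | sort
}

# Return 0 (alert) when the error count in $1 reaches threshold $2 (default 3).
kvno_alert() {
    [ "$(kvno_error_count "$1")" -ge "${2:-3}" ]
}

# Demo on the constructed sample.
log=$(mktemp)
write_sample_log "$log"
kvno_errors_by_hour "$log"
if kvno_alert "$log" 3; then
    echo "ALERT: AD SSO keytab looks out of sync; check the domain join"
fi
rm -f "$log"
```

To use it on a real system, pass the path of the web proxy log to `kvno_alert` in place of the sample file.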