
After updating to 9.501-5, SSO for HTTP authentication failed and domain join is not working.

UTM 9.501-5

Windows server 2012 domain controller.

I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites.

Can get to Google.ca

Cannot get to canada411.com - Too many http redirects message.

Turned off web filtering and the websites were available - but the client requires filtering.

Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.

Attempted to remove from and rejoin domain, but domain join failed.

 

Currently, I have the client functioning, but I need to rejoin AD and resume SSO authentication.

 



  • No problems seen with 9.500 regarding WebProxy and AD SSO. Updated two days ago to 9.501.

    Windows Server 2016 Environment, fully patched. Windows 10 Client, fully patched.

    After updating to 9.501, at first no problems; some hours later, the already mentioned problems with HTTP Proxy and AD SSO. Tried some things: changing the password of the AD user having problems, and last but not least unjoined the UTM, kept the AD computer account, rejoined, rebooted. Everything worked for a couple of hours, then the same problem occurred. I tried this with Firefox (52.2.0 ESR), Chrome (58.0.3029.110) and IE 11.

    Some minutes ago, I tried to rejoin without unjoining first; it doesn't help.

    In all cases this is logged in the WebProxy log:

    2017:06:20-07:50:16 bifroest httpproxy[21852]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xe6fc0400" function="adir_auth_process_negotiate" file="auth_adir.c" line="1636" message="gss_accept_sec_context: Key version number for principal in key table is incorrect"

    Flushing the authentication cache and a manual resync of AD group memberships don't help.

    I think the UTM doesn't renew its Kerberos ticket. The corresponding log on a DC shows that network preauthentication failed for the UTM-Name$ account.

     

    Fehler bei der Kerberos-Vorauthentifizierung.

    Kontoinformationen:
        Sicherheits-ID:            <DOMAIN>\<ComputerAccountName>$
        Kontoname:                <ComputerAccountName>$

    Dienstinformationen:
        Dienstname:                krbtgt/<DOMAIN FQDN>

    Netzwerkinformationen:
        Clientadresse:               <UTM IP ADDRESS>
        Clientport:                33302

    Weitere Informationen:
        Ticketoptionen:            0x40000010
        Fehlercode:                0x18
        Typ vor der Authentifizierung:    2

    Zertifikatsinformationen:
        Zertifikatausstellername:       
        Seriennummer des Zertifikats:    
        Zertifikatfingerabdruck:       

    Zertifikatinformationen werden nur bereitgestellt, wenn ein Zertifikat zur Vorauthentifizierung verwendet wurde.

    Vorauthentifizierungtypen, Ticketoptionen und Fehlercodes sind in RFC 4120 definiert.

    Wenn das Ticket eine ungültige Form hat oder beim Transport beschädigt wurde und nicht entschlüsselt werden kann, sind viele Fehler dieses Ereignisses möglicherweise nicht vorhanden.
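
A triage sketch for the two log sources quoted in the reply above, added here as an example and not part of the original post or of Sophos tooling: it parses the WebProxy `key="value"` line format, counts the `gss_accept_sec_context` key-version failures, and maps the DC event's `Fehlercode` to its RFC 4120 name. The sample lines are constructed from the one quoted in the post, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the WebProxy log format quoted in the post (not real capture data).
SAMPLE_LOG = """\
2017:06:20-07:49:58 bifroest httpproxy[21852]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET"
2017:06:20-07:50:16 bifroest httpproxy[21852]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xe6fc0400" function="adir_auth_process_negotiate" file="auth_adir.c" line="1636" message="gss_accept_sec_context: Key version number for principal in key table is incorrect"
2017:06:20-07:50:21 bifroest httpproxy[21852]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xe6fc0a00" function="adir_auth_process_negotiate" file="auth_adir.c" line="1636" message="gss_accept_sec_context: Key version number for principal in key table is incorrect"
"""

# Subset of RFC 4120 error codes that matter when a machine account's keys drift.
KRB_ERRORS = {
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x25: "KRB_AP_ERR_SKEW",
    0x2C: "KRB_AP_ERR_BADKEYVER",
}

HEAD = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) (\w+)\[(\d+)\]: (.*)$')
PAIR = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Split one log line into a dict of its key="value" fields, or None if malformed."""
    m = HEAD.match(line)
    if not m:
        return None
    ts, host, proc, _pid, rest = m.groups()
    rec = dict(PAIR.findall(rest))
    rec.update(time=datetime.strptime(ts, "%Y:%m:%d-%H:%M:%S"), host=host, proc=proc)
    return rec

def kvno_failures(text):
    """Return the parsed records where GSS-API rejected a ticket over the key version."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["proc"] == "httpproxy" and "Key version number" in rec.get("message", ""):
            hits.append(rec)
    return hits

def summarize(text, dc_error_code):
    """Combine proxy-side failures with the DC-side error code (hex string, e.g. '0x18')."""
    hits = kvno_failures(text)
    return {
        "count": len(hits),
        "first_seen": hits[0]["time"].isoformat() if hits else None,
        "dc_error": KRB_ERRORS.get(int(dc_error_code, 16), "unknown"),
    }
```

The `first_seen` timestamp is the value to compare against the time of the last domain join or machine-account password change when working out how long SSO held before the keytab and the DC disagreed.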
