This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

After updating to 9.501-5 SSO for HTTP authentication failed and domain join not working.

UTM 9.501-5

Windows server 2012 domain controller.

I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites.

Can get to Google.ca

Cannot get to canada411.com - Too many http redirects message.

Turned off web filtering and the websites were available - but the client requires filtering.

Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.

Attempted to remove from and rejoin domain, but domain join failed.

 

Currently, I have the client functioning, but, I need to rejoin AD and resume SSO authentication.

 



This thread was automatically locked due to age.
Parents Reply Children
  • Does that use NTLM or Kerberos for authentication?  I have a feeling using IP to connect to our proxy is using NTLM which fails.

  • I am running transparent also but specify a FQDN proxy server on the session host servers as transparent don't work on machines with multiple users. None of them work with authentication now.

    I am running in transparent mode now without authentication till this blows over, just to be protected from malware at least, but computers/users that should not have full internet access are now not filtered out.

    Still I only have myselft to blame. Should now better than to trust an update right after release. I have had a lot of problems earlier with updates.

    When we first went for a Sandstorm license 1,5 years ago it went a whole 6 months !! Before Sandstorm started Working.

    Reason I found out it was not working was that we got a hit by ransomeware. The file should have been stopped. Before this I had asked support two times if there was anything wrong it did not seem right to me. It did not detect anything. Sophos support said this was normal.

    After a two month long service ticket and probably the tenth time they tried to fix it they finally said that now it was fixed. No explanation and no reimbursement for the 6 months without a functioning product.

    Don't really know why we still are using Sophos appliances. But I still like the product :) We came from Forefront TMG  when that went out of support.

    Lesson learned. Wait, wait, wait before applying updates.

    Still Sophos could be more present and admit they have issues when they clearly do.

  • Kerberous i think but at this point I am a bit fried. Looking at logs all day while being shouted out by users and trying to do other work is doing my head in

    Our macs are working with the agent

    Wireless stuff is working through hotspots 

    It is just the PCs that wont pass the authentication through although every now and then some do work.  This is after the patch - 3rd line support are now looking at it..

    If we get to the end of the day with no resolution I will fire up a new VM on some older firmware and try restoring.  Nothing to lose at this point.

  • We were also a TMG shop, I was lamenting it demise yesterday!

     

    If you run setspn -l <UTM-Hostname> does it list the FDQN you are using to connect to the proxy?  Also on the client does KList show a ticket for the FQDN for the proxy?

  • Setspn gives message "could not find account".

    No ticket listed

  • Is the machine Domain joined?

  • Yes same message on both 2016 and 2012R2 session host servers.

    Only reason they have internet now is because I disabled "block users that fail to authenticate"

    This network is set to use transparent proxy

  • Sorry is the UTM domain joined?

  • Should be and it says that it is. But thats the problem. Keeps disconnecting :) have not done a rejoin today. Did yesterday

  • Oorsti, have you tried adding a cron job to do this every morning?  See Sophos UTM: Httpproxy with AD-SSO authentication doesn't work with Internet Explorer and Chrome after upgrading to 9.5.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA