This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

After updating to 9.501-5 SSO for HTTP authentication failed and domain join not working.

UTM 9.501-5

Windows server 2012 domain controller.

I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites.

Can get to Google.ca

Cannot get to canada411.com - Too many http redirects message.

Turned off web filtering and the websites were available - but the client requires filtering.

Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.

Attempted to remove from and rejoin domain, but domain join failed.

 

Currently, I have the client functioning, but, I need to rejoin AD and resume SSO authentication.

 



This thread was automatically locked due to age.
Parents Reply
  • Hi Bob,

    we are having the same issue. Authentication gets lost and we have to manually rejoin the utm. Then it works.

    Yesterday i followed the above instructions and edit the crontab-static and after rebuild the entry was found in the crontab as expected. After that i did a reboot just to see if authentication still works (assuming that a reboot would break ad sso authentication and the crontab will handle it). AD Authentication worked fine after reboot.

    This morning the ad sso authentication was broken again. I just looked at the crontab and the line

    0 7 * * * root /usr/local/bin/confd-client.plx ad_join_domain DOMAIN.LOCAL adminbob G3d0utahere! 172.16.1.5

    was gone. Am i missing something? I'm fairly new to sophos, but the changes made to the utm were clear and pretty straight forward for me.

    we are using 2 sg230 in an active / passiv mode, running 9.414-2.

    Dennis

Children
  • Dennis, /etc/crontab gets overwritten often - you must add that line in /etc/crontab-static and it will then be included in crontab when you make any change in WebAdmin that affects a cronjob.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That's what i did. I add the line in the crontab-static, then made changes to the webadmin and the crontab was updated. Today both, the /etc/crontab-static and etc/crontab were missing the line i added yesterday. All i did was the reboot. Is it possible, that the changes made interfere with the acticv-passive cluster?

     

    Dennis

  • In HA, changes at the command line must be made to both devices.  Apparently, you're now working on what was the Slave when you changed /etc/crontab-static.  Just do the same thing on the current Master and you'll be good to go on either device.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    i followed your advice two weeks ago but things didn't get better. The ad sso connection got lost some time at night so i had to rejoin every morning for about two weeks. For some reason it worked on two different days, but please don't ask me why.

    So i did update my ha cluster last thursday to version 9.502-4 and rejoined ad sso. Since then, the ad sso authentication works like a charme :-)

     

    On the other hand i have an error and i'm not sure if it's related to the updade or if i'm just to blind to see:

    If i try to connect to www.pkf.de, the site will always be blocked (blocked categorie Business). I'm quite sure that this external domain worked before. The strange thing is, looking at the web filter live protocol, calling this single domain is always without an valid ad user and therefore blocked. Every other domain from the same browser will be connected with an valid ad-user.

    2017:07:31-16:55:13 hhs050utm-2 httpproxy[7986]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="xx.xx.xx.xx" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="85887" request="0xcdccc00" url="http://www.pkf.de/" referer="" error="" authtime="0" dnstime="0" cattime="46375" avscantime="0" fullreqtime="47510" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" exceptions="auth,mime,application,fileextension,size" category="105" reputation="neutral" categoryname="Business" reason="category"

    This domain is whitelisted and has an exception for ^https?://([A-Za-z0-9.-]*\.)?pkf\.de/  and ^http?://([A-Za-z0-9.-]*\.)?pkf\.de/ with every single option activated. IPS has been deactivated for testing purposes.

    I also have the following error when clicking on the blue exclamation mark on almost every exception rule:

    Can't use string ("0") as an ARRAY ref while "strict refs" in use at /wfe/asg/modules/asg_misc.pm line 727.

    I don't know if there is an context to the first error, but as far as i can see i have to either rebuild the database (at least in a single device environment) or to do a factory reset with a restore.

     

    Any ideas on this?

    Dennis

     

     

     

  • Problem solved....

    I turned off ha, removed the slave node (back to factory reset) and rebuld the database on the old master. Everything is working again as expected so far. Then turned on ha again.

     

    :-)

    Dennis

  • So does anyone know if there is a valuable workaround for this or a working fix to solve the problem? does not hear anything from sophos regarding this...

  • What issues are you still having?  Is it just the authentication issues or other issues that seem to be tied to it like random sites that time out or cant get to?

  • Authentication Issues, i synced my webproxy with my DC, joined the UTM to the Domain. today my User is browsing the Internet without problems, tomorrow it doesn't work unless i do an rejoin of the UTM to the domain. this problems occur on several UTMs i manage since the update on 9.501

    it is pretty annoying and my customers are losing patience on this...

  • And why aren't you update to 9.502 where these problems had been solved?

    Or have O missed some infoformation?

    Best

    Alex

    -

  • already updated to 9.502, rejoined the UTM to the domain, deleted the computeraccount from AD, rejoined again, made sure the sync beetween the DCs is working properly.

    it's not working at all.... any suggestions?