
After updating to 9.501-5 SSO for HTTP authentication failed and domain join not working.

UTM 9.501-5

Windows server 2012 domain controller.

I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites.

Can get to Google.ca

Cannot get to canada411.com - Too many http redirects message.

Turned off web filtering and the websites were available - but the client requires filtering.

Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.

Attempted to remove from and rejoin domain, but domain join failed.

 

Currently, I have the client functioning, but, I need to rejoin AD and resume SSO authentication.

 



  • Keep getting new customers reporting HTTP authentication problems. It does not seem to be a global issue though, since some of them, with the latest up2date, are not experiencing this.

     Support just told me that there is no available WA and the only option for the time being (besides re-joining) would be to downgrade [:(]

  • The problem is that we cannot downgrade to 9.500. This version has no issues...

    Someone @Sophos: Is there any chance for you to release the 9.500 again on the up2date FTP server?

  • Hi, Thomas, and welcome to the UTM Community!

    Have you tried a cronjob as suggested in Sophos UTM: Httpproxy with AD-SSO authentication doesn't work with Internet Explorer and Chrome after upgrading to 9.5?

    To do this every morning at 7AM add the following line to /etc/crontab-static (substitute with your credentials):

    0 7 * * * root /usr/local/bin/confd-client.plx ad_join_domain DOMAIN.LOCAL adminbob G3d0utahere! 172.16.1.5

    After that, you need to make the system rebuild /etc/crontab.  In 'Management > Up2Date' change the 'Firmware Download Interval', [Apply], change it back and [Apply].

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
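
A small shell helper, added here as an example and not part of Bob's post or of Sophos UTM itself, that installs the cron line into /etc/crontab-static without duplicating it and lets you confirm that the regenerated /etc/crontab actually contains it. The file paths are the ones named in the post; DOMAIN.LOCAL, adminbob, the password and 172.16.1.5 are the post's placeholders, not real values.

```shell
#!/bin/sh
# Added example (not from the thread, not Sophos code): install the nightly
# ad_join_domain cron line into crontab-static without duplicating it, and
# verify afterwards that the rebuilt crontab contains it. File paths are
# parameters so the functions can be exercised against temporary files.

# Cron line from Bob's post; DOMAIN.LOCAL, adminbob, the password and
# 172.16.1.5 are the placeholders used in the thread, not real values.
REJOIN_LINE='0 7 * * * root /usr/local/bin/confd-client.plx ad_join_domain DOMAIN.LOCAL adminbob G3d0utahere! 172.16.1.5'

# ensure_cron_line FILE LINE
# Appends LINE to FILE unless an identical line is already there, so the
# helper can be re-run after an up2date without stacking duplicate jobs.
# Prints "added" or "present".
ensure_cron_line() {
    file="$1"; line="$2"
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        echo present
    else
        printf '%s\n' "$line" >> "$file"
        echo added
    fi
}

# cron_line_present FILE LINE
# Exit 0 when LINE is in FILE. Run against /etc/crontab after the WebAdmin
# round-trip that regenerates it (Management > Up2Date, change the firmware
# download interval, Apply, change it back, Apply).
cron_line_present() {
    grep -qxF -- "$2" "$1"
}

# check_files LINE FILE...
# Reports "FILE: ok" or "FILE: missing" for each file; exit 1 if any is
# missing. On an active/passive pair the edit has to be made on both nodes,
# so run this check on each node.
check_files() {
    line="$1"; shift
    rc=0
    for f in "$@"; do
        if cron_line_present "$f" "$line"; then
            echo "$f: ok"
        else
            echo "$f: missing"
            rc=1
        fi
    done
    return "$rc"
}

# Typical use on the appliance (as root):
#   ensure_cron_line /etc/crontab-static "$REJOIN_LINE"
#   ... trigger the crontab rebuild in WebAdmin ...
#   check_files "$REJOIN_LINE" /etc/crontab-static /etc/crontab
```

Two practical caveats: the line stores the join account's password in clear text in a root-owned file on the appliance, so use an account whose only right is to join that computer object rather than a domain admin; and because command-line changes are not carried over between HA nodes, repeat the edit and the check on both devices.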
  • thx  ;)

     

    Today is day ??, still no answer/solution from Sophos

     

  • Hi Bob

    Is there anyway to fully automate this work-around?

    After the UTM domain re-join, I've found that some users still cannot access the internet using chrome until they reboot.

    Thanks

     

    Mark

  • I used BAlfson's solution

    started the cron Job at 5AM

    No Problems until now

     

  • Hi!

    Same here: Some users have to reboot after Domain-Re-Join.

    TJ

  • Hi Bob,

    We are having the same issue. Authentication gets lost and we have to manually rejoin the UTM. Then it works.

    Yesterday I followed the above instructions and edited the crontab-static, and after the rebuild the entry was found in the crontab as expected. After that I did a reboot just to see if authentication still works (assuming that a reboot would break AD SSO authentication and the crontab would handle it). AD authentication worked fine after reboot.

    This morning the AD SSO authentication was broken again. I just looked at the crontab and the line

    0 7 * * * root /usr/local/bin/confd-client.plx ad_join_domain DOMAIN.LOCAL adminbob G3d0utahere! 172.16.1.5

    was gone. Am I missing something? I'm fairly new to Sophos, but the changes made to the UTM were clear and pretty straightforward for me.

    We are using two SG230s in active/passive mode, running 9.414-2.

    Dennis

  • Dennis, /etc/crontab gets overwritten often - you must add that line in /etc/crontab-static and it will then be included in crontab when you make any change in WebAdmin that affects a cronjob.

    Cheers - Bob

  • That's what I did. I added the line to crontab-static, then made changes in WebAdmin and the crontab was updated. Today both /etc/crontab-static and /etc/crontab were missing the line I added yesterday. All I did was the reboot. Is it possible that the changes made interfere with the active-passive cluster?

     

    Dennis

  • In HA, changes at the command line must be made to both devices.  Apparently, you're now working on what was the Slave when you changed /etc/crontab-static.  Just do the same thing on the current Master and you'll be good to go on either device.

    Cheers - Bob

  • Hi Bob,

    I followed your advice two weeks ago but things didn't get better. The AD SSO connection got lost some time at night, so I had to rejoin every morning for about two weeks. For some reason it worked on two different days, but please don't ask me why.

    So I updated my HA cluster last Thursday to version 9.502-4 and rejoined AD SSO. Since then, the AD SSO authentication works like a charm :-)

     

    On the other hand I have an error and I'm not sure if it's related to the update or if I'm just too blind to see:

    If I try to connect to www.pkf.de, the site will always be blocked (blocked category Business). I'm quite sure that this external domain worked before. The strange thing is, looking at the web filter live log, calling this single domain is always without a valid AD user and therefore blocked. Every other domain from the same browser will be connected with a valid AD user.

    2017:07:31-16:55:13 hhs050utm-2 httpproxy[7986]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="xx.xx.xx.xx" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="85887" request="0xcdccc00" url="http://www.pkf.de/" referer="" error="" authtime="0" dnstime="0" cattime="46375" avscantime="0" fullreqtime="47510" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" exceptions="auth,mime,application,fileextension,size" category="105" reputation="neutral" categoryname="Business" reason="category"

    This domain is whitelisted and has an exception for ^https?://([A-Za-z0-9.-]*\.)?pkf\.de/  and ^http?://([A-Za-z0-9.-]*\.)?pkf\.de/ with every single option activated. IPS has been deactivated for testing purposes.

    I also have the following error when clicking on the blue exclamation mark on almost every exception rule:

    Can't use string ("0") as an ARRAY ref while "strict refs" in use at /wfe/asg/modules/asg_misc.pm line 727.

    I don't know if there is a context to the first error, but as far as I can see I have to either rebuild the database (at least in a single-device environment) or do a factory reset with a restore.

     

    Any ideas on this?

    Dennis
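
A shell scan over httpproxy log lines, added as an example that is not part of Dennis's post or of Sophos UTM, that reports blocked requests with an empty user field (the symptom in the log line above) and checks the URL against the two exception patterns as posted, so a pattern typo can be ruled out before suspecting the AD join. The first sample line is the one posted; the second line, the user name jdoe and its timing values are constructed for the contrast case, and the http.log path in the final comment is assumed.

```shell
#!/bin/sh
# Added example (not from the thread, not Sophos code): scan httpproxy log
# lines for requests that were blocked while carrying no AD user, and check
# each URL against the exception patterns from the post.

# LOG_POSTED is the line Dennis posted (client IP masked by him).
LOG_POSTED='2017:07:31-16:55:13 hhs050utm-2 httpproxy[7986]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="xx.xx.xx.xx" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="85887" request="0xcdccc00" url="http://www.pkf.de/" referer="" error="" authtime="0" dnstime="0" cattime="46375" avscantime="0" fullreqtime="47510" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" exceptions="auth,mime,application,fileextension,size" category="105" reputation="neutral" categoryname="Business" reason="category"'
# LOG_CONSTRUCTED is made up for this example: the same site fetched with a
# valid AD user (jdoe), the contrast case that must not be reported.
LOG_CONSTRUCTED='2017:07:31-16:55:20 hhs050utm-2 httpproxy[7986]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="xx.xx.xx.xx" dstip="" user="jdoe" group="" ad_domain="DOMAIN" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="85887" request="0xcdccc01" url="http://www.pkf.de/" referer="" error="" authtime="12" dnstime="0" cattime="120" avscantime="0" fullreqtime="300" device="0" auth="2" ua="Mozilla/5.0" exceptions="" category="105" reputation="neutral" categoryname="Business" reason=""'
SAMPLE_LOG="$LOG_POSTED
$LOG_CONSTRUCTED"

# Exception URL patterns exactly as posted (newline-separated grep patterns).
EXC_PATTERNS='^https?://([A-Za-z0-9.-]*\.)?pkf\.de/
^http?://([A-Za-z0-9.-]*\.)?pkf\.de/'

# field KEY LINE: value of KEY="..." in LINE, empty if absent. The leading
# space keeps e.g. "action" from matching inside "filteraction".
field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# url_matches_exception URL: exit 0 if URL matches any posted pattern.
url_matches_exception() {
    printf '%s\n' "$1" | grep -Eq -- "$EXC_PATTERNS"
}

# unauth_blocks: stdin log lines -> "srcip url categoryname matched"
# for every httpproxy block whose user field is empty; "matched" says
# whether the URL is covered by the exception patterns.
unauth_blocks() {
    while IFS= read -r line; do
        case "$line" in *httpproxy\[*) ;; *) continue ;; esac
        [ "$(field action "$line")" = block ] || continue
        [ -z "$(field user "$line")" ] || continue
        url=$(field url "$line")
        if url_matches_exception "$url"; then m=yes; else m=no; fi
        printf '%s %s %s %s\n' "$(field srcip "$line")" "$url" \
            "$(field categoryname "$line")" "$m"
    done
}

# count_unauth_blocks: number of such lines in SAMPLE_LOG.
count_unauth_blocks() {
    printf '%s\n' "$SAMPLE_LOG" | unauth_blocks | awk 'END { print NR }'
}

# On the appliance, e.g. (web filter log path assumed):
#   unauth_blocks < /var/log/http.log
```

For the posted line the scan reports one hit, with the URL matching the exception patterns, which is consistent with the post: the request is not failing on the pattern, it is arriving without a user.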

  • Problem solved....

    I turned off HA, removed the slave node (back to factory reset) and rebuilt the database on the old master. Everything is working again as expected so far. Then turned on HA again.

     

    :-)

    Dennis

  • So does anyone know if there is a valuable workaround for this or a working fix to solve the problem? I don't hear anything from Sophos regarding this...

  • What issues are you still having? Is it just the authentication issues or other issues that seem to be tied to it, like random sites that time out or that you can't get to?

  • Authentication issues. I synced my web proxy with my DC and joined the UTM to the domain. Today my user is browsing the Internet without problems, tomorrow it doesn't work unless I do a rejoin of the UTM to the domain. These problems have occurred on several UTMs I manage since the update to 9.501.

    It is pretty annoying and my customers are losing patience on this...

  • And why haven't you updated to 9.502, where these problems have been solved?

    Or have I missed some information?

    Best

    Alex

  • Already updated to 9.502, rejoined the UTM to the domain, deleted the computer account from AD, rejoined again, made sure the sync between the DCs is working properly.

    It's not working at all... Any suggestions?

  • Maybe one thing I experienced yesterday. After AD SSO had been running fine since upgrading to 9.502-4, I activated DNSSEC yesterday afternoon. After two hours I received the following warning mail:

    There was an error synchronizing subscribed groups. The Sophos UTM will continue to operate with a locally cached copy of the data but will be unable to update from Directory Services until the issue is resolved.

    Error was:

    -   failed to run samba command on DOMAIN, exiting now

    In the log view - system events - I found a lot of the following entries:

    - 2017:08:02-16:10:49 hhs050utm-1 dns-resolver[13992]: DNS server failed to contact!

    Then I deactivated DNSSEC again and everything was fine again.

    I had the error "failed to run samba ..." in the past when AD SSO authentication got broken. Since I have rebuilt my database I am not able to check deeper whether there was a similar error context before.

    Dennis


  • I am in the same boat. I called Sophos support multiple times and no one even mentioned rejoining the domain. They did not mention anything from this forum. Things work for a bit, then no one can access anything. A reboot of both UTMs in the HA is necessary and this fixes it for a short time most of the time, but the issue has been present every day since we ran these updates. I am at the latest update also, 9.502-4.

    Very disappointed with our new Sophos UTMs since the update. School is about to start and we will have 10,000 people here all with struggling Internet connections because of this update.