
After updating to 9.501-5, SSO for HTTP authentication failed and domain join is not working.

UTM 9.501-5

Windows server 2012 domain controller.

I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites.

Can get to Google.ca

Cannot get to canada411.com - "Too many HTTP redirects" message.

Turned off web filtering and the websites were available - but the client requires filtering.

Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.

Attempted to remove from and rejoin domain, but domain join failed.


Currently, I have the client functioning, but I need to rejoin AD and resume SSO authentication.

  • orrsti said:
    Don't really know why we still are using Sophos appliances.


    Same here.  I will be moving to Palo Alto as soon as my budget clears.  I'll have a pair of SG430s for sale at that point.


    -md

  • Hi Bob,

    I followed your advice two weeks ago, but things didn't get better. The AD SSO connection got lost some time at night, so I had to rejoin every morning for about two weeks. For some reason it worked on two different days, but please don't ask me why.

    So I updated my HA cluster last Thursday to version 9.502-4 and rejoined AD SSO. Since then, AD SSO authentication works like a charm :-)


    On the other hand I have an error, and I'm not sure if it's related to the update or if I'm just too blind to see:

    If I try to connect to www.pkf.de, the site is always blocked (blocked category Business). I'm quite sure that this external domain worked before. The strange thing is, looking at the web filter live log, requests to this single domain are always without a valid AD user and are therefore blocked. Every other domain from the same browser is connected with a valid AD user.

    2017:07:31-16:55:13 hhs050utm-2 httpproxy[7986]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="xx.xx.xx.xx" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="85887" request="0xcdccc00" url="http://www.pkf.de/" referer="" error="" authtime="0" dnstime="0" cattime="46375" avscantime="0" fullreqtime="47510" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" exceptions="auth,mime,application,fileextension,size" category="105" reputation="neutral" categoryname="Business" reason="category"

    This domain is whitelisted and has an exception for ^https?://([A-Za-z0-9.-]*\.)?pkf\.de/  and ^http?://([A-Za-z0-9.-]*\.)?pkf\.de/ with every single option activated. IPS has been deactivated for testing purposes.

    I also have the following error when clicking on the blue exclamation mark on almost every exception rule:

    Can't use string ("0") as an ARRAY ref while "strict refs" in use at /wfe/asg/modules/asg_misc.pm line 727.

    I don't know if there is a connection to the first error, but as far as I can see I have to either rebuild the database (at least in a single-device environment) or do a factory reset with a restore.


    Any ideas on this?

    Dennis
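The symptom Dennis describes can be checked mechanically: parse the httpproxy log line he quotes, confirm that the blocked URL does match the whitelist exception patterns he lists, and pull out exactly those blocks that carried no AD user. The following is an added example, not code from the post or from Sophos; it embeds the log line quoted above verbatim, plus two constructed lines (hypothetical user `jdoe`, domain `EXAMPLE`, host `other.example`) in the same field layout, and copies the two exception regexes from the post unchanged.

```python
import re

# The httpproxy log line quoted in the post above (page text, not constructed).
PAGE_LOG_LINE = (
    '2017:07:31-16:55:13 hhs050utm-2 httpproxy[7986]: id="0060" severity="info" '
    'sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" '
    'action="block" method="GET" srcip="xx.xx.xx.xx" dstip="" user="" group="" '
    'ad_domain="" statuscode="403" cached="0" '
    'profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" '
    'size="85887" request="0xcdccc00" url="http://www.pkf.de/" referer="" error="" '
    'authtime="0" dnstime="0" cattime="46375" avscantime="0" fullreqtime="47510" '
    'device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) '
    'Gecko/20100101 Firefox/54.0" exceptions="auth,mime,application,fileextension,size" '
    'category="105" reputation="neutral" categoryname="Business" reason="category"'
)

# Constructed lines (hypothetical user, domain and host names; same field layout):
# one passed request that did carry an AD user, and one block of an unrelated
# site with no user, so the filter below has cases it must ignore.
CONSTRUCTED_LOG_LINES = [
    '2017:07:31-16:55:20 hhs050utm-2 httpproxy[7986]: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" '
    'srcip="xx.xx.xx.xx" dstip="" user="jdoe" group="staff" ad_domain="EXAMPLE" '
    'statuscode="200" url="https://www.pkf.de/kontakt" categoryname="Business" '
    'reason=""',
    '2017:07:31-16:55:25 hhs050utm-2 httpproxy[7986]: id="0060" severity="info" '
    'sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" '
    'action="block" method="GET" srcip="xx.xx.xx.xx" dstip="" user="" group="" '
    'ad_domain="" statuscode="403" url="http://other.example/" '
    'categoryname="Business" reason="category"',
]

# Prefix: timestamp, host, process[pid]:  followed by key="value" pairs.
PREFIX_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+):\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# The two exception patterns from the post, copied verbatim.  Note that the
# second one, ^http?://, makes the "p" optional rather than the "s", so it
# only covers http:// (and the non-existent htt://); https:// URLs are
# matched by the first pattern.
EXCEPTION_PATTERNS = [
    re.compile(r'^https?://([A-Za-z0-9.-]*\.)?pkf\.de/'),
    re.compile(r'^http?://([A-Za-z0-9.-]*\.)?pkf\.de/'),
]


def parse_httpproxy_line(line):
    """Split one UTM httpproxy log line into a dict of its fields.

    Returns None for lines that do not have the expected prefix.
    """
    m = PREFIX_RE.match(line)
    if not m:
        return None
    entry = {"ts": m.group("ts"), "host": m.group("host"), "proc": m.group("proc")}
    # Values never contain a double quote, so a non-greedy [^"]* is enough.
    entry.update(KV_RE.findall(m.group("rest")))
    return entry


def url_matches_exception(url):
    """True if the URL is covered by one of the whitelist exception regexes."""
    return any(p.match(url) for p in EXCEPTION_PATTERNS)


def unauthenticated_whitelisted_blocks(lines):
    """Return (timestamp, url) for every request that was blocked while the
    user field was empty even though the URL matches a whitelist exception.

    That combination is the anomaly described in the post: the proxy never
    attached an AD identity to the request, so the authentication-based
    exception could not apply and the category block won.
    """
    hits = []
    for line in lines:
        entry = parse_httpproxy_line(line)
        if entry is None:
            continue
        if (entry.get("action") == "block"
                and entry.get("user", "") == ""
                and url_matches_exception(entry.get("url", ""))):
            hits.append((entry["ts"], entry["url"]))
    return hits


if __name__ == "__main__":
    for ts, url in unauthenticated_whitelisted_blocks([PAGE_LOG_LINE] + CONSTRUCTED_LOG_LINES):
        print(f"{ts}: whitelisted URL {url} blocked with no AD user attached")
```

Run against a larger export of the web filter log, the output lists only the requests where SSO silently failed on a whitelisted destination, which separates the authentication problem from ordinary category blocks and from the exception regexes themselves (which, as the test cases show, do match www.pkf.de and reject look-alike hosts).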


  • Problem solved....

    I turned off HA, removed the slave node (reset to factory defaults) and rebuilt the database on the old master. Everything is working again as expected so far. Then I turned on HA again.


    :-)

    Dennis

  • So does anyone know if there is a viable workaround for this or a working fix to solve the problem? I haven't heard anything from Sophos regarding this...

  • What issues are you still having? Is it just the authentication issues, or other issues that seem to be tied to it, like random sites that time out or can't be reached?

  • Authentication issues. I synced my web proxy with my DC and joined the UTM to the domain. Today my user is browsing the Internet without problems; tomorrow it doesn't work unless I rejoin the UTM to the domain. These problems have occurred on several UTMs I manage since the update to 9.501.

    It is pretty annoying, and my customers are losing patience with this...

  • And why haven't you updated to 9.502, where these problems have been solved?

    Or have I missed some information?

    Best

    Alex

    -

  • Already updated to 9.502, rejoined the UTM to the domain, deleted the computer account from AD, rejoined again, made sure the sync between the DCs is working properly.

    It's not working at all.... Any suggestions?

  • Maybe one thing I experienced yesterday. After AD SSO had been running fine since upgrading to 9.502-4, I activated DNSSEC yesterday afternoon. After two hours I received the following warning mail:

    There was an error synchronizing subscribed groups. The Sophos UTM will continue to operate with a locally cached copy of the data but will be unable to update from Directory Services until the issue is resolved.

    Error was:

    -   failed to run samba command on DOMAIN, exiting now

    In the log view - system events - I found a lot of the following entries:

    - 2017:08:02-16:10:49 hhs050utm-1 dns-resolver[13992]: DNS server failed to contact!

    Then I deactivated DNSSEC again and everything was fine again.

    I had the error "failed to run samba ...." in the past when AD SSO authentication got broken. Since I have rebuilt my database, I am not able to check deeper whether there was a similar error context before.

    Dennis


  • We had a similar issue.

    After each reboot, the proxy lost its connection with AD. A "net ads join" worked most of the time.

    After 4 or 5 hours, browsing became very slow.

    Using the web interface, we rejoined AD. It's better; it doesn't lose the connection with AD after a reboot. But:

    - We need to restart the proxy one or two times each day.

    - Some users cannot authenticate to the proxy. One day it works, another day it fails.