This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

After updating to 9.501-5 SSO for HTTP authentication failed and domain join not working.

UTM 9.501-5

Windows server 2012 domain controller.

I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites.

Can get to Google.ca

Cannot get to canada411.com - Too many http redirects message.

Turned off web filtering and the websites were available - but the client requires filtering.

Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.

Attempted to remove from and rejoin domain, but domain join failed.

 

Currently, I have the client functioning, but, I need to rejoin AD and resume SSO authentication.

 



This thread was automatically locked due to age.
  • According to another, recent post, it's no longer required to unjoin the UTM from the domain and delete the Account in AD - just enter valid credentials and Join again.

    EDIT an hour later: Also, note the command line trick.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    do you have any idea why the UTM looses the kerberos tickets ? It looks like that the key renewal is not working.

    I joined the UTM this morning and all authentications are woking.

    maybe a script willhelp ? Or: do you know the process which renews ?

     

    Cheers

    Martin

  • I hadn't thought to look for it until you asked, Martin.  The following is a fictitious example:

    cc ad_join_domain DOMAIN.LOCAL adminbob G3d0utahere! 172.16.1.5

    DOMAIN.LOCAL - Active Directory domain name
    adminbob - Administrative username in AD
    G3d0utahere! - Password in AD for adminbob
    172.16.1.5 - IP Address of Domain controller

    That can take awhile depending on your hardware and connection.  A result of 1 means the join was successful, 0 means it failed.

    If you want to do that in a cron job, use /usr/local/bin/confd-client.plx instead of cc.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I realized that with WannaCry, some of my clients have had the SMB1 turned off. When I re-enabled that, I was able to join the domain.

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force

    Now I just need to turn on the SSO Authentication and test the server access after hours.

    Hopefully the system will stabilize after that and I will not find out at 5:30 when the first person comes in.

     

  • Same problem here. Using Transparent Proxy with SSO

    Windows 2016 Domain controllers

    All clients gets "Access Denied" + "Authentication Failed" + "The URL you have requested is blocked by Surf Protection"

     

    Had to change authentication to "NONE" to let users access internet.

    leave/rejoin domain dows not help. Reboot all servers including domain controllers and client machines makes things work for a few minutes before f.ing up again.

    No updates installed on servers after firmware update on UTM.

    happended right after install of firmware 9.501-5

  • Same here.

     

    The workaround with joining the UTM again, is not really working. 

     

    I really have to remove the comupter Account from the Domain , do a repadmin /syncall /force  for the domaincontrollers, wait for ~ 15 Minuten.

    Then join again, and all is working perfect. .... 

     

    Sophos: we need a solution here, without authentication it is no solution, only a temporary workaround. We have to identify our Users to put them in different groups.

    Regards

    Martin

     

  • Hi all,

    just wanted to share some outlook on this.

    i confirm that the WA it´s only temporary. I received a couple of calls last friday in the morning, regarding this behavior and after rejoin the UTM´s to the AD the issue apparently was solved. Today the same clients reported the same behavior. Both incidents are reported on Sophos support.

     

    Edit:

    This is happening also with version 9.414-2.

  • When the first user reported that the WA is not working permanently i immediately rolled back our sophos to firmware version 9.413-4.

     

    Its working fine now.

     

    I think i saw in a different post that this problems occurs since the end of may.

    So i dont believe there´s gonna be a fix anytime soon and i suggest a rollback for anyone who has these issues.

     

    I was lucky that we got an active-passive cluster.

    So i released the cluster, rolled back one UTM with the newest config and replaced the still active UTM with it.

    I could minimize the downtime to about 10 minutes this way.

     

    Think about what you want to do with stuff that is not transfered with the config backup (logs,quarantiened e-mails).

    I didn´t need any of that but if you do, there is some work ahead since you can only migrate it through the CLI as far as i know

  • FormerMember
    0 FormerMember in reply to BAlfson

    Hello Bob, 

    We have adjusted the KBA to include your suggestions. Thank you for all the input you have made on this issue!

    Sophos UTM: Httpproxy with AD-SSO authentication doesn't work with Internet Explorer and Chrome after upgrading to 9.5