Windows Server 2012 domain controller.
I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites.
Can get to Google.ca
Cannot get to canada411.com - Too many http redirects message.
Turned off web filtering and the websites were available - but the client requires filtering.
Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.
Attempted to remove from and rejoin domain, but domain join failed.
Currently, I have the client functioning, but, I need to rejoin AD and resume SSO authentication.
You can find the procedure here:
According to another, recent post, it's no longer required to unjoin the UTM from the domain and delete the Account in AD - just enter valid credentials and Join again.
EDIT an hour later: Also, note the command line trick.
Cheers - Bob
Do you have any idea why the UTM loses the Kerberos tickets? It looks like the key renewal is not working.
I joined the UTM this morning and all authentications are working.
Maybe a script will help? Or: do you know the process which renews?
I hadn't thought to look for it until you asked, Martin. The following is a fictitious example:
cc ad_join_domain DOMAIN.LOCAL adminbob G3d0utahere! 172.16.1.5
DOMAIN.LOCAL - Active Directory domain name
adminbob - Administrative username in AD
G3d0utahere! - Password in AD for adminbob
172.16.1.5 - IP Address of Domain controller
That can take a while depending on your hardware and connection. A result of 1 means the join was successful, 0 means it failed.
If you want to do that in a cron job, use /usr/local/bin/confd-client.plx instead of cc.
I realized that with WannaCry, some of my clients have had the SMB1 turned off. When I re-enabled that, I was able to join the domain.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 -Force
Now I just need to turn on the SSO Authentication and test the server access after hours.
Hopefully the system will stabilize after that and I will not find out at 5:30 when the first person comes in.
Same problem here. Using Transparent Proxy with SSO
Windows 2016 Domain controllers
All clients get "Access Denied" + "Authentication Failed" + "The URL you have requested is blocked by Surf Protection"
Had to change authentication to "NONE" to let users access internet.
Leave/rejoin domain does not help. Rebooting all servers, including domain controllers and client machines, makes things work for a few minutes before f.ing up again.
No updates installed on servers after firmware update on UTM.
Happened right after install of firmware 9.501-5.
The workaround with joining the UTM again, is not really working.
I really have to remove the computer account from the domain, do a repadmin /syncall /force for the domain controllers, and wait for ~15 minutes.
Then join again, and all is working perfectly. ....
Sophos: we need a solution here, without authentication it is no solution, only a temporary workaround. We have to identify our Users to put them in different groups.
Just wanted to share some outlook on this.
I confirm that the WA is only temporary. I received a couple of calls last Friday in the morning regarding this behavior, and after rejoining the UTMs to the AD the issue apparently was solved. Today the same clients reported the same behavior. Both incidents are reported to Sophos support.
This is happening also with version 9.414-2.
When the first user reported that the WA is not working permanently, I immediately rolled back our Sophos to firmware version 9.413-4.
It's working fine now.
I think I saw in a different post that this problem has been occurring since the end of May.
So I don't believe there's gonna be a fix anytime soon, and I suggest a rollback for anyone who has these issues.
I was lucky that we got an active-passive cluster.
So I released the cluster, rolled back one UTM with the newest config and replaced the still active UTM with it.
I could minimize the downtime to about 10 minutes this way.
Think about what you want to do with stuff that is not transferred with the config backup (logs, quarantined e-mails).
I didn't need any of that, but if you do, there is some work ahead since you can only migrate it through the CLI as far as I know.
We have adjusted the KBA to include your suggestions. Thank you for all the input you have made on this issue!
Sophos UTM: Httpproxy with AD-SSO authentication doesn't work with Internet Explorer and Chrome after upgrading to 9.5