After updating to 9.501-5 SSO for HTTP authentication failed and domain join not working.

Question

UTM 9.501-5 
 Windows server 2012 domain controller. 
 I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites. 
 Can get to Google.ca 
 Cannot get to canada411.com - Too many http redirects message. 
 Turned off web filtering and the websites were available - but the client requires filtering. 
 Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked. 
 Attempted to remove from and rejoin domain, but domain join failed. 
 
 Currently, I have the client functioning, but, I need to rejoin AD and resume SSO authentication.

BAlfson · Accepted Answer

I hadn't thought to look for it until you asked, Martin. The following is a fictitious example: 
 cc ad_join_domain DOMAIN.LOCAL adminbob G3d0utahere! 172.16.1.5 
 DOMAIN.LOCAL - Active Directory domain name adminbob - Administrative username in AD G3d0utahere! - Password in AD for adminbob 172.16.1.5 - IP Address of Domain controller 
 That can take awhile depending on your hardware and connection. A result of 1 means the join was successful, 0 means it failed. 
 If you want to do that in a cron job, use /usr/local/bin/confd-client.plx instead of cc . 
 Cheers - Bob

BAlfson · Answer

Hi, Thomas, and welcome to the UTM Community! 
 Have you tried a cronjob as suggested in Sophos UTM: Httpproxy with AD-SSO authentication doesn't work with Internet Explorer and Chrome after upgrading to 9.5 ? 
 To do this every morning at 7AM add the following line to /etc/crontab-static (substitute with your credentials): 
 0 7 * * * root /usr/local/bin/confd-client.plx ad_join_domain DOMAIN.LOCAL adminbob G3d0utahere! 172.16.1.5 
 After that, you need to make the system rebuild /etc/crontab. In 'Management > Up2Date' change the 'Firmware Download Interval', [Apply], change it back and [Apply]. 
 Cheers - Bob

BAlfson · Answer

Stafford, I have no personal experience with any of this as I've done my best to keep everyone on 9.413. 
 Cheers - Bob

StaffordFields · Answer

Dont know if this is what you are looking for... but I had a tech look at my machine because another told me that a patch was available. 
 This 2nd or 3rd level tech told me there was initially 2 patches... related to the same thing but addressing different isues with the SSO. If the techs are telling them there is not a patch is it because this person told me there WAS two patches. One was pulled because it caused more problems... and that I would have to wait for the actual next release instead of an RPM patch. 
 So.. probably Rodrigo has the issue that cannot be fixed at this time. 
 Dont shoot the messinger.. Im just relaying what I have been told. 
 Thanks.....

IT Abteilung BeeWaTec AG · Answer

It finally works again for us. We did the following things in this order:

- Firmware Update to 9.503 from this page, at the moment only by FTP available:
community.sophos.com/.../utm-up2date-9-503-released

- delete AD computer object of Sophos UTM
- Do a failed Domain join at Definitions & Users -> Authentication Services -> Single Sign-On: fill in correct domain, but wrong username and password. Status should change to failed. Then join your domain again with correct login data, status should "Joined Domain".
- reboot your Sophos UTM
- users have to log off their computers and login again
- if you had your Sophos hostname in your Internet Explorer proxy settings: change it to ip. Like 172.17.0.123:8080 in our case.

Alexander Busch · Answer

Did you see this ? 
 Which browser did you use? Try Firefox. 
 Best 
 Alex

Benedikt Geelen · Answer

As suggested here: Sophos Forum 
 
 Remove the utm from the Domain, delete the computerobject in the AD, force and wait for DCs to sync, rejoin the domain. 
 This worked fine for me. AD SSO works again in Proxy Standardmode. 
 
 After removing the UTM from the domain i restarted all Sophos UTM Cluster Nodes. 
 I don&acute;t know if thats necessary, but maybe you could try that if it still doesn&acute;t work. 
 
 I hope the AD SSO still works after another restart of the UTM. 
 I am glad it works now so i did not try it.... 
 
 EDIT: 
 This Problem is not exclusive to 9.5. 
 We are on 9.414-2

Thorsten Trautwein-Veit · Answer

Hi fellows, 
 all our 5 UTMs are hit by this SSO bug. I am waiting urgently for a fix for that because from time to time I have to rejoin the UTM even with the workaround below.... 
 
 All at your own risk, of course. 
 
 I was directed to use the following permanent workaround : 
 ------------------------------------------------------------------------------------------------- 
 Edit /etc/krb5.conf and add 'case_sensitive = 0' in [libdefaults] group The whole file should look like: [libdefaults] default_realm = case_sensitive = 0 cp /etc/krb5.conf /var/chroot-http/etc/krb5.conf chown httpproxy:root /var/chroot-http/etc/krb5.conf /var/mdw/scripts/httpproxy restart 
 ------------------------------------------------------------------------------------------------- 
 In some cases I had to remove the computer account and rejoin the UTM and do not forget to replicate the whole forrest ;) 
 It seems to help, at least a longer time. 
 Cheers, 
 Thorsten