This discussion has been locked.

9.502 update: Internet users cannot authenticate with Active Directory

SG-230 firewalls in HA configuration.  After upgrade to 9.502 users were unable to access the internet.  Kept prompting users for credentials.  Testing websites and users in the Policy Test page showed as working fine but it isn't.

Rejoining the firewall to the domain seems to have fixed it - for now.



  • I can confirm that https requests with AD-Auth are still failing with 9.502; http requests are working correctly with AD-Auth.

    Proxy runs in standard mode with AD-Auth.

    Tried SSO re-join (+ deleting the Sophos AD object), rebooting and also using an older UTM backup file...

     

    Sophos support case is open...

     

    regards

  • For anyone still experiencing problems with AD SSO on 9.502 can you check your internal DNS servers for the A records relating to the UTM hostname. If there are multiple entries present here (corresponding to the different interfaces on the UTM) remove the entries that do not match the interface that the AD SSO clients are connecting to (typically the LAN interface).

    Flush DNS on the client machines and retest authentication.

     

    If this helps then can you drop me a private message to confirm?

     

    Thanks
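The DNS check described in the post above, as an added PowerShell example that is not part of the original thread. It assumes an AD-integrated DNS server with the DnsServer (RSAT) module available; the server, zone, host label and LAN address are placeholders.

```powershell
# Placeholder values (assumptions, not taken from the thread)
$DnsServer = 'dc01.example.internal'   # internal DNS server to audit
$Zone      = 'example.internal'        # forward lookup zone holding the UTM record
$UtmName   = 'utm'                     # UTM host label inside that zone
$LanIp     = '192.0.2.1'               # UTM interface the AD SSO clients connect to

# List every A record registered for the UTM hostname.
$records = @(Get-DnsServerResourceRecord -ComputerName $DnsServer `
        -ZoneName $Zone -Name $UtmName -RRType A)

# Mark each record: keep the one matching the LAN interface, flag the rest.
$report = foreach ($r in $records) {
    $ip = $r.RecordData.IPv4Address.IPAddressToString
    [pscustomobject]@{
        Address = $ip
        Action  = if ($ip -eq $LanIp) { 'keep' } else { 'remove' }
        Record  = $r
    }
}
$report | Format-Table Address, Action

if ($report | Where-Object Action -eq 'keep') {
    foreach ($row in $report | Where-Object Action -eq 'remove') {
        # -WhatIf only prints what would be deleted; drop it after reviewing the table.
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
            -InputObject $row.Record -WhatIf
    }
}
else {
    # Safety stop: never delete everything if the expected LAN record is missing.
    Write-Warning "No A record matches $LanIp; nothing will be removed."
}

# On a client machine, after the cleanup: flush the cache and confirm the answer.
Clear-DnsClientCache
Resolve-DnsName -Name "$UtmName.$Zone" -Type A -DnsOnly |
    Select-Object Name, IPAddress
```

After the client resolves only the LAN address, retest proxy authentication as the post describes.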

  • Yes, there were multiple DNS A records for the UTM, but cleaning these entries did not solve the problem... (just left the DNS entry with the internal IP)

    https-sites still not working with AD-Auth in proxy standard mode with UTM 9.502 here (at 2 customer sites)

    http-sites are working fine

     

    regards

  • Thanks SWeissflog

    Just out of interest, do these client machines use any kind of local web control on the endpoint?

  • I am running in transparent mode and never could get HTTPS to authenticate smoothly for the clients, I gave up on it.  I let it pass.

    Still authenticating fine since I rejoined the domain. - Just put in the same credentials and did not restart anything.

    I am running Kaspersky on the clients which has web filtering.

  • Your problem seems to be another (well known) problem...

    When using transparent mode with AD authentication the initial request of a client must be an http request! So if there is no authentication cache for the user/client on the UTM the client/user will receive an authentication pop-up... this often happens after rebooting/updating a single UTM...

    https://community.sophos.com/kb/en-us/120791#Limitations

     

  • The https problem seems to be a problem between Sophos UTM 9.5(02) and Kaspersky Security Suite. After stopping Kaspersky, browsing https websites with the Sophos web proxy is also working without authentication problems... But it was a Sophos update that kills the https traffic, not a Kaspersky update...

    Kaspersky and UTM 9.413 is working without problems...

     

    regards

  • There are threads all over the place with regards to the SSO issue. I take it none of you updated to 9.502-4

     

    Bugfixes

    • NUTM-8127 [AWS] Link to CloudFormation console during cloudupdate is not working
    • NUTM-3213 [Access & Identity] Inconsistent behaviour/state when deleting a user cert
    • NUTM-3283 [Access & Identity] IPSec: VPN ID shall not include blanks
    • NUTM-3294 [Access & Identity] Menu option (keyboard layout) background not rendered properly in IE (version 11.0.9600.17728)
    • NUTM-6972 [Access & Identity] SSLVPN disconnection: backend AD sync
    • NUTM-7897 [Access & Identity] Argos doesn’t start in HA setup without IP address
    • NUTM-7940 [Access & Identity] Client Authentication daemon crashes in HA scenario
    • NUTM-7982 [Access & Identity] SSL VPN connection not possible since v9.5 if organisation name contains umlauts
    • NUTM-7996 [Access & Identity] Devices authenticated via SAA are no longer associated with multiple user network objects in UTM 9.5
    • NUTM-8122 [Access & Identity] L2TP connections with separate DHCP server does not work
    • NUTM-8146 [Access & Identity] PPTP fails to connect when Assign IP addresses by is set to DHCP Server
    • NUTM-8147 [Access & Identity] OpenVPN vulnerabilities
    • NUTM-8161 [Access & Identity] OpenVPN vulnerabilities (client part)
    • NUTM-8280 [Access & Identity] High confd load through UMA
    • NUTM-8130 [Basesystem] Linux vulnerability ‘The Stack Clash’
    • NUTM-8156 [Basesystem] Apache httpd vulnerability (CVE-2017-3169)
    • NUTM-7235 [Confd] READONLY user can download support package
    • NUTM-7425 [Email] Emailenc causing high load – permanently 100% CPU usage
    • NUTM-7790 [Email] Restrict long regular expression in WebAdmin
    • NUTM-7876 [Email] POP3 Proxy stops working after some time
    • NUTM-7889 [Email] Sandbox scan doesn’t work – worker_do_get_file req content parsing error or missing parameters
    • NUTM-6116 [Network] Service_monitor sets wrong IP address for availability group
    • NUTM-7647 [Network] WAN random disconnects
    • NUTM-7735 [Network] ATP doesn’t work with “Send anonymous application accuracy telemetry data” disabled.
    • NUTM-7950 [Network] Dhcp client not running – restarted
    • NUTM-8015 [Network] Main interface IP address swapped by additional address for DHCP setup
    • NUTM-7543 [Reporting] Calculate correct malware count for ExecReport
    • NUTM-7609 [Reporting] Websec-reporter is constantly restarting
    • NUTM-7725 [Reporting] High latency while navigating through WebAdmin after trying to display Web Reports
    • NUTM-7878 [WAF] Segfault for HTTP 1.0 requests when cookie rewriting is enabled
    • NUTM-6845 [Web] https://sslvpn.goodix.com does not loads through UTM PROXY
    • NUTM-7467 [Web] Sandstorm communication issues in some configurations
    • NUTM-7697 [Web] httpproxy.ConfdReload – core dump generated during configuration reload
    • NUTM-7895 [Web] Enable SMB2 in Samba
    • NUTM-7939 [Web] Chrome v58 and higher fail verification with HTTPS scanning enabled
    • NUTM-7967 [Web] httpproxy coredump
    • NUTM-7960 [Web] Authentication issue after upgrade to 9.5 (kerberos)
    • NUTM-8110 [Web] Since upgrading to 9.501 authentication stops working every morning
    • NUTM-6950 [WiFi] APs displayed as inactive in WebAdmin while clients connect to SSIDs which are still being broadcasted
    • NUTM-7495 [WiFi] Wireless client IP in Webadmin not updated after changing the SSID
    • NUTM-7962 [WiFi] Split traffic not working for wireless clients on RED15w after upgrade to v9.5
  • Just updated Kaspersky Endpoint Security and now everything works fine.