
9.502 update causes Internet users to be unable to authenticate with Active Directory

SG-230 firewalls in HA configuration. After the upgrade to 9.502, users were unable to access the internet; it kept prompting them for credentials. Testing websites and users in the Policy Test page showed everything as working fine, but it isn't.

Rejoining the firewall to the domain seems to have fixed it - for now.

  • Even with a customer using STAS I had to rejoin the UTM to the Active Directory. I did it the "clean" way, unjoin, reset computer account, rejoin.

    Worked without any logout of the users.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • We had the same issue after upgrading to 9.501-5, and I'm currently very wary of updating to 9.502 - especially after reading your post.

    Rejoining the UTM into the domain worked for a short while, but the failure kept coming back after about 45-60 minutes.

    Only Sophos could solve this problem with a hot-fix, which had to be installed by Sophos itself.

    Have a look at this thread regarding SSO for HTTP authentication.

    I just read the change log for the 9.502, and it seems like that the AD SSO problem isn't even mentioned.


    Good luck,
    Uwe

  • Isn't that this NUTM?

    NUTM-7960 [Web] Authentication issue after upgrade to 9.5 (kerberos)

    According to talex it was only missed in the change log, but is included: community.sophos.com/.../utm-9-502-soft-release

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • This has been discussed elsewhere in this forum. The update process installs the buggy 9.500 and 9.501, which breaks AD SSO. 9.502 has the fix, but you must disconnect and rejoin to the domain for it to take effect. I think this task is in the release notes, which should be in the blog section of this forum. Unlike 9.501, this should be a permanent fix.

    A few people have reported problems with the rejoin  but most seem to have been successful.

    As far as I know, Sophos still considers 9.502 to be beta software, but if you have already gone past 9.408, it is probably your best option.

  • I would hope 9.502 is not considered beta since Sophos pushed it out to my SG 230 appliance - it does not state that anywhere in the information with it.

  • DouglasFoster said:
    This has been discussed elsewhere in this forum.  The update process installs the buggy 9.500 and 9.501, which breaks AD SSO.   9.502 has the fix, but you must disconnect and rejoin to the domain for it to take effect.  I think this task is in the release notes which should be in the blog section of this forum.  ....

    In my opinion the AD SSO should not break if there is no reboot between 9.4x and 9.502. I gave 9.502 a try today and it's still working without a rejoin. But maybe this is random.

    Best

    Alex


  • Hi

    Just to clarify a few points regarding 9.500/9.501. The main issues that users experienced regarding authentication in 9.500 and 9.501 were known as NUTM-7960 and NUTM-8110, and support had been applying patches to resolve these in the short term. The recently released 9.502 includes the fixes for both of these issues, so we would expect this to resolve the authentication problems in the majority of cases.

    9.502 has been put on general release as of yesterday so everyone should start to see this available in their GUI.

    Depending on the exact sequence of updates and reboots you may need to rejoin the UTM to the domain after upgrading to 9.502. To simplify things I would say the best course of action would be to install 9.502, rejoin the domain, then re-login all client users to enable AD SSO to work.

    If you do still encounter authentication issues after carrying out the above then contact Sophos Support with the following information:

    • Symptoms seen by the end user (e.g. errors, auth prompts etc.)
    • Are all or only some users affected
    • The mode of the proxy profile (standard/transparent)
    • Time/date and source IP of an example failed request
    • Either remote access enabled or the http.log

    This should give them a good starting place to identify and resolve any remaining problems.

    Greg
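To gather the "time/date and source IP of an example failed request" and the "all or only some users" answer from http.log before opening a case, here is a small triage script added as an example (it is not part of the thread or a Sophos tool). It assumes the proxy writes key="value" fields such as srcip, user, method and statuscode, that a standard-mode proxy prompts with HTTP 407, and that CONNECT marks HTTPS tunnels; the log lines are constructed, trimmed samples.

```python
import re
from collections import defaultdict

# Constructed sample, not a real capture: UTM-style key="value" lines trimmed to
# the fields this check uses (the exact field set is an assumption).
SAMPLE_HTTP_LOG = """\
2017:06:21-09:58:01 utm httpproxy[4211]: name="http access" method="GET" srcip="192.168.1.10" user="jdoe" statuscode="200" url="http://example.com/"
2017:06:21-09:58:07 utm httpproxy[4211]: name="http access" method="CONNECT" srcip="192.168.1.10" user="" statuscode="407" url="https://example.com/"
2017:06:21-09:58:09 utm httpproxy[4211]: name="http access" method="CONNECT" srcip="192.168.1.10" user="" statuscode="407" url="https://example.com/"
2017:06:21-09:59:12 utm httpproxy[4211]: name="http access" method="GET" srcip="192.168.1.20" user="" statuscode="407" url="http://example.net/"
2017:06:21-09:59:14 utm httpproxy[4211]: name="http access" method="CONNECT" srcip="192.168.1.20" user="" statuscode="407" url="https://example.net/"
2017:06:21-10:00:30 utm httpproxy[4211]: name="http access" method="CONNECT" srcip="192.168.1.30" user="asmith" statuscode="200" url="https://example.org/"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Split one log line into (timestamp, {field: value})."""
    ts, _, rest = line.partition(" ")
    return ts, dict(KV_RE.findall(rest))

def auth_triage(log_text):
    """Per source IP, count 407 challenges and authenticated requests, split by
    scheme (CONNECT = HTTPS tunnel, anything else = plain HTTP). One 407 is
    normal (it starts the Negotiate/NTLM handshake); a client that only ever
    gets 407s and never shows an authenticated request is stuck in the prompt loop."""
    stats = defaultdict(lambda: {"http_407": 0, "http_ok": 0, "https_407": 0,
                                 "https_ok": 0, "first_407": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        s = stats[f.get("srcip", "?")]
        scheme = "https" if f.get("method") == "CONNECT" else "http"
        if f.get("statuscode") == "407" and not f.get("user"):
            s[scheme + "_407"] += 1
            s["first_407"] = s["first_407"] or ts
        elif f.get("user"):
            s[scheme + "_ok"] += 1
    return dict(stats)

def stuck_clients(stats):
    """IPs challenged on a scheme but never authenticated on it, with the first
    failing timestamp: the time/date and source IP support asks for."""
    out = {}
    for ip, s in stats.items():
        failing = [sch for sch in ("http", "https")
                   if s[sch + "_407"] and not s[sch + "_ok"]]
        if failing:
            out[ip] = {"schemes": failing, "first_407": s["first_407"]}
    return out

if __name__ == "__main__":
    for ip, info in stuck_clients(auth_triage(SAMPLE_HTTP_LOG)).items():
        print(ip, info)
```

On the sample, 192.168.1.10 authenticates over HTTP but loops on HTTPS (the pattern a later reply in this thread reports), 192.168.1.20 fails on both, and 192.168.1.30 is fine.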

  • I can confirm that HTTPS requests with AD auth are still failing with 9.502; HTTP requests are working correctly with AD auth.

    Proxy runs in standard mode with AD auth.

    Tried an SSO re-join (+ deleting the Sophos AD object), rebooting and also using an older UTM backup file...

    Sophos support case is open...


    Regards

  • For anyone still experiencing problems with AD SSO on 9.502 can you check your internal DNS servers for the A records relating to the UTM hostname. If there are multiple entries present here (corresponding to the different interfaces on the UTM) remove the entries that do not match the interface that the AD SSO clients are connecting to (typically the LAN interface).

    Flush DNS on the client machines and retest authentication.


    If this helps then can you drop me a private message to confirm?


    Thanks