Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 6 subscribers
  • Views 1872 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

AD SSO suddenly stopped working

Godself

Hello, guys! I will try to be short.

The power went out for a long period a couple days ago and that caused UTM to restart. Because of that web surfing through AD SSO suddenly stopped working. To be more specific, I have no idea why their credentials isnt being used and because of that users are getting blocked pages (obviously).

2023:01:04-03:08:46 asg220akrk httpproxy[13050]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="172.16.2.156" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffFilteActioCall (Filter Action Call Center)" size="3212" request="0x33e8c00" url="">consulta4.confirmeonline.com.br/" referer="" error="" authtime="2" dnstime="0" aptptime="0" cattime="0" avscantime="0" fullreqtime="206860" device="1" auth="2" ua="" exceptions=""


I´ve done a few things like: rejoining again, restarting proxy and even restarting UTM (I know, eek!). 
I am not going to say about checking DNS forwarders, time sync between AD and Sophos, if FQDN (both ways) can be resolved and stuff like that because I consider this "home work" and I have already checked them. After all, everything was working smoothly.

It´s been a looong time I dont put in the work because I had a tech for that but he left a few days ago. So yeah, I have to get things done.
By the way, I read some issues in the current firmware (9.713-19) which is the one I am using but my problem doesnt seem one of them.

Appreciate any help!



This thread was automatically locked due to age.
Parents
  • 0

    Hello  ,

    Thank you for reaching out to the community, please refer the troubleshoot guide here - https://support.sophos.com/support/s/article/KB-000035211?language=en_US
    And may we know the deployment mode ? - https://support.sophos.com/support/s/article/KB-000035057?language=en_US

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Vivek Jagad

    Hello, Vivek! Thanks for the reply.

    I am aware of those links you posted. I read them again just to be sure that I was not missing anything, but no success. As I said, everything was working fine so I dont believe those configurations messed up by themselves (is that even possible?).

    I dont know if that helps, but some of those users use firefox for some websurfing and it worked fine too. It is still prompting for credentials, but it doesnt matter if they input. It doesnt work:

    2023:01:04-02:20:01 asg220akrk httpproxy[13050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.2.156" dstip="" user="weverton.alves" group="" ad_domain="AKRKPROMOTORA" statuscode="307" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="0" request="0x281e000" url="">asg220akrk/auth referer="" error="" authtime="2342" dnstime="0" aptptime="0" cattime="0" avscantime="0" fullreqtime="225070" device="1" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0" exceptions=""

    After that line, there is a lot of attemps in the log with this:

    2023:01:04-02:20:01 asg220akrk httpproxy[13050]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="172.16.2.156" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffFilteActioCall (Filter Action Call Center)" size="3216" request="0x2bb0b00" url="">detectportal.firefox.com/canonical.html" referer="" error="" authtime="2" dnstime="0" aptptime="0" cattime="0" avscantime="0" fullreqtime="379" device="1" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0" exceptions=""
Reply
  • 0 in reply to Vivek Jagad

    Hello, Vivek! Thanks for the reply.

    I am aware of those links you posted. I read them again just to be sure that I was not missing anything, but no success. As I said, everything was working fine so I dont believe those configurations messed up by themselves (is that even possible?).

    I dont know if that helps, but some of those users use firefox for some websurfing and it worked fine too. It is still prompting for credentials, but it doesnt matter if they input. It doesnt work:

    2023:01:04-02:20:01 asg220akrk httpproxy[13050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.16.2.156" dstip="" user="weverton.alves" group="" ad_domain="AKRKPROMOTORA" statuscode="307" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="0" request="0x281e000" url="">asg220akrk/auth referer="" error="" authtime="2342" dnstime="0" aptptime="0" cattime="0" avscantime="0" fullreqtime="225070" device="1" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0" exceptions=""

    After that line, there is a lot of attemps in the log with this:

    2023:01:04-02:20:01 asg220akrk httpproxy[13050]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="172.16.2.156" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffFilteActioCall (Filter Action Call Center)" size="3216" request="0x2bb0b00" url="">detectportal.firefox.com/canonical.html" referer="" error="" authtime="2" dnstime="0" aptptime="0" cattime="0" avscantime="0" fullreqtime="379" device="1" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0" exceptions=""
Children
  • 0 in reply to Godself

    Hi  ,

    Good day and hope you are well. 

    Unfortunate to hear this concern you are encountering. Thank you for sharing information and all the troubleshooting steps you have done on your end. May we ask if you already created a support ticket for this? If not, we recommend you to create one for this to be further check by an engineer. Then please share the would be generated caseID to me via DM or by replying to this thread. 

    Many thanks for your time and patience and Thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to Raphael Alganes

    Are there any updates arround this thread? Because my SSO isn't working any longer too. I could not find any error. Auth is working fine, the sg could prefetch users and groups, server and user test is ok but SSO has emtpy user and group information Disappointed

    also re-joined the ad without any problems - until last week some user from a co-loc with different IP-Range were logged but today they are empty too - any ideas ?

  • 0 in reply to DennisHünseler

    Hi Dennis,

    Good day and Thanks for reaching out to Sophos Community and hope you are well.

    Was your case also working previously and then after the update to 9.713 SSO faced issues? or it still worked after the update but only faced the issue until last week?

    Also, If you have followed the troubleshooting steps above and has no luck fixing. I would be recommending you also to create a support ticket for this to be further check by an engineer. You can also mention all the troubleshooting steps you have performed along with the details of the post. Then please share with us the would be generated caseID  via DM or by replying to this thread. 

    Many thanks for your time and patience and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

Unfiltered HTML