
Web proxy SSO issue. 407 and 403 errors without username, group and ad_domain in log

Hi all,

I hope someone can shine a light on this.

Yesterday, we suddenly got complaints that some users weren't able to access youtube anymore. It was blocked by category Streaming Media.

Indeed, in the Base policy this category is blocked. But a lot of users are members of an AD group that is attached to a different policy with a filtering action that allows streaming media.

In the logging we see 2 different things:

A lot of correct entries where a username, group and ad_domain is listed correctly. Depending on the membership that user is granted or denied access to e.g. youtube. In this example the user is denied access because he is not member of that particular AD group. So SSO works fine here.

2021:06:22-11:41:30 dtc-utm1 httpproxy[9960]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="192.168.x.xxx" dstip="" user="[username]" group="Active Directory Users" ad_domain="[our-domain]" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffUsersConteFilte (Users content filter action)" size="3543" request="0xc9ef1800" url="fcmatch.youtube.com/pixel" referer="https://acdn.adnxs.com/" error="" authtime="109" dnstime="0" aptptime="58" cattime="77" avscantime="0" fullreqtime="966" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36" exceptions="" reason="category" category="147" reputation="unverified" categoryname="Streaming Media"

But also a lot of incorrect entries that have a statuscode of 407 or 403 and no username, group and ad_domain listed. Example:

2021:06:21-13:52:56 dtc-utm1 httpproxy[6027]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="192.168.xxx.xxx" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaInterLan (Transparant Proxy voor clients lokaal)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="3171" request="0x10b7c700" url="https://youtube.com/" referer="" error="" authtime="1" dnstime="0" aptptime="62" cattime="24341" avscantime="0" fullreqtime="328158" device="1" auth="2" ua="" exceptions="" reason="category" category="147" reputation="trusted" categoryname="Streaming Media"

Btw, I also see a lot of entries where users access youtube and it is tagged as an application (so Application Control is handling those requests).

This issue is happening on both our Default webfilter profile (used with our Citrix environment) and our transparent mode proxy (used to get internet access outside our Citrix environment in the office). As the username etc. isn't found, I assume this is an SSO issue, right? I tested SSO in the UTM and used the policy helpdesk; these were all fine, no problems over there.

We had this issue some time ago and it also resolved by itself. I don't know what happened, but it looks like some kind of bug?!

Or has this something to do with conflicting policies / application control / misconfiguration?

Our version is Sophos UTM 9.705-7.  

Thanks in advance!

regards,

Wouter

  • The normal flow is:

    Web request

    UTM responds with 407 code (who are you?)

    Browser responds with NTLM credentials.

    UTM allows the connection and logs the event with the credentials.

    The 407 errors only indicate failure if there is no subsequent entry for the intended destination.

  • Hi Douglas,

    Thanks for your clarification, that part wasn't clear for me.

    Didn't have time yet to investigate the logs again to find subsequent entries after a 407 error.

    But is this the same for the 403 errors? Because 403 is 'forbidden' and that seems not right when there is not even a username / domain in the request.

  • 403 means that the authentication never happened or another problem occurred, so the connection did fail.

    Check the error="text" element for more detail about 403 errors. Also check the id="code" and name="description" elements for clues about the failure reason.

    Finally, check ua="text" to see if it was a browser or non-browser client. Only browsers can do AD SSO authentication.

    My experience with AD SSO has been that it works very well, so a UTM bug is possible but not likely.
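The two replies above describe a triage procedure: a 407 is only a failure when no later entry for the same client and destination follows it, and a 403 without a user needs its error=, id=, name= and ua= fields inspected. Below is an added Python checker that applies exactly that procedure to UTM httpproxy lines; it is example code written for this thread, not Sophos code or anything the poster ran. The log lines inside it are constructed (shortened to the fields that matter, private srcip values made up), and the id="0001" / name="http access" / action="pass" form used for the successful entries is assumed from how UTM logs allowed requests, not taken from the thread.

```python
import re

# UTM httpproxy lines are: "<timestamp> <host> <process[pid]>: key="value" key="value" ..."
HEAD_RE = re.compile(r'^(\S+) (\S+) (\S+): ')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample log (not real traffic). Line 1: authenticated user blocked by
# category. Lines 2-3: a 407 challenge followed by the same client/URL passing with
# credentials (normal SSO flow). Line 4: a 407 with no follow-up entry. Line 5: a 403
# with no user and an empty User-Agent, i.e. a client that cannot do AD SSO.
SAMPLE_LOG = """\
2021:06:22-11:41:30 dtc-utm1 httpproxy[9960]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="192.168.1.10" user="jdoe" group="Active Directory Users" ad_domain="EXAMPLE" statuscode="403" url="fcmatch.youtube.com/pixel" error="" authtime="109" ua="Mozilla/5.0" categoryname="Streaming Media"
2021:06:22-11:42:01 dtc-utm1 httpproxy[9960]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.1.11" user="" group="" ad_domain="" statuscode="407" url="https://youtube.com/" error="" authtime="1" ua="Mozilla/5.0"
2021:06:22-11:42:01 dtc-utm1 httpproxy[9960]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.1.11" user="asmith" group="Streaming Allowed" ad_domain="EXAMPLE" statuscode="200" url="https://youtube.com/" error="" authtime="95" ua="Mozilla/5.0"
2021:06:22-11:43:10 dtc-utm1 httpproxy[9960]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.1.12" user="" group="" ad_domain="" statuscode="407" url="https://youtube.com/" error="" authtime="1" ua="Mozilla/5.0"
2021:06:22-11:44:30 dtc-utm1 httpproxy[9960]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="192.168.1.13" user="" group="" ad_domain="" statuscode="403" url="https://youtube.com/" error="" authtime="1" ua="" categoryname="Streaming Media"
"""


def parse_line(line):
    """Parse one httpproxy line into a dict of its key="value" fields plus ts/host/proc."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    entry = {"ts": m.group(1), "host": m.group(2), "proc": m.group(3)}
    entry.update(KV_RE.findall(line[m.end():]))
    return entry


def analyse(log_text):
    """Classify entries the way the thread suggests: 403 with a user is an ordinary
    policy block; a 407 is resolved if a later non-407 entry exists for the same
    srcip and url; a 403 without a user is an authentication failure to investigate."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    result = {"authenticated_blocks": [], "resolved_407": [],
              "unresolved_407": [], "unauthenticated_403": []}
    for i, e in enumerate(entries):
        code, user = e.get("statuscode", ""), e.get("user", "")
        src, url = e.get("srcip", ""), e.get("url", "")
        if code == "407":
            follow = next((f for f in entries[i + 1:]
                           if f.get("srcip") == src and f.get("url") == url
                           and f.get("statuscode") != "407"), None)
            if follow:
                result["resolved_407"].append((src, url, follow.get("user", "")))
            else:
                result["unresolved_407"].append((src, url))
        elif code == "403":
            if user:
                result["authenticated_blocks"].append((user, url))
            else:
                # Keep the fields Douglas says to check for an unauthenticated 403.
                result["unauthenticated_403"].append({
                    "srcip": src, "url": url, "id": e.get("id", ""),
                    "name": e.get("name", ""), "error": e.get("error", ""),
                    "client": "browser" if e.get("ua") else "non-browser",
                })
    return result


if __name__ == "__main__":
    for key, items in analyse(SAMPLE_LOG).items():
        print(f"{key}: {items}")
```

Run it on a real log by replacing SAMPLE_LOG with the file contents; the unresolved_407 and unauthenticated_403 lists are the entries worth investigating, and the client field immediately separates browsers from agents (empty or non-browser ua=) that can never complete NTLM SSO.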