AD SSO stopped working

Question

Background: A few months ago we have started at last to begin a migration from Win2003 AD servers to Win2012 AD servers. So far, we have only added one single Win2012 AD to our structure. "Everything" is still set to work with the old server, i.e., the old server still has the FSMO roles and the single sign on server used by UTM (version 9.309-3) is also the good old Win2003 one. Nevertheles, when we rebooted the new server once last week, AD SSO immediately stopped working and we could not get it operational ever since.

My immediate reaction was to allow the Default Web Filter Profile for all internal IPs in transparent mode and disable the custom (AD group based) profile.
To start debugging, I reenabled the custom profile restricted to test machines. And this is what happens:
The user is prompted with a login dialog ("Authentication required") and even when entering correct credentials, the dialog just keeps popping up again. Until the user hits cancel in that dialog and is presented the "Authentication failed" message.

The policy tool (Web protection -> policy information -> policy test) shows that the rules themselves work fine, i.e., the test results actually depends in the expected way on the AD groups the username entered belongs to.
Testing the credentials against the one and only auth server (under Definitions & Users -> authentication services -> server -> edit) also works fine ("Authentication test passed" and AD groups displayed).
However, I see no sign of the failing attempts at all in the logs (maybe I look at the wrong ones - http.log and aua.log?).

I already re-added the UTM into AD, without success.

What can be done?

This thread was automatically locked due to age.

BAlfson · Accepted Answer

I'm not the right guy to ask about what happens when a 2012r2 server is added to a domain, but the timing of your problem still makes me suspect that it's involved. Have you set your 2012r2 server to accept NTLMv1 and SMB 1.0? Find the instructions for the latter in Windows XP Clients Cannot Execute Logon Scripts against a Windows Server 2012 R2 Domain Controller &#8211; Workaround . Cheers - Bob

hagman_01 · Answer

In short: KB3002657 breaks everything! Actually, we had already marked that update for unistall in our WSUS as soon as our net showed the first signs of weird problems. Since the uninstall apparently did not help, we were left with searching hi and lo for alternate causes. As UTM login was one of the most easily reproducable problems, I opened this thread. What I didn't notice was: The Win 2003 version of that KB considered itself not removable, hence our Win 2003 AD servers kept their problem (while stating that they were up to date). Interestingly, the experimental 2012 AD server, the introduction of which I finally suspected to be the root cause, was the only AD server that got the KB automatically uninstalled. - Finally we located and uninstalled KB3002567 manually on all 2003 AD servers, rebooted them, fixed! Thanks for your patience.