Hi,
I'm having problems with AD-SSO authentication at a customer's installation. The setup is a bit more complex, so I will first say a few words about it.
Connected to the UTM are 3 internal networks and two internet connections. Basically there are 2 separate companies: one has 141, the other 142 (LAN) and 143 (guest WLAN, not Sophos, can be ignored).
The special point is that both companies use the same SBS server, which resides in the 141 network. All clients are members of the same domain, only separated by OUs and permissions; the firewall part is relatively complex in this scenario.
The HTTP proxy runs in a different mode for each network: the 141 net is transparently proxied, without authentication. The clients in the 142 network use the UTM in standard mode with AD-SSO, and as 143 is only for guest access, this network isn't proxied at all. Clients in the 142 network use the wpad.dat from the UTM. In the auto-configuration, DIRECT is configured for the 141 network (if (isInNet(host, "192.168.141.0", "255.255.255.0")) { return "DIRECT"; }); the FQDN of the internal domain is currently not skipped.
SBS does DHCP for the 141 network, the UTM for 142 and 143. The DNS server for the 141 and 142 networks is the SBS, for 143 the UTM. For network 142, the WINS server is additionally the SBS.
Yesterday I changed the DNS configuration on the SBS to forward DNS to the UTM (root hints before). The configuration on the UTM is now: RLZ for 141 and 142 and FLZ to internal DNS (request routing), forwarder to public DNS servers, allowed networks for DNS usage are the SBS and the 143 network.
Today clients in the 142 network are having problems with the AD-SSO mode of the proxy: an authentication window pops up in the browser. Did I do anything wrong with my DNS config, or does anyone have a clue why AD-SSO suddenly has problems?
The quick-and-dirty solution was to turn off authentication, but a better solution would be appreciated.
DNS-config before:
- SBS used root hints
- UTM used SBS as forwarder
- allowed networks were 141 and 142
- no changes to DHCP and the DNS-server used for the clients
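A PAC file that carries the post's existing DIRECT rule for the 141 network and adds the internal-domain bypass the post notes is not configured yet. This is an added example, not the poster's wpad.dat; the proxy address 192.168.142.1:8080, the domain name corp.local and the helper shims (which a real browser supplies itself) are assumptions.

```javascript
// Added example PAC file for the layout described in the post.
// Assumptions (not from the post): the proxy is reached at the UTM's
// 142-side address 192.168.142.1:8080 and the AD domain is "corp.local".
const INTERNAL_DOMAIN = ".corp.local";        // assumed placeholder
const UTM_PROXY = "PROXY 192.168.142.1:8080"; // assumed placeholder

// Minimal shims for the PAC helpers a browser normally provides, so the
// file can be exercised offline in Node. Browsers ship their own versions;
// note that a browser's isInNet() also resolves hostnames, this shim only
// accepts literal IPv4 addresses.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
}
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }

function FindProxyForURL(url, host) {
  // Same rule the post already has: the 141 network goes DIRECT.
  if (isInNet(host, "192.168.141.0", "255.255.255.0")) return "DIRECT";
  // Unqualified (NetBIOS/WINS-style) names stay off the proxy.
  if (isPlainHostName(host)) return "DIRECT";
  // Internal AD domain bypass, which the post says is not configured yet.
  if (dnsDomainIs(host, INTERNAL_DOMAIN)) return "DIRECT";
  // Everything else goes through the UTM's standard-mode (AD-SSO) proxy.
  return UTM_PROXY;
}
```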