Problem with "DNS best practice" and AD-SSO

Hi,

I'm having problems with AD-SSO authentication at a customer's installation. The setup is a bit more complex, so I will first say a few words about it.

Connected to the UTM are 3 internal networks, two internet connections. Basically there are 2 separate companies, one has 141, the other 142 (LAN) and 143 (guest WLAN, not sophos, can be ignored).

The special point is that both companies use the same SBS server, which resides in the 141 network. All clients are members of the same domain, only separated by OUs and permissions, the firewall part is relatively complex in this scenario.

HTTP-proxy runs in different modes for each network... the 141 net is transparently proxied, without authentication. The clients in the 142 network are using the UTM in standard mode, with AD-SSO and as long as 143 is only for guest access this network isn't proxied at all. Clients in the 142 network use the wpad.dat from the UTM. In the auto configuration, DIRECT is configured for the 141 network ( if (isInNet(host, "192.168.141.0", "255.255.255.0")){ return "DIRECT"; }), the FQDN of the internal domain is currently not skipped.

SBS does DHCP for the 141 network, UTM for 142 and 143, DNS-Server for 141 and 142 networks is the SBS, for 143 the UTM. For network 142 additionally WINS server is the SBS.

 

Yesterday I changed the DNS-configuration on the SBS to forward DNS to the UTM (root hints before), the configuration on the UTM is now: RLZ for 141 and 142 and FLZ to internal DNS_ (request routing), forwarder to public DNS-servers, allowed networks for DNS usage is SBS and 143 network.

Today clients in the 142 network are having problems with the AD-SSO mode of the proxy, an authentication window pops up in the browser. Did I do anything wrong with my DNS config or has anyone a clue, why AD-SSO suddenly has problems?

Quick&dirty solution was to turn off authentication, but a better solution would be appreciated.

 

DNS-config before:
- SBS used root hints
- UTM used SBS as forwarder
- allowed networks were 141 and 142
- no changes to DHCP and the DNS-server used for the clients



  • Hi Kevin,

    What does the "User Authentication Daemon" log say?

    With AD-SSO, the UTM should find its domain controller. Is the UTM hostname (System Settings / Hostname) an FQDN in the SBS domain?

    Have you tried a re-join?

     

    Good luck!

    CS

     

    Sophos Certified Architect (UTM + XG)

  • If CS' suggestion didn't fix this, try:

    Restart winbindd
    /var/mdw/scripts/ntlm restart

    Let us know, Kevin.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Oh my god, shame on me....

    The request routing entry for the internal domain already existed before I changed the DNS config, so I didn't pay attention to it. Well, I should have...
    It turned out that the request routing entry for the internal domain contained wrong characters. It never ever made any difference in the past because the internal DNS was DNS forwarder for the UTM and so the "correct" entry was forwarded to the internal DNS, too.

    Now that DNS is functioning the other way it DID make a difference... :(

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner
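
A check that would flag a request-routing domain containing wrong characters, as in the root cause described above. This is an added example, not part of the original thread and not Sophos tooling; the function name `check_zone_name` and the sample domains are constructed for illustration.

```python
import unicodedata

MAX_LABEL = 63    # maximum length of one DNS label
MAX_NAME = 253    # maximum length of a full name without the trailing dot
# Letters, digits and hyphen: the characters valid in a hostname-style label.
LDH = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")


def check_zone_name(name):
    """Return a list of problems in a forward-zone (request routing) domain.

    Checks the zone name itself (e.g. the AD domain), not SRV owner names
    such as _ldap._tcp, which legitimately contain underscores.
    """
    problems = []
    # Report every character outside letters/digits/hyphen/dot with its code
    # point, so look-alike and invisible characters become visible.
    for pos, ch in enumerate(name):
        if ch == "." or ch in LDH:
            continue
        label = unicodedata.name(ch, "unnamed control character")
        problems.append(f"position {pos}: U+{ord(ch):04X} {label}")
    bare = name[:-1] if name.endswith(".") else name
    if len(bare) > MAX_NAME:
        problems.append(f"name longer than {MAX_NAME} characters")
    for part in bare.split("."):
        if not part:
            problems.append("empty label")
        elif len(part) > MAX_LABEL:
            problems.append(f"label longer than {MAX_LABEL} characters")
        elif part.startswith("-") or part.endswith("-"):
            problems.append(f"label {part!r} starts or ends with a hyphen")
    return problems


if __name__ == "__main__":
    # Constructed sample entries; none are taken from the thread.
    samples = [
        "corp.example.local",         # clean
        "corp.example.local ",        # trailing space from copy/paste
        "corp.ex\u0430mple.local",    # Cyrillic look-alike of "a"
        "corp.example.local\u200b",   # zero-width space
        "corp..local",                # doubled dot
    ]
    for s in samples:
        print(repr(s), "->", check_zone_name(s) or "OK")
```
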
