This site can’t be reached ntlmauth:8091

Hi all,

We are migrating from a UTM to XG.  XG is AD-integrated.

My pilot users keep getting a 'This site can’t be reached' page at the address sxg.domain.local:8091/ntlmauth.html when browsing, for example, to bbc.co.uk. Not always - sometimes it works, sometimes this NTLM page appears.

I don't know why - can anyone help? 

Thanks

Adrian



  • Likely this is an HSTS issue. 

    https://community.sophos.com/xg-firewall/f/discussions/118573/set-up-kerberos-in-v18/451140#451140

    NTLM should be an http:// request, not https://. 

    But your browser is using HSTS, as it knows that the website sxg.domain.local supports HTTPS (WebAdmin, User Portal?). 

    Clearing the HSTS cache should help.

    A workaround would be to use another hostname for WebAdmin etc. 

  • Thanks LuCar.

    I am trying to understand this. I had already read that post, but in the end it looked like it was because the XG hadn't joined the domain properly.

    I'm sure mine has - I had already set up a DNS route and DNS entry for the XG.  When I reboot, I get two messages in the logs, one saying NTLM is working and one saying Kerberos is working.

    But it's not practical for users to keep clearing their HSTS caches - it's complicated, and not scriptable (as far as I know).

    But I understand your comment about NTLM needing HTTP.  I just don't know how to change it.  Can you help?

    Thanks

    Adrian

    --

    This is what I see in wireshark:

    GET /ntlmauth.html?2bbc.co.uk/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-GB
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Accept-Encoding: gzip, deflate
    Host: sophosxg.bsria.local:8091
    Connection: Keep-Alive
    
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: NTLM
    Content-Length: 0
    Via: HTTP/1.1 forward.http.proxy:3128
    Connection: keep-alive
    
    

  • That's by design. NTLM always requires HTTP. HSTS only hits if you have already opened this hostname via HTTPS for some reason. Maybe you open WebAdmin? Or the User Portal on this hostname? 

  • Ok - I think I'm understanding.

    If, on this computer, I open the admin portal or user portal, which always use HTTPS, then the HSTS part of the browser thinks "sxg.domain.local works on HTTPS.  Therefore, I will put the hostname in the HSTS cache and ALWAYS connect using HTTPS".  Then, when the authentication portal opens on port 8081, the browser changes the protocol to HTTPS.  But the NTLM protocol does not work in HTTPS, so the page is left on the screen.

    So, how do I change the URL of the ntlm portal?

    Or, are you suggesting I change the URL of the admin portal and user portals?

    Thanks

    Adrian
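The mechanism LuCar describes, and that the Wireshark capture above is consistent with, can be reproduced with a small model of a browser's HSTS cache. This is an added example written for this page, not code from the thread or from Sophos. It follows the RFC 6797 rules: only a response received over HTTPS with a Strict-Transport-Security header creates an entry, the entry applies to the whole hostname regardless of port, and when an http:// URL to a known host is rewritten, an explicit port other than 80 is preserved. That last rule is why http://sxg.domain.local:8091/ntlmauth.html becomes https://sxg.domain.local:8091/ntlmauth.html, a TLS request to a listener that only speaks plain HTTP, hence "This site can't be reached". The hostnames, the WebAdmin port 4444 and the assumption that WebAdmin or the User Portal sends an HSTS header are all assumptions made for the example; the thread itself does not show that header. The model goes slightly beyond the thread by also handling includeSubDomains and max-age expiry, which matter when choosing the alternative WebAdmin hostname suggested as the workaround.

```javascript
// Added example (not part of the Sophos thread): a minimal RFC 6797 HSTS cache
// model used to reproduce the ntlmauth.html failure. Hostnames, ports and the
// Strict-Transport-Security header are assumptions chosen to mirror the thread,
// not a real XG configuration.

// Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).
// Returns null when the required max-age directive is missing or malformed.
function parseSts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const part of value.split(';')) {
    const [name, rawValue] = part.trim().split('=').map((s) => s.trim());
    const key = name.toLowerCase();
    if (key === 'max-age') {
      const digits = (rawValue ?? '').replace(/^"|"$/g, ''); // quoted-string form is allowed
      if (!/^\d+$/.test(digits)) return null;
      maxAge = Number(digits);
    } else if (key === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsCache {
  // `now` is injectable so expiry can be exercised deterministically.
  constructor(now = () => Date.now()) {
    this.entries = new Map(); // hostname -> { expires (ms), includeSubDomains }
    this.now = now;
  }

  // Record a policy from a response (header names lower-cased). Only a response
  // received over HTTPS may create or update an entry (RFC 6797 section 8.1);
  // max-age=0 removes it. Returns true when the cache was changed.
  observeResponse(url, headers) {
    const u = new URL(url);
    const header = headers['strict-transport-security'];
    if (u.protocol !== 'https:' || header === undefined) return false;
    const policy = parseSts(header);
    if (policy === null) return false;
    if (policy.maxAge === 0) {
      this.entries.delete(u.hostname);
    } else {
      this.entries.set(u.hostname, {
        expires: this.now() + policy.maxAge * 1000,
        includeSubDomains: policy.includeSubDomains,
      });
    }
    return true;
  }

  // A host is a "known HSTS host" on an exact match, or when a superdomain entry
  // carries includeSubDomains (RFC 6797 section 8.2). Expired entries are dropped.
  isKnownHost(hostname) {
    const labels = hostname.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.entries.get(candidate);
      if (entry === undefined) continue;
      if (entry.expires <= this.now()) {
        this.entries.delete(candidate);
        continue;
      }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http:// URL before it is sent (RFC 6797 section 8.3): scheme becomes
  // https, an explicit :80 becomes :443, any other explicit port is preserved. The
  // WHATWG URL parser already drops a default :80, so changing the scheme alone
  // produces the right result for both the default-port and the :8091 case.
  rewrite(url) {
    const u = new URL(url);
    if (u.protocol !== 'http:' || !this.isKnownHost(u.hostname)) return u.href;
    u.protocol = 'https:';
    return u.href;
  }
}

// The thread's scenario: WebAdmin (assumed on port 4444, assumed to send HSTS) is
// opened on `webadminHost`; later a user is sent to the NTLM page on `ntlmHost`.
function scenario(webadminHost, ntlmHost) {
  const cache = new HstsCache();
  cache.observeResponse(`https://${webadminHost}:4444/webconsole/`, {
    'strict-transport-security': 'max-age=31536000',
  });
  return {
    ntlm: cache.rewrite(`http://${ntlmHost}:8091/ntlmauth.html?2bbc.co.uk/`),
    bbc: cache.rewrite('http://bbc.co.uk/'),
  };
}

// Same hostname for both: the NTLM request is upgraded to TLS on port 8091.
const sameHost = scenario('sxg.domain.local', 'sxg.domain.local');
console.log('same hostname :', sameHost.ntlm);   // https://sxg.domain.local:8091/...
// The workaround from the thread: a separate WebAdmin hostname keeps the entry off
// the NTLM hostname, so the request stays plain HTTP.
const splitHost = scenario('admin.domain.local', 'sxg.domain.local');
console.log('split hostname:', splitHost.ntlm);  // http://sxg.domain.local:8091/...
```

Two checks follow from the model. On an affected PC, chrome://net-internals/#hsts (edge://net-internals/#hsts in Edge) lets you query the NTLM hostname; a hit there, together with the plain-HTTP 401 on port 8091 seen in the capture, confirms the diagnosis, and the same page has a delete button for that one domain. When picking the alternative WebAdmin hostname, it must not be a subdomain of a name whose HSTS entry carries includeSubDomains, or the NTLM hostname is covered anyway.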
