
AD SSO Authentication and site-to-site VPN connection

Hello all,

We have a problem with one of our software applications.
We are using SFOS 19.5.0 GA-Build197.

The software needs to connect to a remote server which is only available via site-to-site VPN. The connection is configured and is working (green dot).
In the firewall log I see the VPN rule used for that connection.
Our customers have reported some problems with the software from time to time.
Either the login process fails or after a login, the software stops working with different error messages.
After some testing my conclusion is a problem with the authentication process between the firewall and the software.

If I understand AD SSO correctly, either NTLM or Kerberos is used to authenticate a user. After a few minutes (four to five?), a re-authentication is required by the firewall. Would STAS be an alternative to AD SSO?
Browsers are handling the request successfully, but our software only shows an error and you can't continue.
In Wireshark I see an HTTP packet with a "Temporary Redirect" or "See Other" message and a URL to port 8091/ntlmauth.html, and after that packet a Reset for the connection.
Port 8091 indicates that an AD SSO authentication is required.

I found that opening the browser or opening a URL in the browser helps to fix the problem temporarily, and the software can be used again.
Another way is to close the connection of the user in the "Current activities" and "Live users" tab. Then there is no user visible in the log and the software works fine. After a few minutes the problems occur again.
I guess the problem is the NTLM/Kerberos authentication which the firewall requires for the connection.

Is there a way to fix this problem? I already tried creating a new rule with web filter and adding the IP addresses of the servers to the web exceptions, but nothing has worked so far.
The IP addresses are added to our WPAD file as "direct", so the web proxy shouldn't handle the request.
Is it possible to deactivate the requirement for an authentication for a site-to-site VPN connection? Because after disconnecting the user in the "Live users" tab the connection works without any user authenticated.

Thank you and best regards

Stefan
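The symptom described in the post (a 307 "Temporary Redirect" or 303 "See Other" whose Location points at port 8091 and ntlmauth.html, followed by a reset) is easy to spot mechanically once you have the raw responses. The following script is an added example, not code from the thread or from Sophos: it parses raw HTTP/1.x responses, flags the ones that bounce a client to the AD SSO page, and counts them. The firewall address 192.0.2.1, the internal hostname app.example.internal and the sample responses are constructed for the example.

```python
"""Triage captured HTTP responses for the AD SSO redirect described in the post.

Added example (not from the thread). It parses raw HTTP/1.x responses and flags
a 3xx whose Location points at the firewall's port 8091 and /ntlmauth.html, the
pattern that tells you a non-browser client was bounced to the AD SSO page.
The firewall address 192.0.2.1 and the sample responses are constructed.
"""
from urllib.parse import urlsplit

SSO_PORT = 8091               # port named in the post for the AD SSO interstitial
SSO_PATH = "/ntlmauth.html"   # page the redirect in the post pointed at
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw: bytes):
    """Return (status, headers, body) for a raw HTTP/1.x response.

    Header names are lower-cased so lookups do not depend on the server's
    capitalisation. Only the status line and headers are interpreted.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)        # e.g. ["HTTP/1.1", "307", "Temporary Redirect"]
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("not an HTTP response status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def classify(raw: bytes) -> str:
    """Label one response: 'sso-redirect', 'other-redirect' or 'not-redirect'."""
    status, headers, _ = parse_response(raw)
    if status not in REDIRECT_CODES:
        return "not-redirect"
    target = urlsplit(headers.get("location", ""))
    if target.port == SSO_PORT and target.path.endswith(SSO_PATH):
        return "sso-redirect"
    return "other-redirect"


def triage(captures) -> dict:
    """Count how many captured responses fall in each class."""
    counts = {"sso-redirect": 0, "other-redirect": 0, "not-redirect": 0}
    for raw in captures:
        counts[classify(raw)] += 1
    return counts


# Constructed samples shaped like the responses the post describes.
SAMPLE_CAPTURES = [
    (b"HTTP/1.1 307 Temporary Redirect\r\n"
     b"Location: http://192.0.2.1:8091/ntlmauth.html?url=http://app.example.internal/api\r\n"
     b"Content-Length: 0\r\n\r\n"),
    (b"HTTP/1.1 303 See Other\r\n"
     b"Location: http://192.0.2.1:8091/ntlmauth.html\r\n"
     b"Content-Length: 0\r\n\r\n"),
    (b"HTTP/1.1 302 Found\r\n"
     b"Location: https://app.example.internal/login\r\n"
     b"Content-Length: 0\r\n\r\n"),
    (b"HTTP/1.1 200 OK\r\n"
     b"Content-Type: application/json\r\n"
     b"Content-Length: 2\r\n\r\n{}"),
]

if __name__ == "__main__":
    for raw in SAMPLE_CAPTURES:
        print(raw.split(b"\r\n", 1)[0].decode(), "->", classify(raw))
    print(triage(SAMPLE_CAPTURES))
```

A browser follows the redirect and completes the NTLM or Kerberos exchange on port 8091, which is why opening a browser "fixes" the application for a while; a client that cannot do that sees only the 3xx (or the reset that follows it) and fails. Feeding the responses from a capture through classify() separates those interstitial redirects from the application's own redirects, so you can tell whether the failures line up with the re-authentication interval the post mentions.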



  • AD SSO is something which is triggered by a web application. So if you have a firewall rule which is based on a user and you have "AD SSO" enabled on the zone, the firewall will try to authenticate the user via AD SSO (Kerberos/NTLM).

    If you do not need AD SSO, you can disable it by device access.

    If you disable user authentication in the firewall rule, there should be no redirect, unless the client does not use WPAD.


  • Hello LuCar Toni,

    thanks for your response.

    For VPN zone AD SSO is deactivated. For testing I activated it but it didn't change the behavior.

    In the Site-to-site VPN menu the user authentication mode is set to "None".

    The firewall rule is in the group "Automatic VPN Rules". I can't find an option to disable user authentication in the firewall rule. Or is this the "Match known users" and "Use web authentication for unknown users" checkboxes? In the rule, "Match known users" isn't checked.

    In the log viewer, when the VPN firewall rule is used, there is still the user listed who was authenticated by the browser before.

  • Can you remove the WPAD and check again? 


  • I changed the proxy settings to "no proxy" on my test client. Opening a browser opens a window for NTLM authentication (which is OK).

    After a few tests, it can happen that even without proxy my user gets authenticated and I run into the same problem.

    In addition, instead of the user the computer name gets authenticated, which is another problem we sometimes have: the browser won't authenticate the user correctly and all websites are blocked by Sophos.

    After a few minutes, the same problem occurs.

    Same error message with "Temporary Redirect" in Wireshark.

    The same workaround can be used. Disconnect the computer name in Live users and the connection works again.