SATC - Mostly Not Working

Hello All,

My implementation of SATC is not working and I've run to the limit of my ability to diagnose the problem.

Any help in diagnosing this to a resolution would be appreciated!

Here's what data I have to offer.

Environment:

     Terminal Server: MS Server 2012R2

     SATC version: 2.0.6.0

     Firewall: XG virtual machine (VMware): SFOS 16.01.2

The logs copied below reflect the following scenario:

1) SATC Start - 10:28:41

2) SATC sends a UDP packet on port 6060 to the firewall

- tcpdump on the firewall shows the firewall receiving the packet

3) A user logs into this TS at 10:29:10

4) The user logs out of this TS at 10:31:40

5) SATC Stop - 10:33:14

******Logging Events Log File*******
MSG [0x17d8] 2017-01-31 10:28:41 : --------------------------------------------------------------------
MSG [0x17d8] 2017-01-31 10:28:41 : -------------------------- Logging Events --------------------------
MSG [0x17d8] 2017-01-31 10:28:41 : --------------------------------------------------------------------
 
******SatcSvr Log File*******
MSG [0x17d8] 2017-01-31 10:28:41 : ------------BEGINING------------------------------------------
MSG [0x17d8] 2017-01-31 10:28:41 : --------------------------------------------------------------------
MSG [0x17d8] 2017-01-31 10:28:41 : ----------- Sophos AUTHENTICED THIN CLIENT -----------------------
MSG [0x17d8] 2017-01-31 10:28:41 : --------------------------------------------------------------------
MSG [0x17d8] 2017-01-31 10:28:41 : --------------------------------------------------------------------
MSG [0x17d8] 2017-01-31 10:28:41 : -------------------------- Logging Events --------------------------
MSG [0x17d8] 2017-01-31 10:28:41 : --------------------------------------------------------------------
ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #1
ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #2
ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #3
ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #4
DEBUG [0x17d8] 2017-01-31 10:28:41 : Ini file path: C:\\Program Files\\Sophos\\Sophos Authenticated Thin Client\\SATC.ini
ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #5
DEBUG [0x17d8] 2017-01-31 10:28:41 :  SophosPort:6060
DEBUG [0x17d8] 2017-01-31 10:28:41 :  Log File Size:25 MB(s)
ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #6
DEBUG [0x17d8] 2017-01-31 10:28:41 :  SophosIP:10.1.254.245
ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #7
DEBUG [0x17d8] 2017-01-31 10:28:41 :  TimeInterval:180 sec
ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #8
DEBUG [0x17d8] 2017-01-31 10:28:41 :  MaxUsers:8100
ERROR [0x17d8] 2017-01-31 10:28:41 : PLACE #9
DEBUG [0x17d8] 2017-01-31 10:28:41 : SATCService Name Ini file path: C:\\Program Files\\Sophos\\Sophos Authenticated Thin Client\\SATCName.ini
DEBUG [0x17d8] 2017-01-31 10:28:41 : Sending flush to CR.
DEBUG [0x17d8] 2017-01-31 10:28:41 : UDP Packet sent to Sophos. Bytes Sent: 1
DEBUG [0x1b80] 2017-01-31 10:31:41 : Enumerating Windows Session
DEBUG [0x1b80] 2017-01-31 10:31:41 : GetSessionData::THRDB[sessionID]=TRUE for 1
DEBUG [0x1b80] 2017-01-31 10:31:41 : GetSessionData::THRDB[sessionID]=TRUE for 2
DEBUG [0x1b80] 2017-01-31 10:31:41 : GetSessionData::THRDB[sessionID]=TRUE for 4
DEBUG [0x1b80] 2017-01-31 10:31:41 : GetSessionData::THRDB[sessionID]=TRUE for 10
DEBUG [0x1b80] 2017-01-31 10:31:41 : Checking for Sending LogOff
DEBUG [0x1b80] 2017-01-31 10:31:41 : Max Session ID: 0
ERROR [0x17d8] 2017-01-31 10:33:14 : Error: Not overlapped i/o or server stop signaled!
DEBUG [0x17d8] 2017-01-31 10:33:14 : At Cleanup: Clearing memory and closing pipe
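The SatcSvr log above follows a fixed `LEVEL [thread] date time : message` layout, so it can be parsed and checked mechanically rather than read by eye. The script below is an added example (my code, not Sophos's and not from this thread): it pulls the SATC.ini values the service logs at start-up, finds the "Enumerating Windows Session" polls, and compares them against the scenario timestamps from the post. The log lines embedded in it are copied from the post (banner and "PLACE #n" lines omitted); the logon/logoff times are the ones given in steps 3 and 4. Run against these lines it shows that the first poll ran 180 s after start, exactly the logged TimeInterval, and at 10:31:41, one second after the user logged off at 10:31:40, so the whole test session fell between two polls. That is an observation about the test window, not an explanation of the fault that Sophos later reproduced.

```python
import re
from datetime import datetime

# Lines copied from the SatcSvr log in the post (banner and "PLACE #n" lines omitted).
SATC_LOG = """\
DEBUG [0x17d8] 2017-01-31 10:28:41 :  SophosPort:6060
DEBUG [0x17d8] 2017-01-31 10:28:41 :  Log File Size:25 MB(s)
DEBUG [0x17d8] 2017-01-31 10:28:41 :  SophosIP:10.1.254.245
DEBUG [0x17d8] 2017-01-31 10:28:41 :  TimeInterval:180 sec
DEBUG [0x17d8] 2017-01-31 10:28:41 :  MaxUsers:8100
DEBUG [0x17d8] 2017-01-31 10:28:41 : Sending flush to CR.
DEBUG [0x17d8] 2017-01-31 10:28:41 : UDP Packet sent to Sophos. Bytes Sent: 1
DEBUG [0x1b80] 2017-01-31 10:31:41 : Enumerating Windows Session
DEBUG [0x1b80] 2017-01-31 10:31:41 : GetSessionData::THRDB[sessionID]=TRUE for 1
DEBUG [0x1b80] 2017-01-31 10:31:41 : GetSessionData::THRDB[sessionID]=TRUE for 2
DEBUG [0x1b80] 2017-01-31 10:31:41 : GetSessionData::THRDB[sessionID]=TRUE for 4
DEBUG [0x1b80] 2017-01-31 10:31:41 : GetSessionData::THRDB[sessionID]=TRUE for 10
DEBUG [0x1b80] 2017-01-31 10:31:41 : Checking for Sending LogOff
DEBUG [0x1b80] 2017-01-31 10:31:41 : Max Session ID: 0
ERROR [0x17d8] 2017-01-31 10:33:14 : Error: Not overlapped i/o or server stop signaled!
DEBUG [0x17d8] 2017-01-31 10:33:14 : At Cleanup: Clearing memory and closing pipe
"""

# The user's RDP session from the scenario in the post (steps 3 and 4).
USER_LOGON = datetime(2017, 1, 31, 10, 29, 10)
USER_LOGOFF = datetime(2017, 1, 31, 10, 31, 40)

LINE_RE = re.compile(
    r"^(?P<level>[A-Z]+) \[(?P<thread>0x[0-9a-f]+)\] "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) : ?(?P<msg>.*)$"
)


def parse_log(text):
    """Turn SatcSvr log lines into dicts; lines not in the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "level": m.group("level"),
            "thread": m.group("thread"),
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "msg": m.group("msg").strip(),
        })
    return entries


def config_from_log(entries):
    """Collect the 'Key:value' lines the service echoes from SATC.ini at start-up."""
    cfg = {}
    for e in entries:
        for key in ("SophosPort", "SophosIP", "TimeInterval", "MaxUsers"):
            if e["msg"].startswith(key + ":"):
                cfg[key] = e["msg"].split(":", 1)[1].strip()
    if "TimeInterval" in cfg:          # logged as '180 sec'; keep integer seconds
        cfg["TimeInterval"] = int(cfg["TimeInterval"].split()[0])
    for key in ("SophosPort", "MaxUsers"):
        if key in cfg:
            cfg[key] = int(cfg[key])
    return cfg


def poll_times(entries):
    return [e["ts"] for e in entries if e["msg"] == "Enumerating Windows Session"]


def sessions_seen(entries):
    ids = []
    for e in entries:
        m = re.search(r"THRDB\[sessionID\]=TRUE for (\d+)$", e["msg"])
        if m:
            ids.append(int(m.group(1)))
    return ids


def first_int(entries, pattern):
    for e in entries:
        m = re.search(pattern, e["msg"])
        if m:
            return int(m.group(1))
    return None


def analyse(text, logon, logoff):
    entries = parse_log(text)
    cfg = config_from_log(entries)
    start, stop = entries[0]["ts"], entries[-1]["ts"]
    polls = poll_times(entries)
    first_delta = int((polls[0] - start).total_seconds()) if polls else None
    return {
        "config": cfg,
        "run_seconds": int((stop - start).total_seconds()),
        "polls": polls,
        "first_poll_after_s": first_delta,
        "poll_matches_interval": first_delta == cfg.get("TimeInterval"),
        # Was the service polling at any moment while the test user was logged on?
        "poll_during_user_session": any(logon <= p <= logoff for p in polls),
        "sessions": sessions_seen(entries),
        "max_session_id": first_int(entries, r"^Max Session ID: (\d+)"),
        "udp_bytes_sent": first_int(entries, r"Bytes Sent: (\d+)"),
        "errors": [e["msg"] for e in entries if e["level"] == "ERROR"],
    }


if __name__ == "__main__":
    for k, v in analyse(SATC_LOG, USER_LOGON, USER_LOGOFF).items():
        print(f"{k}: {v}")
```

When reading a longer capture, the useful checks are the same: the gap between consecutive polls should equal TimeInterval, and a logon/logoff window shorter than one interval can never be seen by a poll, so a test session should span at least two polls before concluding that the agent is blind.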


  • Hello Gary,

    I had exactly the same problem, and "the problem" is that you are using Windows Server 2012 R2. This version of Windows Server uses the Kerberos protocol as its basic form of authentication. All previous versions of Windows Server used the NTLM protocol as the basic form of authentication.

    The fix for this problem is very simple, please see this link https://community.sophos.com/products/xg-firewall/f/authentication/83357/stas-problem-with-user-authentication-on-xg-v16 . I added my comment with the screenshot from the Group Policy Management Editor. This configuration for Kerberos protocol auditing solved these problems.

    Do this configuration, and it solves the problem.

    alda

     

    P.S. Please write here if this configuration really helped you. I asked Sophos to add this configuration to the KB, but so far they have not added it!

  • Hi Alda,

    Thanks for the response and the suggestion.


    Before I start making further changes to the security GPOs on my domain, can you confirm that the problem you were having was with SATC rather than STAS?

    Part of what is described in the link you mentioned was done when STAS was configured. Specifically, within the Default Domain Controllers Policy. However, that particular policy remains unconfigured for the Default Domain Policy. My STAS implementation is working just fine.

    Since the SATC is installed on a non-production Terminal Services server, I edited the local policy such that Logon/Logoff Audit for Success/Failure are now configured. It made no difference to my problem.

     

    Gary

  • Hello Gary,

    the configuration for the Kerberos protocol (or Advanced Audit Policy Configuration, as Microsoft calls it) that I did (and that I still use in our MS Active Directory domain) is important for STAS, but for SATC too. If you have at least one Windows Server 2012 R2 or Windows Server 2016 in your MS Active Directory domain, you have to configure the Advanced Audit Policy Configuration (or Kerberos protocol auditing).

    STAS is needed for authorization of all users who work directly on any desktop or notebook, directly at their console. But for any other users connected to an MS Terminal Server, or any users connected by the RDS protocol to any desktop, you have to use the SATC authentication agent. Which is, according to your description and configuration, your case too, I think.

    In the online manual for XG Single Sign-On clients you can read:

    Sophos Authentication for Thin Client (SATC) - Enables transparent authentication for users in Citrix or Terminal Services Environment whereby network credentials can be used to authenticate and the user has to login only once to access network resources.

    By this is meant a Windows Terminal Server or any connection to any desktop by the RDS protocol. And, of course, you have to install the Sophos Authentication For Thin Client (SATC) from the XG Single Sign-On menu into any Terminal Server client environment (or any desktop with RDS access).

    What is also equally important is the activation of this configuration by the command "gpupdate /force" on all domain controllers.

     

    alda

  • Hi Alda,

    Thanks for all your efforts. However, this hasn't changed the behavior of SATC in any way.

    I've made the changes as suggested to the relevant GPOs on both of my DCs. Did 'gpupdate /force' on both DCs plus on the TS that I'm working on. I've even rebooted the TS just to be sure.

    The only thing I haven't done is to uninstall SATC then reinstall it. I'll try that later today.

     

     

  • I've uninstalled then re-installed SATC.

    No change to behavior. SATC is not able to enumerate logon/logoff incidents. If the logs are to be believed, it never sees a logon or logoff.

  • For those of you interested in this "problem" that I have described, there is not yet a resolution.

    It's been established by Sophos Support that it is legitimate and the issue has been replicated by the support organization. It is now in the hands of the software developers to come up with a solution.

    I'll post further information concerning this as I get it.

    Regards,

    Gary

  • Hello.

    A customer has had this exact same problem on one of his servers; however, on another server it was working. We then noticed that on the server that was working, he still had an older version of the thin client agent, CATC 2.0.5.4, installed before he did the upgrade from his Cyberoam firewall to the Sophos XG.

    We then completely uninstalled SATC 2.6 from the server with problems and downloaded the older client from the Cyberoam page:

    https://www.cyberoam.com/cyberoamclients.html

    (select "Thin Client", and when uninstalling SATC ensure that there aren't any leftovers inside the Sophos folder in the Program Files folder)

    It started detecting the logon and logoff events correctly then. This was on Windows 2012 R2 Server, by the way.

    To finish off, it was also necessary to:

    1) On the Domain Controller where STAS is installed, add an IP exception to any terminal server (where you install SATC/CATC) for logon and logoff events

    2) Disable UAC on the terminal servers that have SATC/CATC, and to REALLY do it on Windows Server 2012 or newer, you have to edit the registry as stated in:

    social.technet.microsoft.com/.../13953.windows-server-2012-deactivating-uac.aspx

    Quoting:

    "The same approach is still available in Windows Server 2012, though UAC is still active after you selected "Never notify".

    You have the option to turn off UAC via registry by changing the DWORD "EnableLUA" from 1 to 0 in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system".

    You will get a notification that a reboot is required. After the reboot, UAC is disabled."

     

    So I would like to suggest Sophos:

    1) To use this information to try to solve the problem in a newer version of SATC (comparing CATC 2.5 with SATC 2.6)

    2) To update the knowledge base in https://community.sophos.com/kb/en-us/125218 with the updated steps to disable UAC on Windows 2012 and newer

    3) To fix the screenshot links on https://community.sophos.com/kb/en-us/125218 since they are all broken

     

    To sum up:

    1) SATC 2.6 doesn't work (at least on Windows 2012 R2) but CATC 2.5 works (with Sophos XG, fully updated)

    2) You need to properly disable UAC on the terminal server(s)

    3) You need to place the proper exceptions for the terminal server(s) on STAS

     

    I hope this helps.
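The UAC step quoted above, and the question that runs through this thread (does the terminal server even record the RDP logon?), can both be checked from PowerShell on the terminal server itself. The script below is an added example, my code and not from the post, the TechNet article or Sophos. Assumptions: it runs in an elevated PowerShell saved as a .ps1 on the terminal server; the SATC Windows service name is not given anywhere in the thread, so it is matched by wildcard; the event property indexes used for 4624 (LogonType at 8, IpAddress at 18) are the standard Security-log layout. Without -Apply it only reports; with -Apply it makes the registry change Rodrigo quotes. One caveat a practitioner should weigh first: EnableLUA=0 switches UAC off for every account on that host, so administrators get full, unfiltered tokens in every process, not just the SATC service.

```powershell
# Added example (not from the post, the TechNet article or Sophos).
# Save as Check-SatcHost.ps1 and run elevated on the terminal server.
param([switch]$Apply)   # report only unless -Apply is given

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1) UAC. "Never notify" in the Control Panel leaves EnableLUA=1 on Server 2012+;
#    only EnableLUA=0 turns UAC off, and a reboot is required before it takes effect.
$enableLua = (Get-ItemProperty -Path $key -Name EnableLUA).EnableLUA
$state = if ($enableLua -eq 0) { 'UAC off' } else { 'UAC on' }
Write-Host "EnableLUA = $enableLua ($state)"
if ($Apply -and $enableLua -ne 0) {
    # Caveat: this removes admin token filtering for every account on this host.
    Set-ItemProperty -Path $key -Name EnableLUA -Value 0 -Type DWord
    Write-Host 'EnableLUA set to 0; reboot required before it is effective.'
}

# 2) Audit policy actually in force (what the GPO changes earlier in the thread
#    should have produced on this host).
auditpol /get /category:"Logon/Logoff"

# 3) Did the host record the RDP logon at all? Event 4624 with LogonType 10 is
#    RemoteInteractive; 4634 and 4647 are the logoff side. Property indexes are the
#    standard 4624 layout (assumption stated in the lead-in).
$since = (Get-Date).AddHours(-1)
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $since }
$rdpLogons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
            Source = $_.Properties[18].Value   # IP address of the RDP client
        }
    }
if ($rdpLogons) { $rdpLogons | Format-Table -AutoSize }
else { Write-Host "No RemoteInteractive (type 10) logons recorded since $since" }

$logoffs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4634, 4647; StartTime = $since } -ErrorAction SilentlyContinue
Write-Host "Logoff events (4634/4647) since ${since}: $(@($logoffs).Count)"

# 4) The agent service (name matched by wildcard; not given in the thread) and the
#    SATC.ini path the SatcSvr log prints at start-up.
Get-Service | Where-Object { $_.Name -like '*SATC*' -or $_.DisplayName -like '*Thin Client*' } |
    Format-Table Name, DisplayName, Status -AutoSize
$ini = 'C:\Program Files\Sophos\Sophos Authenticated Thin Client\SATC.ini'
if (Test-Path $ini) { Get-Content $ini } else { Write-Host "SATC.ini not found at $ini" }
```

If step 3 shows the type-10 logon and the matching logoff but the SatcSvr log still shows no event for the same window, the host side of the chain is fine and the problem sits in the agent, which is consistent with Sophos Support reproducing the issue against SATC 2.0.6.0.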

  • Hello Rodrigo,

    I will try this later today. I have no doubt that it will work.
    I will report back to this forum once I've undertaken the install of CATC 2.5.

    Thanks!

    Regards,

    Gary

  • Hi Rodrigo,

     

    This works exactly as it should.

    Thanks for the very detailed solution and your efforts in communicating it so clearly!

     

    Once Sophos Devs manage to repair SATC and close my support case,  I'll post back to this thread and let everyone know.

     

    Regards,

     

    Gary Gunderson