
User failed to login to firewall for one user

I have a perplexing issue. I have STAS set up and working, and all users are logged into the XG 210 firewall by STAS, except for one. If I delete him from the "users" table, the next time he logs in it works. But after he logs out and attempts to log back in, I always get the same error: "User username@domain.com failed to login to Firewall through AD authentication mechanism from 10.1.20.11 because of Login failed."

He shows up within the "live users" on the STAS collector fine. Literally every other user I have in the same AD infrastructure can log in fine. Unfortunately the log isn't very helpful; it just tells me it failed but not why it failed.


Any ideas?



This thread was automatically locked due to age.
  • Hey Luk,

    The user is in the same OU as all the others and in the same group. When the XG imports him it does place him in the correct group on the firewall as well. I'm really stumped.

  • Thanks Bill.

    Anything useful from AD Security events?

    Anything useful from /var/tslog/access_server.log ?

    Thanks

  • Potentially something in the access_server.log:


    XG210_WP02_SFOS 16.05.3 MR-3# tail -f /var/tslog/access_server.log
    ERROR     May 03 13:40:22 [4131375936]: config_resolve_bwid: BW Policy 0 not found
    ERROR     May 03 13:40:22 [4140821312]: sqlite_db_exec_query_with_res: query failed: 1, 'near "Annecy": syntax error'
    ERROR     May 03 13:40:22 [4140821312]: sqlite_db_handle_request: query execution failed
    ERROR     May 03 13:40:22 [4144871232]: handle_liveuser_insert: SQLITE_REQ_INSERT_LIVEUSER query failed

    The user originally had an ' in his username, which I suspected was causing the problem, so I removed it, but it seems like it is still seeing it? The ' is no longer showing up in the STAS live users.

  • Hi Bill, 

    This issue is identified as a bug and will be resolved in 16.05 MR5. Bug ID: NC-14462.

  • Thanks for confirming. I was able to resolve it by also removing the ' (apostrophe) from their displayName LDAP attribute as well. Obviously it should be able to handle it, but this will work around it for now. Thanks.
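The access_server.log lines above show the real cause of the "Login failed" message: the live-user insert is built by splicing the AD attributes straight into the SQL text, so an apostrophe in the displayName ends the string literal early and SQLite reports a syntax error on the next word. The following is an added example (not Sophos code, and not a reproduction of how SFOS builds its query) that shows the failure mode against an in-memory SQLite table and the parameterised insert that handles the same value correctly. The table name, column names and sample records are constructed for the demonstration; the display name is chosen so the error text matches the token seen in the log.

```python
import sqlite3

# Constructed sample records, not real accounts. The second display name
# carries an apostrophe so the broken insert fails the way the forum log shows.
SAMPLE_USERS = [
    ("jsmith", "John Smith", "10.1.20.10"),
    ("bdannecy", "Bill D'Annecy", "10.1.20.11"),
]

# Hypothetical live-user table; SFOS's real schema is not on the page.
SCHEMA = """
CREATE TABLE live_users (
    username    TEXT NOT NULL,
    displayname TEXT NOT NULL,
    ip          TEXT NOT NULL
)
"""


def open_db():
    """Fresh in-memory database with the live_users table created."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_liveuser_concat(conn, username, displayname, ip):
    """The broken pattern: the attribute values are formatted into the SQL text.
    A quote inside any value terminates the literal early and the parse fails
    (and a crafted value could change the statement entirely)."""
    sql = ("INSERT INTO live_users (username, displayname, ip) "
           "VALUES ('%s', '%s', '%s')" % (username, displayname, ip))
    conn.execute(sql)
    conn.commit()


def insert_liveuser_param(conn, username, displayname, ip):
    """The fix: bound parameters. Values never touch the SQL text, so quotes
    in a username or displayName are stored as data."""
    conn.execute(
        "INSERT INTO live_users (username, displayname, ip) VALUES (?, ?, ?)",
        (username, displayname, ip),
    )
    conn.commit()


def try_insert(insert_fn, conn, record):
    """Return (ok, error_text) so both strategies can be compared side by side."""
    try:
        insert_fn(conn, *record)
        return True, ""
    except sqlite3.OperationalError as exc:
        return False, str(exc)


def run_demo():
    """Insert every sample user with both strategies into separate databases.
    Returns {username: {"concat": (ok, err), "param": (ok, err)}}."""
    results = {}
    for record in SAMPLE_USERS:
        results[record[0]] = {
            "concat": try_insert(insert_liveuser_concat, open_db(), record),
            "param": try_insert(insert_liveuser_param, open_db(), record),
        }
    return results


def stored_displayname(username):
    """Insert all samples with the parameterised path and read one back,
    proving the apostrophe survives the round trip unchanged."""
    conn = open_db()
    for record in SAMPLE_USERS:
        insert_liveuser_param(conn, *record)
    row = conn.execute(
        "SELECT displayname FROM live_users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for user, outcome in run_demo().items():
        print(user, "concat:", outcome["concat"], "param:", outcome["param"])
    print("stored:", stored_displayname("bdannecy"))
```

Running it, the concatenated insert for the apostrophe user raises `near "Annecy": syntax error`, the same shape of message as the `sqlite_db_exec_query_with_res` line in the log, while the parameterised insert succeeds and returns the display name with the apostrophe intact. The workaround in the thread (stripping the apostrophe from displayName) removes the trigger; the parameterised statement removes the bug, and also closes the injection path that the same concatenation opens to anyone who can set their own AD display name.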