AD-SSO domain join not working

Hi guys,

I tried to connect my Sophos UTM 9 with our DC, so that I can use SSO with the standard proxy feature.

Sadly, Sophos tells me all the time that the domain join is not working. That's why I searched the discussions and the Knowledgebase and found some tips, but nothing worked for me.

Quite odd is that the Sophos UTM shows up in the Computers section of the DC, but the SSO feature is still not working.

I checked the system times of both systems (using the same NTP server), time zones, the hostname is an FQDN, the UTM is registered in DNS and the DNS forwarder is set up as described in DNS Best Practice (https://www.sophos.com/de-de/support/knowledgebase/120283.aspx).

We're using 6 DCs in our domain. The main DC is running W2K12, but there is also a DC running W2K8R2. I saw the workaround (https://www.sophos.com/de-de/support/knowledgebase/121344.aspx), but it's not so easy to reboot the system.

My questions:

  • Why is the SSO / domain join not working, although the UTM shows up in the DC's Computers section?
  • Which DC is used by the UTM for joining the domain?
  • If the problem is caused by W2K12 and SMB, is there any chance to use the W2K8R2 server instead (this server is set up under DNS request routes in the UTM)?
  • Any other ideas that I might have missed?

Thanks for your support.



  • Hi, Sebastian, and welcome to the UTM Community!

    That DNS Best Practice article was lifted from a post I maintain over a year ago, so I don't know if the person that's taking care of the KB article has integrated the changes made to my post - DNS Best Practice.  You might want to compare your current setup to that.

    If you've also followed #1 in Rulz, then I don't think you have a problem you can solve in WebAdmin although changing the AD Server configured on the 'Server' tab to the W2K8 server and changing your Request Route to the same might work.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA

  • As mentioned, follow DNS best practice, ensuring you can resolve your domain name to the DC server. Also ensure your UTM has an FQDN and is resolvable by the DC server itself.

  • Since I opened this topic I did some updates and tried it some more times. Sadly, none of your tips worked for me. DNS settings are as you described in your best practice, the DNS Request Routing server is the Win2k8 server on which the domain join should work without any problem.

    Searching my logfiles I found an entry in "configuration daemon" which is as follows: "Failed to join domain: failed to set machine spn: Operations error"

    All solutions I found were about DNS settings, and I'm quite sure they are OK.

    Any ideas?

  • I had this issue.

    The only way I could get it to work was to set my DNS forwarders on the UTM to my local DNS server.

    Then the UTM joined the Domain with no issues.

  • Hi Sebastian,

    I suggest you add a static entry for the UTM's hostname in AD.

    Thanks

    Sachin Gurung

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • @Alex:

    I tried that, but it did not work. Right now I use the setup as described in the DNS Best Practice (Availability Group with DNS servers).

    @Sachin Gurung:

    What exactly is the point of this? As described in my original post, the UTM shows up in AD (the object is created) but SSO is still not working. I don't think it will work if I add it manually in AD, or will it?

  • Hi, Alex, and welcome to the UTM Community!

    If you had gone to my DNS Best Practice link above, section 4 would have given you the same result.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA

  • Hi,

    I came up against the same issue for one of our clients and, after scratching my head for an hour, I found out that, though I had synchronized the time with NTP, the sync didn't take place right away and the time on the UTM was still different from that of the NTP server, or the so-called Active Directory domain controller. I had to manually change the time on the UTM master and reboot the device. It worked like a charm.

    (Also, I had removed the existing computer name for this UTM from the Active Directory domain.)
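A pre-flight script that pulls together the checks this thread keeps coming back to: Alex's two DNS points (the domain must resolve to a DC, and the UTM's FQDN must be resolvable by the DC) and the NTP/clock problem in the last reply. It also addresses Sebastian's "which DC does the join use" question: a standard DC-locator lookup of the `_ldap._tcp.dc._msdcs.<domain>` SRV record returns every advertised DC, and the client picks one by priority and weight, so the DC doing the join is not necessarily the one configured as the DNS request route. Clock skew is checked against Kerberos' default tolerance of 5 minutes. This is an added example, not code from the thread or from Sophos; `corp.example`, the host names and the 192.0.2.x addresses are constructed placeholders, and the live `DigResolver` assumes `dig` is installed.

```python
"""Pre-flight checks for an AD domain join: DC discovery via SRV records, forward/reverse
resolution of the joining host's FQDN, and clock skew against the DC."""
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

KERBEROS_MAX_SKEW_SECONDS = 300  # default Kerberos clock-skew tolerance (AD and MIT krb5)

@dataclass
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str

@dataclass
class CheckResult:
    name: str
    ok: bool
    detail: str

class StaticResolver:
    """Offline resolver over hand-built records; used for the dry run at the bottom."""
    def __init__(self, srv: Dict[str, List[SrvRecord]], a: Dict[str, str], ptr: Dict[str, str]):
        self._srv, self._a, self._ptr = srv, a, ptr
    def srv(self, name: str) -> List[SrvRecord]:
        return list(self._srv.get(name.lower(), []))
    def a(self, name: str) -> Optional[str]:
        return self._a.get(name.lower())
    def ptr(self, ip: str) -> Optional[str]:
        return self._ptr.get(ip)

class DigResolver:
    """Live resolver that shells out to `dig +short` (assumes dig is on the PATH)."""
    def _short(self, *args: str) -> List[str]:
        out = subprocess.run(["dig", "+short", *args], capture_output=True, text=True, check=False).stdout
        return [line.strip() for line in out.splitlines() if line.strip()]
    def srv(self, name: str) -> List[SrvRecord]:
        recs = []
        for line in self._short(name, "SRV"):  # dig prints "priority weight port target."
            prio, weight, port, target = line.split()
            recs.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
        return recs
    def a(self, name: str) -> Optional[str]:
        addrs = self._short(name, "A")
        return addrs[0] if addrs else None
    def ptr(self, ip: str) -> Optional[str]:
        names = self._short("-x", ip)
        return names[0].rstrip(".") if names else None

def discover_dcs(resolver, domain: str) -> List[SrvRecord]:
    """DCs in the order the locator prefers them: lowest priority, then highest weight.
    Clients choose randomly among equal priorities in proportion to weight, so any
    of the top-priority entries may be the one that performs the join."""
    recs = resolver.srv(f"_ldap._tcp.dc._msdcs.{domain}")
    return sorted(recs, key=lambda r: (r.priority, -r.weight))

def check_fqdn(resolver, fqdn: str) -> CheckResult:
    """The joining host must resolve forward, and its address must resolve back to the same name."""
    ip = resolver.a(fqdn)
    if ip is None:
        return CheckResult("fqdn-forward", False, f"{fqdn} has no A record")
    back = resolver.ptr(ip)
    if back is None or back.lower().rstrip(".") != fqdn.lower().rstrip("."):
        return CheckResult("fqdn-reverse", False, f"{ip} resolves back to {back!r}, expected {fqdn}")
    return CheckResult("fqdn", True, f"{fqdn} <-> {ip} (forward and reverse agree)")

def check_clock_skew(local_epoch: float, dc_epoch: float) -> CheckResult:
    skew = abs(local_epoch - dc_epoch)
    return CheckResult("clock-skew", skew <= KERBEROS_MAX_SKEW_SECONDS,
                       f"skew {skew:.0f}s (limit {KERBEROS_MAX_SKEW_SECONDS}s)")

def preflight(resolver, domain: str, fqdn: str, local_epoch: float, dc_epoch: float) -> Tuple[bool, List[CheckResult]]:
    results = [check_fqdn(resolver, fqdn), check_clock_skew(local_epoch, dc_epoch)]
    dcs = discover_dcs(resolver, domain)
    results.append(CheckResult("dc-srv", bool(dcs), ", ".join(d.target for d in dcs) or "no SRV records"))
    return all(r.ok for r in results), results

# Constructed sample zone: placeholder names and RFC 5737 addresses, not a real domain.
SAMPLE_DOMAIN = "corp.example"
SAMPLE_SRV = {f"_ldap._tcp.dc._msdcs.{SAMPLE_DOMAIN}": [
    SrvRecord(0, 100, 389, f"dc1.{SAMPLE_DOMAIN}"),
    SrvRecord(10, 100, 389, f"dc-legacy.{SAMPLE_DOMAIN}"),  # priority raised by the admin in this sample
    SrvRecord(0, 50, 389, f"dc2.{SAMPLE_DOMAIN}"),
]}
SAMPLE_A = {f"utm.{SAMPLE_DOMAIN}": "192.0.2.10", f"utm-orphan.{SAMPLE_DOMAIN}": "192.0.2.11"}
SAMPLE_PTR = {"192.0.2.10": f"UTM.{SAMPLE_DOMAIN}."}  # 192.0.2.11 deliberately has no PTR record

if __name__ == "__main__":
    ok, results = preflight(StaticResolver(SAMPLE_SRV, SAMPLE_A, SAMPLE_PTR),
                            SAMPLE_DOMAIN, f"utm.{SAMPLE_DOMAIN}", 1000.0, 1100.0)
    for r in results:
        print(f"[{'OK' if r.ok else 'FAIL'}] {r.name}: {r.detail}")
    print("ready to join" if ok else "fix the failures before joining")
```

Swap `StaticResolver` for `DigResolver()` and pass `time.time()` plus the DC's time (for example from an NTP or LDAP `currentTime` query) to run it against a real zone. The reverse-lookup comparison normalises case and the trailing dot, since a PTR that differs only in those ways is still a correct answer, whereas a missing PTR, as for the `utm-orphan` host in the sample, is the kind of mismatch a DC or Kerberos library trips over.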
