Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 11 replies
  • Answers 1 answer
  • Subscribers 6 subscribers
  • Views 19157 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSO is completely broken after much testing

ZP.

Hi there

 

We have a case open with sophos support about this also @ #7525784

 

 

After 100's of hours of trying to get SSO working, we believe there is a major problem with the STAS Collector as once users are authenticated - users are then quickly getting removed from the Firewall after a short period of time - say 5 to 10 minutes and therefore are unable to pass traffic through the Firewall.

 

Even with Logoff detection disabled, users are still being dropped, and inside the logs from the STAS Collector, it still shows it trying to find an disable users as below.

I have disabled Log Off detection on the STAS collector, and I have set the dead time at 9 hours - however users get logged off after about 5 minutes. Throughout the logs, the below keeps repeating ; it always checks for expired users and then removes them from the Firewall. Inside the firewall, the users are removed from the tab  Definitions & Users > Client Authentication > GLobal  , and they are blocked at the firewall from passing traffic.

 

 

This issue seems to be well documented throughout these forums .. I would like to know from Sophos what is the solution to this, as I believe the issue is inside the STAS collector - being that by disabled the Log Off detection does not work, and the STAS Collector continues to find and remove users from the Firewall after a period of time.  If this issue was fixed, it would work near perfectly.

 

 

 

 

DEBUG [0x23e4] 9/3/2017 11:22:15 : dca_eventlog: waiting for event log notification
DEBUG [0xea0] 9/3/2017 11:22:16 : dead_entry_timeout_workerthread: Checking for expired users...
DEBUG [0xea0] 9/3/2017 11:22:16 : dead_entry_findExpiredUsers: Username admin.rmorgan+10.200.14.206, CurrentTime 131489113369800000, Stored Time 131489425187143679
DEBUG [0xea0] 9/3/2017 11:22:16 : dead_entry_findExpiredUsers: Username admin.zpole+10.150.100.108, CurrentTime 131489113369800000, Stored Time 131489432936850000
DEBUG [0xea0] 9/3/2017 11:22:16 : dead_entry_findExpiredUsers: Username Administrator+10.150.100.178, CurrentTime 131489113369800000, Stored Time 131489418888420000
DEBUG [0xea0] 9/3/2017 11:22:16 : dead_entry_findExpiredUsers: Username Administrator+10.150.200.57, CurrentTime 131489113369800000, Stored Time 0
DEBUG [0xea0] 9/3/2017 11:22:16 : dead_entry_findExpiredUsers: Username MSwain+10.200.14.207, CurrentTime 131489113369800000, Stored Time 131489316003410000
DEBUG [0xea0] 9/3/2017 11:22:16 : dead_entry_findExpiredUsers: Username SophosSAUZPG-DOC-aaa+10.200.14.111, CurrentTime 131489113369800000, Stored Time 131489427987790000
DEBUG [0xea0] 9/3/2017 11:22:16 : dead_entry_findExpiredUsers: Username zpole+10.200.14.147, CurrentTime 131489113369800000, Stored Time 0
DEBUG [0xea0] 9/3/2017 11:22:16 : dead_entry_findExpiredUsers: 2 expired users found...
DEBUG [0xea0] 9/3/2017 11:22:16 : dead_entry_timeout_workerthread: DeadEntry time expired for the user Administrator Workstation IP 10.150.200.57
ERROR [0xea0] 9/3/2017 11:22:16 : userbd_delete_userinfo: trying to delete user
ERROR [0xea0] 9/3/2017 11:22:16 : userdb_delete_userinfo: UserInfo deleted successfully
INFO [0xea0] 9/3/2017 11:22:16 : remove_user_from_de_repositry: user Administrator with ip 10.150.200.57 removed from DE
DEBUG [0xea0] 9/3/2017 11:22:16 : list_add_tail: first element added
DEBUG [0xea0] 9/3/2017 11:22:16 : dead_entry_timeout_workerthread: DeadEntry time expired for the user zpole Workstation IP 10.200.14.147
ERROR [0xea0] 9/3/2017 11:22:16 : userbd_delete_userinfo: trying to delete user
ERROR [0xb8] 9/3/2017 11:22:16 : USERINFO WAITING INFINITE
DEBUG [0xb8] 9/3/2017 11:22:16 : list_remove_head: last element removed
MSG [0xb8] 9/3/2017 11:22:16 : SSOclient_thread: got userinfo: USER: (null)\Administrator <-> Flags: 4
DEBUG [0xb8] 9/3/2017 11:22:16 : SSOclient_filter_CR_subnet: Entering filter function
DEBUG [0xb8] 9/3/2017 11:22:16 : SSOclient_filter_CR_subnet: authnet not specified, send reqiest to CR
ERROR [0xb8] 9/3/2017 11:22:16 : SSOclient_update_CR: no domain name
ERROR [0xb8] 9/3/2017 11:22:16 : USERNAME Administrator Length 14
ERROR [0xb8] 9/3/2017 11:22:16 : WORKSTN IP 10.150.200.57 Length 14
ERROR [0xb8] 9/3/2017 11:22:16 : SSOclient : PACKET SIZE 213 ㄲ3
DEBUG [0xb8] 9/3/2017 11:22:16 : net_send: bytes sent: 213
DEBUG [0xb8] 9/3/2017 11:22:16 : net_send: full packet sent
MSG [0xb8] 9/3/2017 11:22:16 : SSOclient_thread: Logon/Logout Update sent to: 10.150.150.13:0
ERROR [0xb8] 9/3/2017 11:22:16 : GETTING (USERINFO) FROM QUEUE
DEBUG [0xb8] 9/3/2017 11:22:16 : list_remove_head: list is Empty
ERROR [0xea0] 9/3/2017 11:22:17 : userdb_delete_userinfo: UserInfo deleted successfully
INFO [0xea0] 9/3/2017 11:22:17 : remove_user_from_de_repositry: user zpole with ip 10.200.14.147 removed from DE
DEBUG [0xea0] 9/3/2017 11:22:17 : list_add_tail: first element added
ERROR [0xb8] 9/3/2017 11:22:17 : USERINFO WAITING INFINITE
DEBUG [0xb8] 9/3/2017 11:22:17 : list_remove_head: last element removed
MSG [0xb8] 9/3/2017 11:22:17 : SSOclient_thread: got userinfo: USER: (null)\zpole <-> Flags: 4
DEBUG [0xb8] 9/3/2017 11:22:17 : SSOclient_filter_CR_subnet: Entering filter function
DEBUG [0xb8] 9/3/2017 11:22:17 : SSOclient_filter_CR_subnet: authnet not specified, send reqiest to CR
ERROR [0xb8] 9/3/2017 11:22:17 : SSOclient_update_CR: no domain name
ERROR [0xb8] 9/3/2017 11:22:17 : USERNAME zpole Length 6
ERROR [0xb8] 9/3/2017 11:22:17 : WORKSTN IP 10.200.14.147 Length 14
ERROR [0xb8] 9/3/2017 11:22:17 : SSOclient : PACKET SIZE 165 㘱5
DEBUG [0xb8] 9/3/2017 11:22:17 : net_send: bytes sent: 165
DEBUG [0xb8] 9/3/2017 11:22:17 : net_send: full packet sent
MSG [0xb8] 9/3/2017 11:22:17 : SSOclient_thread: Logon/Logout Update sent to: 10.150.150.13:0
ERROR [0xb8] 9/3/2017 11:22:17 : GETTING (USERINFO) FROM QUEUE
DEBUG [0xb8] 9/3/2017 11:22:17 : list_remove_head: list is Empty
MSG [0x2190] 9/3/2017 11:22:17 : SSO_client_update_heartbeat: cr_node:10.150.150.13 is_active:2
DEBUG [0x2190] 9/3/2017 11:22:17 : net_send: bytes sent: 11
DEBUG [0x2190] 9/3/2017 11:22:17 : net_send: full packet sent
DEBUG [0x23e4] 9/3/2017 11:22:18 : dca_eventlog: received event log notification
DEBUG [0x23e4] 9/3/2017 11:22:18 : dca_eventlog: got security event: ID: 4771 <-> Type: 16
DEBUG [0x23e4] 9/3/2017 11:22:18 : dca_eventlog: waiting for event log notification
DEBUG [0x23e4] 9/3/2017 11:22:22 : dca_eventlog: received event log notification
DEBUG [0x23e4] 9/3/2017 11:22:22 : dca_eventlog: got security event: ID: 4634 <-> Type: 8
DEBUG [0x23e4] 9/3/2017 11:22:22 : dca_eventlog: waiting for event log notification
DEBUG [0x23e4] 9/3/2017 11:22:28 : dca_eventlog: received event log notification



This thread was automatically locked due to age.
  • 0

    I cannot help with STAS as I have not used it, but you could consider ldap as an alternative.  It has better user tracking because it uses browser NTLM data.  See my writeup in tbe wiki.

  • 0 in reply to DouglasFoster

    Thanks for the reply - would you mind to link me to that?

    Will LDAP pickup users logging into their computers on the LAN too ?

     

    Thanks for the reply

  • 0 in reply to ZP.

    Ah found it : https://community.sophos.com/products/unified-threat-management/w/utm-wiki/34/using-ldap-with-active-directory

     

     

     

    Would that allow User Based Firewall rules to work though? All of our firewall rules are User Based , and require the Sophos to pick up users as they login logout kinda thing? We don't use web filtering much, its more for transversal of the Firewall that we require the SSO for . 

  • 0 in reply to ZP.

    You would have to test that.  I use it for extensively for web filtering policies, but not at all for firewall.  

    I fear not, because it relies on the briwser grabbing NTLM tokens and including them in the web request, which is why logon/logout does not need to be tracked and the data is always current.  For firewall traffic, that data would not be present.

    I noticed that your problem occurs because stored time = 0, which is always less tban current time, so tbe user has ti.ef out.  Check for time server problems on your domain controller and utm  and hardware problems on utm

  • 0 in reply to DouglasFoster

    Thanks for your assistance.

     

    Ive checked the time on the UTM9 and on my DC's are both are in sync or within 1 second. I'm unsure what the Stored Time = 0 means - is there something I should change?

     

    Thanks 

  • 0 in reply to ZP.

    I am inferring that stored time is logon rime + max session time, so drop occurs when stored time is less than current time.  Stored time should never be zero, so the question is why is it invalid?  Sophos should have caught that.  So the drop logic is working but the logon logic is not.

  • 0 in reply to DouglasFoster

    I have escalated this to Sophos support to see what they can come back with - thanks for your help 

  • 0 in reply to ZP.

    A couple more wild guesses:

    1) Is a UTM user object getting created for the users with "stored time = 0"?   I am not clear whether or not STAS requires a user object to keep track of the Stored Time data, but if it is required and the object creation fails, it would make sense that an attempt to fetch the stored time could return a default value of zero.

    2) Firmware 9.502 changed the SAMBA version to get away from SMB v1, but in the process created a problem with AD configurations that had more than 5000 user objects.  9.503 tried to correct that, but their first release attempt had to be withdrawn.   if your network is complex enough to have 5000 users in AD, or 5000 user objects in UTM, I wonder if the 5001st user is the one that is getting the "stored time = 0" problem. 

  • 0

    Hi,

    Not reading through the complete thread, but there is an issue with the Dead Entry Timeout. Please configure the value 0 for this entry and enable Log Off detection. Let me know if that helps.

    Thanks

  • 0 in reply to sachingurung

    Thanks for the reply

     

    Will test and update.