SSO Authentication (Standard Mode) suddenly requires authentication for Content Server sites.

Hi All

Yesterday afternoon (3rd December, approx. 14:00) most sites that have analytics, which is most, are all of a sudden asking for credentials.

 

The proxy server has been working perfectly for approx 3 years now without issue or recent change.

 

Original web site http://news.sky.com/entertainment for example.

 

 

I have checked the web log for events and discovered that the user is accepted for the initial site but does not pass credentials for the "Content Server" sites.

 

2015:12:04-12:42:42 utm220-1 httpproxy[23780]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.18.57" dstip="" user="USERNAME" ad_domain="DOMAIN" statuscode="407" cached="0" profile="REF_HttProIt (CARS)" filteraction=" ()" size="2505" request="0xd009000" url="news.sky.com/entertainment" referer="http://news.sky.com/weather" error="" authtime="59" dnstime="0" cattime="0" avscantime="0" fullreqtime="35427" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36" exceptions=""


2015:12:04-12:42:42 utm220-1 httpproxy[23780]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="192.168.18.57" dstip="37.252.163.213" user="USERNAME" ad_domain="DOMAIN" statuscode="200" cached="0" profile="REF_HttProIt (CARS)" filteraction="REF_HttCffItAdminist (IT Administrators)" size="0" request="0xe1a41800" url="ams1.ib.adnxs.com/vevent referer="ams1.ib.adnxs.com/if error="" authtime="75" dnstime="442" cattime="124" avscantime="0" fullreqtime="105602" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36" exceptions="" country="Europe" category="154" reputation="neutral" categoryname="Web Ads" application="appnexus" app-id="802"


2015:12:04-12:42:45 utm220-1 httpproxy[23780]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.18.57" dstip="" user="" ad_domain="" statuscode="407" cached="0" profile="REF_HttProIt (CARS)" filteraction=" ()" size="2505" request="0xe19cb000" url="pagead2.googlesyndication.com/activeview referer="news.sky.com/entertainment" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="146" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36" exceptions=""

 

Could it be a problem with surf protection?

 

Any ideas?

 

Many thanks

 

Chris
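
The pattern in the log excerpt above (a client that authenticates for the main page but gets a 407 with an empty `user` field on third-party hosts) can be pulled out of a larger log mechanically. The following is an added example, not part of the original post; the sample lines are constructed and trimmed to the fields that matter, and the function names are illustrative.

```python
import re
from collections import defaultdict

# key="value" pairs, as written in the UTM httpproxy lines quoted above
FIELD = re.compile(r'([\w-]+)="([^"]*)"')

# Constructed sample lines (same field layout, trimmed; all values invented)
SAMPLE_LOG = [
    'httpproxy[1]: id="0001" srcip="192.0.2.57" user="alice" statuscode="200" '
    'url="news.example.test/entertainment" referer=""',
    'httpproxy[1]: id="0003" srcip="192.0.2.57" user="" statuscode="407" '
    'url="ads.example.test/vevent" referer="news.example.test/entertainment"',
    'httpproxy[1]: id="0003" srcip="192.0.2.57" user="" statuscode="407" '
    'url="metrics.example.test/activeview" referer="news.example.test/entertainment"',
    # A client that never authenticated at all: a different problem, not reported
    'httpproxy[1]: id="0003" srcip="192.0.2.99" user="" statuscode="407" '
    'url="news.example.test/" referer=""',
]

def parse_line(line):
    """Return the key="value" fields of one httpproxy line as a dict."""
    return dict(FIELD.findall(line))

def unauthenticated_subrequests(lines):
    """Map each client that has a known user to the hosts on which it was
    answered with 407 while sending no credentials (empty user field)."""
    known_user = {}
    challenged = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        src = f.get("srcip")
        if not src:
            continue
        if f.get("user"):
            known_user.setdefault(src, f["user"])
        elif f.get("statuscode") == "407":
            # url is logged as host/path, so the host is the first segment
            challenged[src].add(f.get("url", "").split("/")[0])
    return {src: {"user": known_user[src], "hosts": sorted(hosts)}
            for src, hosts in challenged.items() if src in known_user}

if __name__ == "__main__":
    for src, info in unauthenticated_subrequests(SAMPLE_LOG).items():
        print(src, info["user"], "got 407 without credentials for:",
              ", ".join(info["hosts"]))
```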



  • Are you using Chrome, if so is it version 47?

    A similar issue has befallen one of our clients where it's asking for authentication all over the shop when it was working perfectly fine for a long period.
  • Hi Emile, thanks for replying.

    Yes it is version 4.7. Unfortunately it also happens with Internet Explorer 8 and 11.

    It does have a few firmware updates that need applying, I wonder if an UP2Date update has thrown the content filter engine....... We plan to install them this evening.

    Strange and annoying!
  • Hi Chris, probably not had a chance yet as it's the weekend, any luck on the updates fixing the issue?
  • FormerMember
    We just began having the same exact issue across our network. When pulling up a page only in Chrome, the user is met with the authentication prompt and it repeats for every content or ad server that hosts a link on the page. I opened a ticket with Sophos and haven't heard back. I checked my entire UTM and can't find any configuration errors.
  • FormerMember
    I see this has been reported as a widespread issue.
    code.google.com/.../detail
  • Hi

    I've seen a couple of cases of this over the last week. As Emile and Gary point out, this seems to be specific to Chrome and NTLM authentication, although I haven't had a chance to do any in-depth investigation on this.

    In the cases that I have looked at we have made changes to allow Chrome to use Kerberos rather than NTLM auth, which has worked as a workaround. E.g. change the browser proxy settings to FQDN rather than IP address.

    However if you are seeing these symptoms in IE as well as Chrome then this may be a red herring. Wireshark can be used to check whether NTLM or Kerberos is being used. If you are still experiencing this issue then let us know and I can provide more information.

    Greg
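
For the NTLM-versus-Kerberos check mentioned in the reply above, the distinction is visible in the `Proxy-Authorization` header value once it is copied out of a capture. The following is an added example, not part of the thread; it is a heuristic, the function name is illustrative, and the tokens in the demo are constructed stubs rather than real credentials.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"  # signature at the start of every NTLM message
# DER encoding of the Kerberos 5 mechanism OID 1.2.840.113554.1.2.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}

def classify_auth_header(value):
    """Classify a Proxy-Authorization / Proxy-Authenticate header value."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("ntlm", "negotiate"):
        return f"other ({scheme})"
    if not token:
        return f"{scheme} (no token)"  # bare challenge offered by the proxy
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return "malformed"
    # A raw NTLMSSP message can appear under either scheme name:
    # "Negotiate" carrying NTLMSSP means Kerberos was not used.
    if raw.startswith(NTLMSSP) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return f"NTLM {NTLM_TYPES.get(msg_type, 'unknown')}"
    # GSS-API tokens start with tag 0x60 and name their mechanism by OID.
    if raw[:1] == b"\x60" and KRB5_OID in raw:
        return "Kerberos (SPNEGO)"
    return "unrecognised token"

# Constructed tokens for demonstration only (not valid credentials)
NTLM_TYPE1 = base64.b64encode(NTLMSSP + struct.pack("<II", 1, 0xA2088207)).decode()
KRB_STUB = base64.b64encode(
    b"\x60\x82\x05\x00" + bytes.fromhex("06062b0601050502")  # SPNEGO OID
    + b"\xa0\x30" + KRB5_OID + b"\x00" * 8
).decode()

if __name__ == "__main__":
    for header in ("NTLM " + NTLM_TYPE1, "Negotiate " + NTLM_TYPE1,
                   "Negotiate " + KRB_STUB, "Negotiate"):
        print(f"{header[:40]:<42} -> {classify_auth_header(header)}")
```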
  • The Updates did not fix the issue.

    We tried changing the proxy address to FQDN, but no fix.

    The workaround used to fix the issue was to disable "Block access on authentication failure"

    The user and site are still queried against active directory and content filtering.

    I appreciate it's not ideal, but......

    We roll out GPO proxy settings which cannot be changed.

    Hope it gets fixed soon.

  • Perhaps I am coming in late to the party, however is this with regard to Microsoft ADFS situation? You have your ADFS proxy prompting for authentication, after authenticating?
    I would look further into the EAP, with regards to browsers. We noticed it on Chrome awhile back, however no update.
  • Google released a new Chrome version today (47.0.2526.80) that fixes NTLM authentication failure.
  • One of our clients just emailed me saying this has resolved the issue. Suggest you flag your comment as an answer