
Remote AD SSO keeps failing

I'm having AD SSO issues where our new Sophos 120 units at our branch offices in NY and FLA keep disconnecting from our primary AD server in AZ and because of that, our users there are getting pop-ups for authentication.  To resolve this issue I had to re-join the domain and it'll work for 3 to 4 hours and then it breaks again.

We have Win2008 R2 RODC servers at both locations under one domain name.

The Sophos units are all connected via Site to Site VPN (IPSEC - AES256). MTU Discovery is checked at all remote gateways.

We have an older Astaro 320 here at the main office in AZ.  All units are on 8.306 (Can't wait for v9 to come out)

The web filter log shows this when users cannot authenticate: (this log also appears on the FLA unit as well)

AD SSO works well at the AZ site and I'm guessing there might be some tweaking that needs to be done on the VPN side?

2012:09:13-17:02:23 ny01-proxy httpproxy[6205]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x9d432f8" function="auth_adir_auth_crap_callback" file="auth_adir.c" line="888" message="Authorization denied (NT_STATUS_NO_TRUST_SAM_ACCOUNT)"
2012:09:13-17:02:23 ny01-proxy httpproxy[6205]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.252" dstip="" user="Administrator" statuscode="407" cached="0" profile="REF_HttProBlockUsersProfi (Blocked Users Profiles)" filteraction=" ()" size="4593" request="0x9d432f8" url="www.yahoo.com/" exceptions="" error=""
2012:09:13-17:03:02 ny01-proxy httpproxy[6205]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x9d432f8" function="auth_adir_auth_crap_callback" file="auth_adir.c" line="888" message="Authorization denied (NT_STATUS_NO_TRUST_SAM_ACCOUNT)"
2012:09:13-17:03:02 ny01-proxy httpproxy[6205]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.252" dstip="" user="administrator" statuscode="407" cached="0" profile="REF_HttProBlockUsersProfi (Blocked Users Profiles)" filteraction=" ()" size="4593" request="0x9d432f8" url="www.yahoo.com/" exceptions="" error=""
2012:09:13-17:05:37 ny01-proxy httpproxy[6205]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x9d43898" function="auth_adir_auth_crap_callback" file="auth_adir.c" line="888" message="Authorization denied (NT_STATUS_NO_TRUST_SAM_ACCOUNT)"
2012:09:13-17:05:37 ny01-proxy httpproxy[6205]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.252" dstip="" user="cthorpe" statuscode="407" cached="0" profile="REF_HttProBlockUsersProfi (Blocked Users Profiles)" filteraction=" ()" size="4593" request="0x9d43898" url="www.yahoo.com/" exceptions="" error=""
2012:09:13-17:05:44 ny01-proxy httpproxy[6205]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x9d43e38" function="auth_adir_auth_crap_callback" file="auth_adir.c" line="888" message="Authorization denied (NT_STATUS_NO_TRUST_SAM_ACCOUNT)"
2012:09:13-17:05:44 ny01-proxy httpproxy[6205]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.1.252" dstip="" user="Administrator" statuscode="407" cached="0" profile="REF_HttProBlockUsersProfi (Blocked Users Profiles)" filteraction=" ()" size="4612" request="0x9d43e38" url="versioncheck.addons.mozilla.org/" exceptions="" error=""
2012:09:13-17:05:44 ny01-proxy httpproxy[6205]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x9d47478" function="auth_adir_auth_crap_callback" file="auth_adir.c" line="888" message="Authorization denied (NT_STATUS_NO_TRUST_SAM_ACCOUNT)"
2012:09:13-17:05:44 ny01-proxy httpproxy[6205]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.1.252" dstip="" user="Administrator" statuscode="407" cached="0" profile="REF_HttProBlockUsersProfi (Blocked Users Profiles)" filteraction=" ()" size="4608" request="0x9d47478" url="services.addons.mozilla.org/" exceptions="" error=""


  • When you run the rejoin, did you delete the Astaro object from AD first?  The error indicates a difference in SID.  When you delete the object in AD, wait until the deletion replicates to the RODCs to rejoin.
  • No I didn't.  Let me try that and I will get back to you.

    Thanks for your reply.
  • The issue came back and here's the web filter log:

    2012:09:24-11:36:56 ny01-proxy httpproxy[14743]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="scr_scanner.c" line="721" message="server 'cffs13.astaro.com' access time: 640ms"
    2012:09:24-11:45:32 ny01-proxy httpproxy[14743]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x8bfbcf8" function="auth_adir_auth_crap_callback" file="auth_adir.c" line="888" message="Authorization denied (NT_STATUS_NO_TRUST_SAM_ACCOUNT)"
    2012:09:24-11:45:32 ny01-proxy httpproxy[14743]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.28" dstip="" user="rvasslides" statuscode="407" cached="0" profile="REF_HttProHttpsRestr (HTTPS Restrictions)" filteraction=" ()" size="4609" request="0x8bfbcf8" url="www.google-analytics.com/ga.js" exceptions="" error=""
    2012:09:24-11:45:41 ny01-proxy httpproxy[14743]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x8c7c748" function="auth_adir_auth_crap_callback" file="auth_adir.c" line="888" message="Authorization denied (NT_STATUS_NO_TRUST_SAM_ACCOUNT)"
    2012:09:24-11:45:41 ny01-proxy httpproxy[14743]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.28" dstip="" user="rvasslides" statuscode="407" cached="0" profile="REF_HttProHttpsRestr (HTTPS Restrictions)" filteraction=" ()" size="4710" request="0x8c7c748" url="api.bing.com/qsml.aspx
    2012:09:24-11:45:42 ny01-proxy httpproxy[14743]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x8c7cb80" function="auth_adir_auth_crap_callback" file="auth_adir.c" line="888" message="Authorization denied (NT_STATUS_NO_TRUST_SAM_ACCOUNT)"
    2012:09:24-11:45:42 ny01-proxy httpproxy[14743]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.28" dstip="" user="rvasslides" statuscode="407" cached="0" profile="REF_HttProHttpsRestr (HTTPS Restrictions)" filteraction=" ()" size="4702" request="0x8c7cb80" url="api.bing.com/qsml.aspx
    2012:09:24-11:45:43 ny01-proxy httpproxy[14743]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x8c99478" function="auth_adir_auth_crap_callback" file="auth_adir.c" line="888" message="Authorization denied (NT_STATUS_NO_TRUST_SAM_ACCOUNT)"
    2012:09:24-11:45:43 ny01-proxy httpproxy[14743]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.28" dstip="" user="rvasslides" statuscode="407" cached="0" profile="REF_HttProHttpsRestr (HTTPS Restrictions)" filteraction=" ()" size="4702" request="0x8c99478" url="api.bing.com/qsml.aspx
    2012:09:24-11:45:44 ny01-proxy httpproxy[14743]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x8c991a8" function="auth_adir_auth_crap_callback" file="auth_adir.c" line="888" message="Authorization denied (NT_STATUS_NO_TRUST_SAM_ACCOUNT)"
    2012:09:24-11:45:44 ny01-proxy httpproxy[14743]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.28" dstip="" user="rvasslides" statuscode="407" cached="0" profile="REF_HttProHttpsRestr (HTTPS Restrictions)" filteraction=" ()" size="4703" request="0x8c991a8" url="api.bing.com/qsml.aspx
    2012:09:24-11:45:45 ny01-proxy httpproxy[14743]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xf5e295e8" function="auth_adir_auth_crap_callback" file="auth_adir.c" line="888" message="Authorization denied (NT_STATUS_NO_TRUST_SAM_ACCOUNT)"
    2012:09:24-11:45:45 ny01-proxy httpproxy[14743]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.28" dstip="" user="rvasslides" statuscode="407" cached="0" profile="REF_HttProHttpsRestr (HTTPS Restrictions)" filteraction=" ()" size="4593" request="0xf5e295e8" url="www.yahoo.com/" exceptions="" error=""
    2012:09:24-11:45:47 ny01-proxy httpproxy[14743]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xf5e29cf0" function="auth_adir_auth_crap_callback" file="auth_adir.c" line="888" message="Authorization denied (NT_STATUS_NO_TRUST_SAM_ACCOUNT)"
    2012:09:24-11:45:47 ny01-proxy httpproxy[14743]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.1.28" dstip="" user="rvasslides" statuscode="407" cached="0" profile="REF_HttProHttpsRestr (HTTPS Restrictions)" filteraction=" ()" size="4604" request="0xf5e29cf0" url="www.yahoo.com/favicon.ico" exceptions="cache" error=""
    2012:09:24-11:46:14 ny01-proxy httpproxy[14743]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="720" message="reloading config"
    2012:09:24-11:46:15 ny01-proxy httpproxy[14743]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="561" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
    2012:09:24-11:46:15 ny01-proxy httpproxy[14743]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="2598" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
    2012:09:24-11:46:16 ny01-proxy httpproxy[14743]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="755" message="reloading config done, new version 49"
    2012:09:24-11:46:46 ny01-proxy httpproxy[14743]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="720" message="reloading config"
    2012:09:24-11:46:47 ny01-proxy httpproxy[14743]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="561" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
    2012:09:24-11:46:47 ny01-proxy httpproxy[14743]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="2598" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
  • In the GPO used to distribute 'Proxy Settings', is the AD server referred to by IP?  If so, try changing that to the internal FQDN.

    Any luck?

    Cheers - Bob
  • In the meantime, I have not set up a GPO to distribute the proxy settings for the New York office; however, I've set up a WPAD code 252 in the Windows DHCP, and it is pointing to http://ny01-proxy.marcolinusa.com:8080/wpad.dat which is not Sophos' internal FQDN.

    Do you recommend that I change that to Sophos' internal FQDN?

    Thanks for re-editing the logs as they are easier to read...
  • Thanks for re-editing the logs as they are easier to read... 

    You're welcome - you can edit your own post so you can see the [/CODE] at the end after the [CODE] at the beginning.
    

    Well, I'm a bit confused as the FQDN in your URL resolves to an OpenDNS IP in California - does that mean you have a common WPAD file there for all of your offices?  In the WPAD file, the proxy should show the local FQDN for the internal IP of the Astaro.

    For instance, assume the hostname of the Astaro in NY were ny01.yourdomain.com, and the Astaro in that location were joined to your local domain, yourdomain.local, as ny01.  You have local DNS resolve ny01.yourdomain.local to the IP of "Internal (Address)" (say that's 172.16.1.1) for the Astaro.  In your WPAD, replace "172.16.1.1" with ny01.yourdomain.local.

    Cheers - Bob
  • Changed our WPAD file to point to their Astaro's FQDN instead of IP.  So far I have not seen or heard any issues from Florida (I'm testing the configurations there first) and if it all goes well, I will do the same for New York.

    I will post if anything changes.

    Again thank you for your responses.
  • The clue is the crap_callback.  For an explanation, click on the first result of a google on site:astaro.org "auth_adir_auth_crap_callback"

    Cheers - Bob
  • Here is the web filtering log and our users are getting the authentication pop-up.

    The one thing I keep reading on this forum is to reboot the Astaro to restart the winbindd which I will give it a try later in the day.

    2012:09:26-12:23:01 fla01-proxy httpproxy[12128]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x8aa7030" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2012:09:26-12:23:01 fla01-proxy httpproxy[12128]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="x.x.x.x" dstip="" user="mprado" statuscode="407" cached="0" profile="REF_HttProBlockUsersProfi (Blocked Users Profiles)" filteraction=" ()" size="4635" request="0x8aa7030" url="crl.microsoft.com/.../microsoftrootcert.crl" exceptions="av,fileextension" error=""
    2012:09:26-12:23:02 fla01-proxy httpproxy[12128]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x8aa75d0" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2012:09:26-12:23:02 fla01-proxy httpproxy[12128]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="x.x.x.x" dstip="" user="mprado" statuscode="407" cached="0" profile="REF_HttProBlockUsersProfi (Blocked Users Profiles)" filteraction=" ()" size="4630" request="0x8aa75d0" url="crl.microsoft.com/.../CodeSignPCA2.crl" exceptions="av,fileextension" error=""
    2012:09:26-12:23:02 fla01-proxy httpproxy[12128]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x8aa78a0" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2012:09:26-12:23:02 fla01-proxy httpproxy[12128]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="x.x.x.x" dstip="" user="mprado" statuscode="407" cached="0" profile="REF_HttProBlockUsersProfi (Blocked Users Profiles)" filteraction=" ()" size="4624" request="0x8aa78a0" url="crl.microsoft.com/.../WinPCA.crl" exceptions="av,fileextension" error=""
    2012:09:26-12:23:02 fla01-proxy httpproxy[12128]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x8a1a028" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2012:09:26-12:23:02 fla01-proxy httpproxy[12128]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="x.x.x.x" dstip="" user="mprado" statuscode="407" cached="0" profile="REF_HttProBlockUsersProfi (Blocked Users Profiles)" filteraction=" ()" size="4626" request="0x8a1a028" url="mscrl.microsoft.com/.../mswww(5).crl" exceptions="av,fileextension" error=""
    2012:09:26-12:23:02 fla01-proxy httpproxy[12128]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x8a1a730" function="auth_adir_getsid_callback" file="auth_adir.c" line="518" message="winbindd request failed ()"
    2012:09:26-12:23:02 fla01-proxy httpproxy[12128]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="x.x.x.x" dstip="" user="mprado" statuscode="407" cached="0" profile="REF_HttProBlockUsersProfi (Blocked Users Profiles)" filteraction=" ()" size="4681" request="0x8a1a730" url="ctldl.windowsupdate.com/.../disallowedcertstl.cab
  • The one thing I keep reading on this forum is to reboot the Astaro to restart the winbindd which I will give it a try later in the day.

    If you have changed to kerberos from NTLM by using an FQDN and you're still having the problem, the other suggestion is to remove fla01-proxy from the AD and then rejoin the domain from WebAdmin.

    Cheers - Bob
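
Added example, not part of the original thread: a small triage script for the httpproxy log format posted above. It joins each AD authentication failure to the 407 block that shares its `request` handle and counts affected users per gateway and failure reason, so a trust-account error can be told apart from a winbindd failure at a glance. The sample lines, hostnames and user names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

HEADER = re.compile(r'^\s*(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) httpproxy\[\d+\]: ')
FIELD = re.compile(r'(\w+)="([^"]*)"')   # an unterminated trailing value is skipped
# The two failure messages that appear in the logs in this thread.
AUTH_FAIL = re.compile(r'Authorization denied \((\w+)\)|(winbindd request failed)')

# Constructed sample modelled on the thread's log lines (hosts/users are placeholders).
SAMPLE = '''\
2012:09:13-17:02:23 branch-a httpproxy[1]: id="0003" request="0x1" function="auth_adir_auth_crap_callback" message="Authorization denied (NT_STATUS_NO_TRUST_SAM_ACCOUNT)"
2012:09:13-17:02:23 branch-a httpproxy[1]: id="0002" action="block" user="Alice" statuscode="407" request="0x1" url="example.com/"
2012:09:13-17:03:02 branch-a httpproxy[1]: id="0003" request="0x1" function="auth_adir_auth_crap_callback" message="Authorization denied (NT_STATUS_NO_TRUST_SAM_ACCOUNT)"
2012:09:13-17:03:02 branch-a httpproxy[1]: id="0002" action="block" user="alice" statuscode="407" request="0x1" url="example.com/q
2012:09:26-12:23:01 branch-b httpproxy[2]: id="0003" request="0x2" function="auth_adir_getsid_callback" message="winbindd request failed ()"
2012:09:26-12:23:01 branch-b httpproxy[2]: id="0002" action="block" user="carol" statuscode="407" request="0x2" url="example.com/"
2012:09:26-12:23:05 branch-b httpproxy[2]: id="0003" request="(nil)" function="confd_config_reload_func" message="reloading config"
'''.splitlines()

def parse(line):
    """Return the key="value" fields of one httpproxy line, or None if it is not one."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = dict(FIELD.findall(line[m.end():]))
    rec["ts"], rec["host"] = m.group(1), m.group(2)
    return rec

def correlate(lines):
    """Map (host, failure reason) -> {user: count of 407 blocks caused by it}."""
    pending = {}                    # (host, request handle) -> failure reason
    summary = defaultdict(Counter)
    for rec in filter(None, map(parse, lines)):
        key = (rec["host"], rec.get("request"))
        fail = AUTH_FAIL.search(rec.get("message", ""))
        if fail:
            pending[key] = fail.group(1) or fail.group(2)
        elif rec.get("statuscode") == "407" and key in pending:
            # pop: request handles are reused, so consume the failure once matched
            user = rec.get("user", "").lower()   # usernames appear in mixed case
            summary[(rec["host"], pending.pop(key))][user] += 1
    return {k: dict(v) for k, v in summary.items()}

if __name__ == "__main__":
    for (host, reason), users in correlate(SAMPLE).items():
        print(host, reason, users)
```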