There is a known issue where the HTTP proxy with AD-SSO authentication in transparent mode does not work with IE and Chrome after upgrading to Sophos UTM 9.5. Sophos are aware of this.
Upgrade to Sophos UTM 9.5 MR2 (9.502), which has been released and fixes this issue. Then, if possible, update to the latest current version.
A domain re-join is necessary for AD-SSO to work if you update to 9.502 and the appliance was rebooted between the 9.501 and 9.502 updates:
The re-join can be done following these steps:
- In the WebAdmin, browse to Definition & Users > Authentication Services > Single Sign-On.
- Type the username with incorrect password in the Active Directory Single-Sign-On (SSO) fields.
- Click Apply.
- Wait for error message in WebAdmin (Joining the domain failed).
- On a domain controller, manually delete the UTM’s computer account from AD; sync the change with ALL domain controllers.
- Type the username with correct password in the Active Directory Single-Sign-On (SSO) fields.
- Wait for the confirmation message in WebAdmin (Active Directory SSO saved successfully).
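As an added example (not part of the Sophos article), the following PowerShell run on a domain controller performs the manual delete step above and checks that the stale computer account is gone from every DC before the correct password is re-entered. It assumes the RSAT ActiveDirectory module is installed and uses `UTM-HOSTNAME` as a placeholder for the UTM's NetBIOS host name.

```powershell
# Added example, not from the Sophos article. Assumes the ActiveDirectory
# PowerShell module (RSAT) and an account allowed to delete computer objects.
# 'UTM-HOSTNAME' is a placeholder for the UTM's NetBIOS host name.
$utmName = 'UTM-HOSTNAME'

# Every DC in the domain; the stale account must be gone from all of them,
# otherwise the re-join may race against a DC that still holds the old object.
$dcs = Get-ADDomainController -Filter *

function Get-UtmAccountPresence {
    param([string]$Name, [object[]]$DomainControllers)
    # One row per DC. -Filter (not -Identity) is used so that a missing object
    # is reported as Present = False instead of throwing an exception.
    foreach ($dc in $DomainControllers) {
        $obj = Get-ADComputer -Filter "Name -eq '$Name'" -Server $dc.HostName
        [pscustomobject]@{ DC = $dc.HostName; Present = [bool]$obj }
    }
}

"Before delete:"
Get-UtmAccountPresence -Name $utmName -DomainControllers $dcs | Format-Table -AutoSize

# The manual step from the procedure: remove the UTM's computer object.
Get-ADComputer -Filter "Name -eq '$utmName'" | Remove-ADComputer -Confirm:$false

# Push the deletion to every DC now instead of waiting for scheduled replication
# (/A all partitions, /d show DNs, /e include other sites, /P push from this DC).
repadmin /syncall /AdeP | Out-Null

"After delete (every row should show Present = False before re-entering the correct password):"
Get-UtmAccountPresence -Name $utmName -DomainControllers $dcs | Format-Table -AutoSize
```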
If the appliance has been rebooted between the 9.501 installation and the 9.502 upgrade, re-joining fixes both Kerberos authentication and ad-sync.
If the appliance has not been rebooted between the 9.501 installation and the 9.502 upgrade, re-joining fixes ad-sync; Kerberos authentication works correctly without re-joining.
The reason for this is that the machine password (which was changed via net ads changetrustpw) is lost during the mdw restart.