2 Replies Latest reply on Aug 31, 2016 1:42 AM by cds

    MWG 7.6.2.2 Domain Auth Failed - Other Ports than TCP 445 needed?

    cds

      Hi,

       

      We updated an MWG from 7.5.2.8 to 7.6.2.2 yesterday, and after the update the Windows Domain Authentication did not work any more (the status in Configuration > Windows Domain Membership showed red and users couldn't auth). A restore of a snapshot to the previous version brought us back to a working environment.

       

      Now the question is why the new version did not work. I had a look at the firewall logs and saw, in the time after the upgrade, several connections on port 443 from the MWG to one of the DCs.

      Removing the Domain Membership and adding the MWG again was possible but auth would not work and the status would switch from green to red again.

       

      Following this post, "Web Gateway domain communication for NTLM authentication", we only opened port TCP 445 for access from the MWG to the DC.

      Was there a change somewhere between 7.5 and 7.6 where TCP 443 is also needed for Domain Auth? I did not find anything in the Release Notes.

       

      Thanks for your input.

       

      with kind regards

      Chris

        • 1. Re: MWG 7.6.2.2 Domain Auth Failed - Other Ports than TCP 445 needed?
          Jon Scholten

          Hi Chris,

           

          Are you sure that the 443 traffic wasn't just traffic from the DC to the MWG (because MWG is set up transparently as the proxy)? Was the SYN packet from the DC to the MWG?

           

          Testing on 7.6.2 I don't see any 443 traffic during the domain join.

           

          If the status goes from green to red that tells me there is something else going on. If you take a screenshot of the capture I might be able to tell you where things go wrong. Feel free to redact what you need.

           

          Best Regards,

          Jon

          • 2. Re: MWG 7.6.2.2 Domain Auth Failed - Other Ports than TCP 445 needed?
            cds

            Hi Jon

             

            Thanks for the reply. You are probably right. This traffic has nothing to do with the update or the domain join.

            We are going to test the update again, but since this is a productive environment we can only do it after work hours, so this might take some time.

             

            However, in the Debug Auth Logs I found the following entries for another update attempt of the MWG by the customer. Here the update was finished at around 17:25, then the auth stopped working, and a removal of the domain and rejoin did not help.

             

            [2016-08-29 17:25:09.230 +02:00] [4341] NTLM: Exception "timeout during read operation on message socket 421" when reading data from DC x.x.x.101 tmpBuf: 0 fBuf: 0 port: 14152 ms: 15067

            [2016-08-29 17:25:09.234 +02:00] [4340] NTLM: Exception "timeout during read operation on message socket 378" when reading data from DC x.x.x.102 tmpBuf: 0 fBuf: 0 port: 41818 ms: 15038

            [2016-08-29 17:25:09.320 +02:00] [4341] NTLM: Thread 0x7f0dfdb38eb0 Domain <domain> id 6 failed to reconnect to DC x.x.x.101

            [2016-08-29 17:25:09.323 +02:00] [4340] NTLM: Thread 0x7f0dfdb0b190 Domain <domain> id 6 failed to reconnect to DC x.x.x.102

            [2016-08-29 17:25:09.338 +02:00] [7120] NTLM: Disconnected from DC x.x.x.101 in domain <domain>

            [2016-08-29 17:25:09.374 +02:00] [7120] NTLM: Disconnected from DC x.x.x.102 in domain <domain>

            [2016-08-29 17:25:43.108 +02:00] [7120] NTLM: Dropped account in domain <domain>

            [2016-08-29 17:25:43.108 +02:00] [4340] NTLM: Thread 0x7f0dfdb0b190 Domain <domain> id 6 - shutdown (1)

            [2016-08-29 17:25:43.108 +02:00] [4341] NTLM: Thread 0x7f0dfdb38eb0 Domain <domain> id 6 - shutdown (1)

            [2016-08-29 17:26:21.619 +02:00] [7120] NTLM: Registered account for domain <domain>

            [2016-08-29 17:26:21.667 +02:00] [7120] NTLM: Connected to DC x.x.x.101 in domain <domain>

            [2016-08-29 17:26:21.668 +02:00] [7120] NTLM: Updated list of trusted domains for domain <domain>

            [2016-08-29 21:26:21.493 +02:00] [7120] NTLM: Updated list of trusted domains for domain <domain>

             

            But as I said we are going to try another attempt sometime this week and I'm going to dump some traffic and report back here.

             

            with regards

            Chris
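
Added example (not part of the thread and not McAfee tooling): a small parser for the NTLM debug-auth entries quoted in the last post, which counts read timeouts and failed reconnects per DC and lists DCs with no later "Connected to DC" entry. The function names `summarize` and `unrecovered` are hypothetical, and the line layout is assumed from the excerpt only.

```python
import re
from datetime import datetime

# Log lines copied from the post above (DC addresses and domain are redacted there).
SAMPLE = '''\
[2016-08-29 17:25:09.230 +02:00] [4341] NTLM: Exception "timeout during read operation on message socket 421" when reading data from DC x.x.x.101 tmpBuf: 0 fBuf: 0 port: 14152 ms: 15067
[2016-08-29 17:25:09.234 +02:00] [4340] NTLM: Exception "timeout during read operation on message socket 378" when reading data from DC x.x.x.102 tmpBuf: 0 fBuf: 0 port: 41818 ms: 15038
[2016-08-29 17:25:09.320 +02:00] [4341] NTLM: Thread 0x7f0dfdb38eb0 Domain <domain> id 6 failed to reconnect to DC x.x.x.101
[2016-08-29 17:25:09.323 +02:00] [4340] NTLM: Thread 0x7f0dfdb0b190 Domain <domain> id 6 failed to reconnect to DC x.x.x.102
[2016-08-29 17:26:21.619 +02:00] [7120] NTLM: Registered account for domain <domain>
[2016-08-29 17:26:21.667 +02:00] [7120] NTLM: Connected to DC x.x.x.101 in domain <domain>
'''

# Assumed layout: [timestamp offset] [id] NTLM: message
LINE = re.compile(r'^\[([\d-]+ [\d:.]+ [+-]\d\d:\d\d)\] \[\d+\] NTLM: (.*)$')
PATTERNS = (
    ("timeout", re.compile(r'Exception "timeout[^"]*" when reading data from DC (\S+).* ms: (\d+)')),
    ("reconnect_fail", re.compile(r'failed to reconnect to DC (\S+)')),
    ("connected", re.compile(r'^Connected to DC (\S+)')),  # anchored: must not match "Disconnected"
)

def summarize(text):
    """Return {dc: stats} with timeout/reconnect counts and last failure/connect times."""
    stats = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or not an NTLM debug entry
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f %z")
        for kind, rx in PATTERNS:
            hit = rx.search(m.group(2))
            if not hit:
                continue
            dc = stats.setdefault(hit.group(1), {"timeouts": 0, "max_wait_ms": 0,
                "reconnect_failures": 0, "last_failure": None, "last_connected": None})
            if kind == "timeout":
                dc["timeouts"] += 1
                dc["max_wait_ms"] = max(dc["max_wait_ms"], int(hit.group(2)))
                dc["last_failure"] = ts
            elif kind == "reconnect_fail":
                dc["reconnect_failures"] += 1
                dc["last_failure"] = ts
            else:
                dc["last_connected"] = ts
    return stats

def unrecovered(stats):
    """DCs whose last failure is not followed by a 'Connected to DC' entry in the input."""
    return sorted(dc for dc, s in stats.items() if s["last_failure"]
                  and (s["last_connected"] is None or s["last_connected"] < s["last_failure"]))

if __name__ == "__main__":
    print(unrecovered(summarize(SAMPLE)))
```

On the quoted lines this reports x.x.x.102, which only says that no reconnect to that DC appears in the excerpt, not that none happened.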