Thin Client (SATC) users can't sign in

Users of terminal servers such as Citrix must use a thin client (SATC) to sign in. If authentication fails, follow the steps below to troubleshoot the issue.


Terminal server users are unable to authenticate.


There can be a number of reasons that users are unable to authenticate. Follow the steps below to check that your systems are configured correctly and correct any issues you find.


  1. Sign in to the Sophos Firewall command line interface.
  2. Select option 4. Device Console.
  3. Type the following command:

    system auth thin-client show

    This will list the IP addresses of your terminal servers. Make sure all expected IP addresses are shown.

  4. If the terminal server is not shown in the above steps, add it using the following command:

    system auth thin-client add citrix-ip IPADDRESS

    Replace IPADDRESS with the IP address of the server.

  5. On all terminal servers running SATC, open SATC, go to the Sophos Settings tab and verify that the correct IP address is configured for Sophos Firewall under Sophos IP Address. Also, check that the service is running in the Windows task manager.
  6. Check Authentication Server Settings in Sophos Firewall. Go to Authentication > Services and make sure the Active Directory server is selected under Firewall Authentication Methods.
  7. Check if any proxy software or security software installed on the server might change the source port. If it does, Sophos Firewall sees a port mismatch and treats the traffic as unauthenticated.
  8. If you use Internet Explorer, do the following to minimize or disable User Account Control (UAC):

    User Account Control is a security component that allows an administrator to enter credentials during a non-administrator's session to perform administrative tasks.

    1. Log in to your Windows AD server. Click Start, and then click Control Panel.
    2. In Control Panel, click User Accounts.
    3. In the User Accounts window, click User Accounts.
    4. In the User Accounts tasks window, click Turn User Account Control on or off.
    5. Disable Use User Account Control (UAC) to help protect your computer and click OK.
    6. Click Restart Now to apply the change right away.

    If UAC is currently configured in Admin Approval Mode, the User Account Control message appears. Click Continue.

    If UAC is enabled, it doesn't allow the SATC client to send the traffic to Sophos Firewall. Because SATC sends the username over port 6060 and that traffic never arrives, users don't appear in the live user list. This happens when the thin client user accesses the internet with Internet Explorer.

    SATC LSP registers with Winsock for Sophos Firewall to understand the user traffic. When UAC is enabled, Internet Explorer bypasses the LSP registration.

    Note: There is no issue with UAC with the Firefox web browser.
  9. If you use Internet Explorer, do the following to disable Enhanced Protected Mode.
    1. Launch Run from the Windows Start menu.
    2. In the Run window, type inetcpl.cpl and then click OK.
    3. In the Internet Properties window, click on the Advanced tab.
    4. Scroll down to Security and then turn off Enable Enhanced Protected Mode.
    5. Click Apply and then OK.
  10. If you use Google Chrome, do the following to update the Runs network service in-process setting:
    1. Go to chrome://flags.
    2. Search for Runs network service in-process.
    3. Switch the setting to Enabled.
    Users will be able to authenticate via SATC as expected.
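
The Windows-side checks from steps 5, 8 and 9 can be read in one pass on each terminal server. The following PowerShell is an added example, not part of the Sophos documentation; it only reads settings, and it assumes that the SATC service display name and its Winsock LSP catalog entry both contain the text "Sophos" (adjust the two parameters if your installation uses different names).

```powershell
# Added example: read-only report of the Windows-side settings from steps 5, 8 and 9.
# Assumed, not taken from Sophos documentation: the SATC service display name and
# its Winsock LSP entry both contain the text "Sophos". Adjust the parameters if not.
function Get-SatcPrecheck {
    param(
        [string]$ServiceDisplayName = '*Sophos*',  # assumed wildcard for the SATC service
        [string]$LspText            = 'Sophos'     # assumed text in the LSP catalog entry
    )

    # Step 5: is the service present and running?
    $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
    $svcState = if ($svc) {
        ($svc | ForEach-Object { "$($_.DisplayName): $($_.Status)" }) -join '; '
    } else { 'no matching service' }

    # Step 8: UAC is on when EnableLUA is 1 (machine-wide setting).
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA

    # Step 8 background: the LSP has to be registered in the Winsock catalog.
    # Matching on free text keeps the check independent of the netsh display language.
    $lsp = @(netsh winsock show catalog | Select-String -SimpleMatch -Pattern $LspText)

    # Step 9: Enhanced Protected Mode is on when Isolation is 'PMEM'.
    # This is a per-user value, so run the check in the affected user's session.
    $ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $iso = (Get-ItemProperty -Path $ieKey -Name Isolation -ErrorAction SilentlyContinue).Isolation
    $epm = if ($iso) { $iso } else { 'not set' }

    [pscustomobject]@{ Check = 'SATC service (step 5)';     Observed = $svcState }
    [pscustomobject]@{ Check = 'UAC EnableLUA (step 8)';    Observed = "$lua" }
    [pscustomobject]@{ Check = 'Winsock LSP entries';       Observed = "$($lsp.Count) line(s) match '$LspText'" }
    [pscustomobject]@{ Check = 'IE EPM Isolation (step 9)'; Observed = $epm }
}

Get-SatcPrecheck | Format-Table -AutoSize -Wrap
```

Recording this output before changing UAC or Enhanced Protected Mode also gives you the original values to restore once troubleshooting is finished.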