Troubleshooting authentication

Investigate and resolve common authentication issues.

You'll typically need access to Sophos Firewall, the authentication server, and an endpoint device that fails authentication to troubleshoot authentication issues.

Client devices fail authentication when Kerberos and NTLM are configured.

Some common issues for authentication failure are as follows:

  • Configuration errors.
  • Domain join failures.
  • The key version number (KVNO) in Kerberos doesn't match between endpoints and Sophos Firewall.

To resolve the issue, do as follows:

  1. Go to Authentication > Servers.
  2. Click your AD server and then click Test connection.

    If the connection fails, you must resolve the AD connectivity issues before you continue.

  3. Go to Rules and policies > Firewall rules to check whether there's a rule in place to allow Kerberos and NTLM traffic. If there isn't a rule, you must create one.

  4. Go to Administration > Device access, and make sure AD SSO is configured for the zone that clients authenticate from. This is typically your LAN zone.
  5. If you configure Sophos Firewall as an explicit proxy, make sure you use the hostname in the browser settings. If you use an IP address, the client allows only NTLM authentication.
  6. Sign in to the firewall command line interface.
  7. Select option 5. Device Management, then select option 3. Advanced Shell.
  8. Use the following command to check that the nasm service is running:

    service -S | grep -i "nasm"
  9. Check the Kerberos keytab matches on both the endpoint and Sophos Firewall.

    1. On the endpoint computer, open a command prompt and run the following commands:

      setspn -Q */proxyhostname

      Change proxyhostname to the FQDN of Sophos Firewall.

  10. Open PowerShell.

  11. To get the KVNO from AD, run the following commands:

    get-aduser <USERNAME> -property msDS-KeyVersionNumber

    Change <USERNAME> to the username of the user you're querying.

    get-adcomputer <COMPUTERNAME>$ -property msDS-KeyVersionNumber

    Change <COMPUTERNAME> to the name of the machine you're querying.

  12. Open the advanced shell in Sophos Firewall.

  13. Run the following command:

    chroot /content/nasm
  14. At the next prompt, run the following command:

    /oss/klist -e -k /tmp/krb5.keytab

    The output will look similar to this:

    [Screenshot: Kerberos keytab details]

  15. Check that the proxy name matches on both the endpoint and Sophos Firewall. This is case-sensitive.

  16. Check that the KVNO matches between both the endpoint and Sophos Firewall.
  17. If the proxy name doesn't match between the endpoint and Sophos Firewall, make sure the host record in AD for the firewall matches the hostname configured under Administration > Admin settings > Hostname.
  18. If the KVNO doesn't match, the user must sign out and back into their account, or you must rejoin Sophos Firewall to the domain. Normally this issue is caused when the hostname of Sophos Firewall is changed.
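As an added check for steps 9 to 18 (this script is not from the Sophos documentation), the following PowerShell parses the firewall's klist keytab listing, reads the firewall computer account's msDS-KeyVersionNumber and SPNs from AD with the RSAT ActiveDirectory module, and flags KVNO or case-sensitive principal mismatches. The computer account name SFOS, the realm and the klist sample are constructed assumptions; paste your own klist output from step 14.

```powershell
Import-Module ActiveDirectory   # RSAT module, assumed to be installed
# Constructed sample of '/oss/klist -e -k /tmp/krb5.keytab'; replace with the real text.
$KlistOutput = @"
Keytab name: FILE:/tmp/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/sfos.example.local@EXAMPLE.LOCAL (aes256-cts-hmac-sha1-96)
   5 HTTP/sfos.example.local@EXAMPLE.LOCAL (aes128-cts-hmac-sha1-96)
"@

function Get-KeytabEntries {
    param([string]$Text)
    # Each entry line is: KVNO, principal@REALM and, with -e, (enctype).
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*(\d+)\s+(\S+?)@(\S+?)(?:\s+\((.+)\))?\s*$') {
            [pscustomobject]@{
                Kvno      = [int]$Matches[1]
                Principal = $Matches[2]    # e.g. HTTP/sfos.example.local
                Realm     = $Matches[3]
                Enctype   = $Matches[4]
            }
        }
    }
}

function Test-FirewallKeytab {
    param(
        [string]$ComputerName,   # the firewall's AD computer account name (assumed)
        [string]$KlistText
    )
    # msDS-KeyVersionNumber is the AD-side KVNO; servicePrincipalName holds the
    # HTTP/<fqdn> SPN. SPNs are case-sensitive, so -ccontains is used, not -contains.
    $acct = Get-ADComputer -Identity "$ComputerName`$" `
        -Properties 'msDS-KeyVersionNumber', 'servicePrincipalName'
    $adKvno = [int]$acct.'msDS-KeyVersionNumber'
    $adSpns = @($acct.servicePrincipalName)
    foreach ($e in Get-KeytabEntries -Text $KlistText) {
        [pscustomobject]@{
            Principal  = $e.Principal
            Enctype    = $e.Enctype
            KeytabKvno = $e.Kvno
            ADKvno     = $adKvno
            KvnoMatch  = ($e.Kvno -eq $adKvno)
            SpnMatch   = ($adSpns -ccontains $e.Principal)
        }
    }
}

Test-FirewallKeytab -ComputerName 'SFOS' -KlistText $KlistOutput | Format-Table -AutoSize
```

A row with SpnMatch = False points at step 17 (hostname mismatch), and a row with KvnoMatch = False points at step 18 (stale keytab after a hostname change or rejoin).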

Terminal server users are unable to sign in

Users of terminal servers such as Citrix must use a thin client (SATC) to sign in.

There can be several reasons that users are unable to authenticate. To check that your systems are configured correctly, and correct any issues you find, do as follows:

  1. Sign in to the Sophos Firewall command line interface (CLI).
  2. Select option 4. Device Console.
  3. Run the following command:

    system auth thin-client show

    This lists the IP addresses of your terminal servers. Make sure all expected IP addresses are shown.

  4. If the terminal server isn't shown in the steps above, add it using the following command:

    system auth thin-client add citrix-ip <IPADDRESS>

    Replace <IPADDRESS> with the IP address of the server.

  5. On all terminal servers running SATC, open SATC, go to the Sophos Settings tab, and check that the correct IP address is configured for Sophos Firewall under Sophos IP Address. Also, check that the service is running in the Windows task manager.

  6. Check Authentication Server Settings in Sophos Firewall. Go to Authentication > Services and make sure the Active Directory server is selected under Firewall Authentication Methods.
  7. Check whether any proxy or security software installed on the server changes the source port. If it does, Sophos Firewall sees a port mismatch and treats the traffic as unauthenticated.
  8. If you use Internet Explorer, to minimize or turn off User Account Control (UAC), do as follows:

    1. Sign in to your Windows AD server. Click Start, and then click Control Panel.
    2. In Control Panel, click User Accounts.
    3. In the User Accounts window, click User Accounts.
    4. In the User Accounts tasks window, click Turn User Account Control on or off.

      User Account Control is a security component that allows an administrator to enter credentials during a non-administrator's session to perform administrative tasks.

    5. Clear Use User Account Control (UAC) to help protect your computer, and click OK.
    6. Click Restart Now to apply the change right away.

    If UAC is currently configured in Admin Approval Mode, the User Account Control message appears. Click Continue.

    If UAC is turned on, it doesn't allow the SATC client to send the traffic to Sophos Firewall. Because SATC sends the username over port 6060, users don't appear in the live user list. This happens when the SATC user accesses the internet with Internet Explorer.

    The SATC LSP registers with Winsock so that Sophos Firewall can identify the user traffic. When UAC is turned on, Internet Explorer bypasses the LSP registration.

    There's no issue with UAC when users browse with Firefox.

To turn off Enhanced Protected Mode, do as follows:

  1. Launch Run from the Windows Start menu.
  2. In the Run window, type inetcpl.cpl and then click OK.
  3. In the Internet Properties window, click the Advanced tab.
  4. Scroll down to Security and then turn off Enable Enhanced Protected Mode.
  5. Click Apply and then OK.

To enable the Runs network service in-process setting in Chrome, do as follows:

  1. In your Chrome browser, go to chrome://flags.
  2. Search for Runs network service in-process.
  3. Switch the setting to Enabled.

Users will now be able to authenticate via SATC as expected.