M370 Active directory authentication fail after 12.7.2

Hi guys, after the 12.7.2 update on our M370 active/passive cluster, Active Directory authentication isn't working for the endpoint users.
I've also updated the WG-Authentication-Gateway to 12.7.2 and rebooted the two appliances; checking System Manager -> Tools -> SSO Agents, the registration is present/ok.
No problem for the same users working on Terminal server.

I just opened a case in the support portal.


  • version 12.7.2 is terrible ... a lot of problems

  • Ahhh!! I waited months before upgrading, but it probably wasn't enough!

  • If you have the possibility to go back to the previous one .... I also have 2 M370 in an active/passive cluster where, with the upgrade, I have great difficulty in navigating the subdomains. I opened a ticket, but for now there is nothing to do but wait for an upgrade ...

  • Odd, I had some minor issues upgrading to 12.7.2, but both my clusters and single units are running without issues (as far as I know).

  • the cluster is ok, my problem is browsing the sub domains

  • @drnet said:
    the cluster is ok, my problem is browsing the sub domains


    What subdomains?


  • edited November 2021

    @drnet thank you for the reply. Yes, I can go back; anyway, there are no other issues in my environment, but the local authentication is sufficient for me to go back if support does not solve it.

  • @toscanatlc

    More odd. Searching for any of the words DNS_PROBE_FINISHED_NXDOMAIN in Dimension for the last 24 hours from my clusters does not show any of these events, and I have selected ALL in search options.


  • @toscanatlc

    And what I wrote was, I do not have that issue.

  • The problem is random, you have DNSWatch active, and I also don't find anything in the logs on Dimension.

  • I have been struggling with this problem for a month now. I found a workaround by deactivating the Dnscache service on the PC (Windows 10), a solution already communicated to technical support. I also downgraded the firmware, and in fact the problem no longer occurs.

    For me the problem lies in the DNSWatch service.

  • RyanTait, WatchGuard Representative

    It looks like we have a few issues being discussed here.

    @drnet, if you've opened a support case, send me the details and I can look into it. Fireware 12.7.2 did not change anything with DNSWatch.

    DNS_PROBE_FINISHED_NXDOMAIN is an error displayed by browsers and will not appear in any Firebox log. I'm somewhat skeptical that disabling the local DNS cache service in Windows was the fix. The negative cache (time to keep NXDOMAIN responses cached) is 5 seconds in Windows 10 1703 and above. If there is a DNS resolution problem where a hostname cannot be found, the upstream DNS servers should be re-queried quickly.

    @Giacomo, I can have somebody look into your case. The only thing we did in Fireware 12.7.2 with SSO was give you the option to disable Active Directory authentication on the SSO agent. This turns off the TCP port 445 check that SSO would always fall back to.

    Ryan Tait | Support Engineer
    WatchGuard Technologies, Inc. | www.watchguard.com
    Office Hours: 5:00AM - 2:00 PM (Pacific Time), Monday - Friday.

  • Hi Ryan,

    I did not understand, but in any case it is I who sent the ticket and the DNS_PROBE_FINISHED_NXDOMAIN forum. I assure you that by disabling the Windows Dnscache service the problem will disappear.

  • Update:
    These days I have activated the WatchGuard portal and I have activated the RDP for mine. The strange thing is that by connecting, the problem of "DNS_PROBE_FINISHED_NXDOMAIN" does not occur. I am going crazy about it ...
