This article describes the steps to troubleshoot the most common issues when joining Sophos UTM to an Active Directory domain for Single Sign-On (SSO). The following sections are covered:
Applies to the following Sophos products and versions: Sophos UTM
The time and date on the AD domain controller and on the UTM must not differ by more than five (5) minutes, because Kerberos rejects tickets outside that window. To verify the time offset, run the following command as root on the UTM shell; the "Server time offset" line in its output reports the difference in seconds:
net ads info -I <IPofAD>
The UTM needs an FQDN that can be resolved by the AD DNS servers. The FQDN of the UTM can be verified under Management > System settings > Hostname.
The UTM must also be able to resolve the AD domain's service (SRV) records for LDAP and Kerberos, which is how the joining process locates the domain controller. This can be verified using the following commands:
host -t SRV _ldap._tcp.dc._msdcs.MYDOMAIN.LOCAL
host -t SRV _kerberos._udp.MYDOMAIN.LOCAL
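The pre-join checks above (clock offset, SRV lookups, and the UTM's own FQDN) can be wrapped in a small script and run from the UTM shell. The following is an added example and not part of the Sophos article: it parses the output of `net ads info` and `host -t SRV` in separate functions so the logic can be exercised offline on captured output, and runs the live commands only when `AD_CHECK_LIVE=1` is set. The DC address 192.0.2.10, the realm MYDOMAIN.LOCAL and the sample command output are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Sophos article): pre-join sanity checks for
# Sophos UTM <-> Active Directory, written as POSIX sh functions.
# Assumptions: run as root on the UTM; the Samba 'net' and the 'host'
# binaries are present; DC IP and realm are placeholders supplied by the caller.

MAX_SKEW=300   # seconds; the article's five-minute Kerberos limit

# skew_ok OUTPUT: OUTPUT is the text printed by `net ads info -I <dc>`.
# Succeeds when the "Server time offset" line reports an absolute value
# of at most MAX_SKEW seconds; returns 2 if the line is missing/garbled.
skew_ok() {
    off=$(printf '%s\n' "$1" | sed -n 's/^Server time offset:[[:space:]]*//p' | head -n 1)
    case "$off" in
        ''|*[!0-9-]*) return 2 ;;   # no offset line, or not an integer
    esac
    off=${off#-}                    # absolute value
    [ "$off" -le "$MAX_SKEW" ]
}

# srv_ok OUTPUT: OUTPUT is the text printed by `host -t SRV <name>`.
# Succeeds when at least one SRV record was returned.
srv_ok() {
    printf '%s\n' "$1" | grep -q 'has SRV record'
}

# srv_targets OUTPUT: prints the target host of every SRV record
# (last field of each answer line, trailing dot removed).
srv_targets() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }'
}

# live_checks DC_IP REALM: runs the commands from the article and reports.
live_checks() {
    dc="$1"; realm="$2"; rc=0
    info=$(net ads info -I "$dc" 2>&1)
    if skew_ok "$info"; then echo "OK   clock offset within ${MAX_SKEW}s"
    else echo "FAIL clock offset (or no answer from $dc):"; echo "$info"; rc=1; fi
    for name in "_ldap._tcp.dc._msdcs.$realm" "_kerberos._udp.$realm"; do
        out=$(host -t SRV "$name" 2>&1)
        if srv_ok "$out"; then echo "OK   $name -> $(srv_targets "$out" | tr '\n' ' ')"
        else echo "FAIL $name: $out"; rc=1; fi
    done
    # The UTM's own FQDN must resolve as well (see Management > System settings > Hostname).
    fqdn=$(hostname -f 2>/dev/null)
    if [ -n "$fqdn" ] && host "$fqdn" >/dev/null 2>&1; then echo "OK   $fqdn resolves"
    else echo "FAIL UTM FQDN '$fqdn' does not resolve"; rc=1; fi
    return $rc
}

# Constructed sample output (not real captures) used for offline testing.
SAMPLE_INFO_OK='LDAP server: 192.0.2.10
LDAP server name: dc1.mydomain.local
Realm: MYDOMAIN.LOCAL
Server time: Tue, 02 Apr 2019 10:15:32 CEST
KDC server: 192.0.2.10
Server time offset: -42'
SAMPLE_INFO_BAD='Server time offset: 912'
SAMPLE_SRV_OK='_ldap._tcp.dc._msdcs.mydomain.local has SRV record 0 100 389 dc1.mydomain.local.'
SAMPLE_SRV_BAD='Host _ldap._tcp.dc._msdcs.mydomain.local not found: 3(NXDOMAIN)'

# Live run only when explicitly requested, e.g.:
#   AD_CHECK_LIVE=1 DC_IP=192.0.2.10 REALM=MYDOMAIN.LOCAL sh ad_precheck.sh
if [ "${AD_CHECK_LIVE:-0}" = 1 ]; then
    live_checks "${DC_IP:?set DC_IP}" "${REALM:?set REALM}"
fi
```

The offset check deliberately fails closed: if `net ads info` cannot reach the DC at all, the "Server time offset" line is absent and `skew_ok` returns non-zero, which is the same symptom the join would show.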
Joining the AD domain fails if the domain controller does not accept NTLMv1. The join works only with the LAN Manager authentication level set to "Send LM & NTLM – use NTLMv2 session security if negotiated". Note that lowering this level allows LM/NTLMv1 authentication for every client of that domain controller, which weakens the domain against credential relay and offline cracking, so apply it only where the join requires it and keep the scope as narrow as possible. For more details, please refer to Network security: LAN Manager authentication level.
Problem: While enabling Active Directory integration in the UTM (Webadmin > Definitions & Users > Authentication Services > Single Sign-On > Active Directory Single-Sign-On (SSO)), the joining process fails with either a "Could not test LDAP settings" or a "Could not join the domain" error message.
In Active Directory Users and Computers
In Domain Controller Security Settings
If Active Directory Group Policy is defined, then make the change in the Group Policy Management.
In the UTM (Webadmin > Definitions & Users > Authentication Services > Single Sign-On > Active Directory Single-Sign-On (SSO)):