[Bug?] Sophos UTM forgets Bind DN password

This is still an issue for me on 9.409-9

Even after deleting and recreating the Active Directory entry in Authentication Services > Servers.

Do you use a dedicated AD-User for authentication-requests against the AD?

Is maybe the User blocked in AD?

What happens when you use domain-admin credentials?

Hmm... have serveral Virtual Appliances as well as UTM's and SG's on various customers Sites.

We had the Issue with .408 but I can say it's gone on every Site with .409...

Have you deleted the AD-Server and recreated it from scratch? J.Rivett mentioned above, he had to recreate those entries as well...

We've got 2 Sophos UTM 220 in HA mode. I ran into the exact same issue with 9.407-3. After updating to 9.409-9 the issue is still present.

I tried with a dedicated user with just "authenticated users" permission (which normally shoud be sufficient) and also with domain admin. I also deleted the authenticaton server object and recreated from scratch.

Still getting "Error: Server exists and accepts connections, but bind to ldap://xxx.xxx.xxx.xx:389 failed with this Bind DN and Password"

For what it's worth, I was running 9.408-4 (2 UTM's in HA) and was having this exact same problem.  Yesterday I upgraded to 9.409-9 and the problem went away.

Same problem here. Version 9.409-9 and re-adding the server changes nothing.

Firmware version 9.410-6 was very recently released.  In the release notes, one of the bug fixes (see snip below) may resolve this problem.  Maybe someone from Sophos can confirm?

Fix [NUTM-6356]: [WebAdmin] AD User Test fails after first creation of an authentication server

Updated to 9.410-6. Problem is still unsolved.

It's quite annoying since we have plenty users remotely connecting from outside. Now I had to create a local login inside the UTM for every user instead of using the AD users. Plus guiding every user trough the process of downloading and installing the remote connection tool again.

I can confirm that 9.410-6 has fixed this issue for me on the handful of UTMs I have tested this morning.

I did not have to recreate the authentication server entry either.

Interestingly enough, the latest release 9.411-3 seems to have the same "fix" that was in release 9.410-6 (see snip below taken from 9.411-3 release notes).  Not sure why that is.  Maybe 9.411-3 is an amalgamation of 9.410-6 and a few other bug fixes.  That would seem likely, as my UTM running 9.409-9 doesn't even see 9.410-6 as an update.  I can only upgrade straight to 9.411-3  Anyway, maybe you can try upgrading to see if this release helps?  Please know I don't work for Sophos.  I'm only reporting what I see in the release notes.  Hope this works out for you soon.

Fix [NUTM-6356]: [WebAdmin] AD User Test fails after first creation of an authentication server

Now I finally managed to connect to the authentication server. I'm not sure if this was really the issue but however; this is what I've done:

Our Active Directory Servers are Windows Server 2016 with Security Compliance Manager (SCM) Baselines for Windows Server 2016 Domain Controllers. These baseline policies enforce LDAP server signing (Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Local Policies --> Security Options --> Domain Controller: LDAP server signing requirements - Require signing)

So I changed the authenticaton server in UTM to use SSL and the port to 636. Now I can connect to the authentication server.

@Oliver: You can try with Bind DN as administrator@blue.local instead of CN=BLUE,DC=BLUE,DC=LOCAL

@Oliver: You can try with Bind DN as administrator@blue.local instead of CN=BLUE,DC=BLUE,DC=LOCAL

CORRECTION

@Oliver: You can try with Bind DN as administrator@blue.local instead of CN=ADMINISTRATOR,DC=BLUE,DC=LOCAL

Hi, Asad, and welcome to the UTM Community!  Nice to have another participant from Sophos.

Interesting - do we know when this was added, or has it always worked?

Cheers - Bob

Hello Bob,

Actually it always worked, in case your test connectivity is getting failed with CN=A,DC=B and DC=C you can go to the Windows power shell on the domain controller and run the command as  C:\Users\Administrator> dsquery user

It will show you correct bind DN for each user and you can simply copy and paste the Bind DN into UTM for the required user and it works fine. 

However you can also go with second approach as abc@xyz.local

-Asad

Thanks, Asad - in fact, the dsquery is used in my KnowledgeBase article Configuring HTTP/S proxy access with AD SSO.

Cheers - Bob