
[Bug?] Sophos UTM forgets Bind DN password

Hello. I have the strangest problem with our UTM (9.408-4): it does not save the password to bind to LDAP. If I enter the right password and test, everything is fine; but if I save and come back, I get the message "Error: Server exists and accepts connections, but bind to ldap://1.2.3.4:389 failed with this BindDN and password."

I can re-enter the password and it will work again, but not after saving. As I have about 20 server entries, this is very annoying whenever I need to test VPN authentication. Quid?

 

Edit: This does not happen on my older Sophos UTMs (9.407-3), only on those updated to 9.408-4, so I am assuming this is a bug in the latest build.



  • This is still an issue for me on 9.409-9

    Even after deleting and recreating the Active Directory entry in Authentication Services > Servers.

  • Do you use a dedicated AD user for authentication requests against the AD?

    Is the user perhaps blocked in AD?

    What happens when you use domain-admin credentials?

    Regards,

    Thorsten

  • Same problem here. Version 9.409-9 and re-adding the server changes nothing.

  • Firmware version 9.410-6 was very recently released.  In the release notes, one of the bug fixes (see snip below) may resolve this problem.  Maybe someone from Sophos can confirm?

     

    Fix [NUTM-6356]: [WebAdmin] AD User Test fails after first creation of an authentication server

    -------------------------------

    Interesting [in-ter-uh-sting, -truh-sting, -tuh-res-ting]

    A word typically used by IT technicians to describe an issue they didn't expect, or never encountered, and don't know how to fix.

  • Updated to 9.410-6. Problem is still unsolved.

    It's quite annoying since we have plenty of users remotely connecting from outside. Now I had to create a local login inside the UTM for every user instead of using the AD users, plus guiding every user through the process of downloading and installing the remote connection tool again.

  • I can confirm that 9.410-6 has fixed this issue for me on the handful of UTMs I have tested this morning.

    I did not have to recreate the authentication server entry either.

  • Interestingly enough, the latest release 9.411-3 seems to have the same "fix" that was in release 9.410-6 (see snip below taken from 9.411-3 release notes). Not sure why that is. Maybe 9.411-3 is an amalgamation of 9.410-6 and a few other bug fixes. That would seem likely, as my UTM running 9.409-9 doesn't even see 9.410-6 as an update. I can only upgrade straight to 9.411-3. Anyway, maybe you can try upgrading to see if this release helps? Please know I don't work for Sophos. I'm only reporting what I see in the release notes. Hope this works out for you soon.

    Fix [NUTM-6356]: [WebAdmin] AD User Test fails after first creation of an authentication server


  • Now I finally managed to connect to the authentication server. I'm not sure if this was really the issue, but anyway, this is what I've done:

    Our Active Directory Servers are Windows Server 2016 with Security Compliance Manager (SCM) Baselines for Windows Server 2016 Domain Controllers. These baseline policies enforce LDAP server signing (Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Local Policies --> Security Options --> Domain Controller: LDAP server signing requirements - Require signing)

    So I changed the authentication server in UTM to use SSL and the port to 636. Now I can connect to the authentication server.

  • @Oliver: You can try with Bind DN as administrator@blue.local instead of CN=BLUE,DC=BLUE,DC=LOCAL

    -Asad

  • CORRECTION

    @Oliver: You can try with Bind DN as administrator@blue.local instead of CN=ADMINISTRATOR,DC=BLUE,DC=LOCAL

    -Asad

  • Hi, Asad, and welcome to the UTM Community!  Nice to have another participant from Sophos.

    Interesting - do we know when this was added, or has it always worked?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    Actually, it has always worked. In case your connectivity test fails with CN=A,DC=B,DC=C, you can go to Windows PowerShell on the domain controller and run the command as  C:\Users\Administrator> dsquery user

    It will show you the correct bind DN for each user, and you can simply copy and paste the Bind DN into UTM for the required user and it works fine.

    However, you can also go with the second approach, as abc@xyz.local

    -Asad

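Two things in this thread are worth checking outside the UTM, because the WebAdmin test collapses every failure into "bind ... failed with this BindDN and password": the LDAP-signing post above (a DC with "Require signing" refuses a plain simple bind on 389, while the same bind over LDAPS on 636 works) and Asad's advice on the Bind DN form (the DN that `dsquery user` prints, or user@domain). The script below is an added example by the editor, not code from the thread, from Sophos or from Microsoft. It uses only the Python standard library and assumes a domain blue.local, a constructed `dsquery user` listing and constructed BindResponse messages (the diagnostic text is illustrative); `simple_bind` needs a reachable DC and is not exercised offline.

```python
import re
import socket
import ssl
from typing import List, Optional, Tuple

RESULT_NAMES = {0: "success", 8: "strongerAuthRequired", 49: "invalidCredentials"}  # RFC 4511

def ber_len(n: int) -> bytes:  # BER length octets: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def bind_request(msg_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.
    AD accepts a full DN or a UPN (user@blue.local) as `name`."""
    op = ber(0x60,                                   # [APPLICATION 0] BindRequest
             ber(0x02, b"\x03")                      # version INTEGER 3
             + ber(0x04, name.encode("utf-8"))       # name LDAPDN
             + ber(0x80, password.encode("utf-8")))  # authentication: simple [0]
    return ber(0x30, ber(0x02, bytes([msg_id])) + op)

def tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Decode one BER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_response(msg: bytes) -> Tuple[int, str, str]:
    """Return (resultCode, its name, diagnosticMessage) from a BindResponse."""
    tag, body, _ = tlv(msg)
    if tag != 0x30:                                  # LDAPMessage is a SEQUENCE
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = tlv(body)
    op, resp, _ = tlv(body, pos)
    if op != 0x61:                                   # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = tlv(resp)                         # resultCode ENUMERATED
    _, _matched, pos = tlv(resp, pos)                # matchedDN
    _, diag, _ = tlv(resp, pos)                      # diagnosticMessage
    rc = int.from_bytes(code, "big")
    return rc, RESULT_NAMES.get(rc, "other"), diag.decode("utf-8", "replace")

def simple_bind(host: str, port: int, name: str, password: str,
                use_tls: bool, cafile: Optional[str] = None) -> Tuple[int, str, str]:
    """Live bind test (needs a reachable DC): 389 plain, or 636 with TLS as the
    UTM does with SSL enabled. The DC certificate is verified against `cafile`."""
    sock = socket.create_connection((host, port), timeout=5)
    if use_tls:
        sock = ssl.create_default_context(cafile=cafile).wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, name, password))
        return parse_bind_response(sock.recv(4096))

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN on unescaped commas into (attr, value) pairs (handles the \\, escape)."""
    rdns = re.split(r"(?<!\\),", dn)
    return [(a.strip().lower(), v.strip().replace("\\,", ",")) for a, _, v in (r.partition("=") for r in rdns)]

def dsquery_dns(output: str) -> List[str]:
    """`dsquery user` prints one double-quoted DN per line."""
    return [l.strip().strip('"') for l in output.splitlines() if l.strip()]

def bind_dn_from_dsquery(output: str, cn: str) -> Optional[str]:
    """The DN whose leading RDN is CN=<cn>: paste this into the UTM Bind DN field."""
    for dn in dsquery_dns(output):
        attr, value = parse_dn(dn)[0]
        if attr == "cn" and value.lower() == cn.lower():
            return dn
    return None

def dn_is_listed(candidate: str, output: str) -> bool:
    """Case-insensitive, RDN-by-RDN check of a hand-typed Bind DN against dsquery."""
    norm = lambda d: [(a, v.lower()) for a, v in parse_dn(d)]
    return any(norm(candidate) == norm(dn) for dn in dsquery_dns(output))

def upn_from_dn(dn: str, sam: str) -> str:
    """AD also accepts sAMAccountName@dns-domain; the domain is the DC= components."""
    return f"{sam}@" + ".".join(v for a, v in parse_dn(dn) if a == "dc")

# Constructed samples (assumed domain blue.local; not data from the thread).
DSQUERY_SAMPLE = '''"CN=Administrator,CN=Users,DC=blue,DC=local"
"CN=svc-utm-bind,OU=Service Accounts,DC=blue,DC=local"
"CN=Smith\\, John,OU=Staff,DC=blue,DC=local"
'''
SAMPLE_SIGNING_REJECT = ber(0x30, ber(0x02, b"\x01") + ber(0x61, ber(0x0A, b"\x08") + ber(0x04, b"")
    + ber(0x04, b"The server requires binds to turn on integrity checking if SSL\\TLS are off.")))
SAMPLE_OK = ber(0x30, ber(0x02, b"\x01") + ber(0x61, ber(0x0A, b"\x00") + ber(0x04, b"") + ber(0x04, b"")))

if __name__ == "__main__":
    dn = bind_dn_from_dsquery(DSQUERY_SAMPLE, "Administrator")
    print(dn, upn_from_dn(dn, "administrator"), dn_is_listed("CN=ADMINISTRATOR,DC=BLUE,DC=LOCAL", DSQUERY_SAMPLE))
    print(parse_bind_response(SAMPLE_SIGNING_REJECT))
    # live: simple_bind("dc1.blue.local", 636, "administrator@blue.local", "secret", True, "ad-ca.pem")
```

The raw resultCode is what the UTM message hides: 8 (strongerAuthRequired) on port 389 means the DC enforces signing and the fix is SSL on 636, as in the post above; 49 (invalidCredentials) means the DN or password is wrong, and `dn_is_listed` shows why a hand-typed CN=ADMINISTRATOR,DC=BLUE,DC=LOCAL fails while the dsquery DN (with its CN=Users container) or the UPN form works. Keep certificate verification on for the LDAPS test by passing the issuing CA as `cafile` rather than disabling it; a bind test that skips verification would also pass against a spoofed DC.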
