
Sophos SG: OTP doesn't work with WAF, OTP with Userportal works well

Hello, I configured OTP to protect Exchange 2016 OWA and ECP. OTP works well for the User Portal (login with username / password + PIN).

But if I open ECP or OWA I get the logon screen. Now I cannot log in with username / password + PIN, but if I use only username / password (WITHOUT PIN!) I can log on.

What is the problem?!? It seems that the SG doesn't add the PIN when comparing the password?!?


My configuration (sorry, it is in German, but the screenshots are in English): https://www.leibling.de/owa-und-ecp-mit-sophos-per-2fa-bzw-otp-zusaetzlich-schuetzen/

OTP based on: https://networkguy.de/?p=996

WAF based on: https://networkguy.de/?p=998 and https://www.frankysweb.de/sophos-utm-9-4-waf-und-exchange-2016/

Sophos SG is a Home License, version 9.601-5; in front of the WAN is a cable router (transit network 192.168.178.0/24, Sophos is the exposed host).

Is any other information required to help?


Thanks a lot for your help and have a nice weekend :).



  • If PIN is not required, the login may not be coming from UTM.

    You either have an OTP exception (check the OTP scope settings), or UTM is already logged in but Exchange did not get the Basic Authentication autologin.

  • Hello DouglasFoster, thanks for your fast reply.

    I changed the authentication to Basic Auth on IIS and rebooted the server.

    Then I opened my OWA address in my web browser and got the OTP login form. I entered my username and password + PIN into the field and tried to log on, but got a logon error (from the Sophos login form). Then I tried only username and password (without PIN!); then I got the OWA login form (I'm not logged in directly) and had to log in again.

    Now there are more questions:

    a) After logging in via the OTP login, do I have to log on a second time?

    b) What do you mean by OTP scope; where can I find or configure it?

    c) What is the problem; why doesn't it work with password + PIN?!?

    Thanks a lot for your help :).

  • If I understand correctly:

    • UTM is logging in as expected.
    • The website login is still appearing.

    Either UTM is not passing the Basic Authentication, or there is a problem with what it is passing.

    You need to configure a Reverse Authentication object that enables Basic Authentication. Then you need to apply that Reverse Authentication object to each Site Path Routing object where it is appropriate.

    If this is configured but not working, you may need to enable the affix option (prefix or suffix), so that UTM passes the username in the format specified by your website or web application.
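To make the reverse-authentication flow described above concrete, here is an added Python model (not Sophos code, and not from any post in this thread) of what the proxy has to do: take the user's password + PIN from the login, verify the trailing PIN as a TOTP code, and forward to the backend a Basic Authorization header that carries only the password and the username with the configured affix. The secret, PIN length, 30-second step and `CONTOSO\` prefix are constructed sample values and an assumption about how the UTM splits the field.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo values (RFC 6238 test secret); not taken from the thread.
DEMO_SECRET = b"12345678901234567890"
PIN_DIGITS = 6
STEP = 30

def totp(secret: bytes, for_time: int, digits: int = PIN_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a given Unix time."""
    counter = struct.pack(">Q", for_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def make_basic(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header: str):
    """Return (user, password) from a Basic Authorization header value."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic auth")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password

def split_password_pin(combined: str):
    """Assumed UTM convention: the OTP PIN is the trailing digits of the password field."""
    if len(combined) <= PIN_DIGITS or not combined[-PIN_DIGITS:].isdigit():
        raise ValueError("no PIN appended to password")
    return combined[:-PIN_DIGITS], combined[-PIN_DIGITS:]

def reverse_auth(header: str, secret: bytes, now: int, prefix: str = "") -> str:
    """Validate password+PIN at the proxy and return the header to forward to the backend:
    password without the PIN, username with the affix the backend expects."""
    user, combined = parse_basic(header)
    password, pin = split_password_pin(combined)
    # Accept the current and the previous time step to tolerate small clock skew.
    ok = any(hmac.compare_digest(pin, totp(secret, now - d)) for d in (0, STEP))
    if not ok:
        raise PermissionError("OTP check failed")
    return make_basic(f"{prefix}{user}", password)
```

If the PIN is not stripped before the header is forwarded, the backend sees `Secret!287082` as the password and rejects it, which is the symptom reported in this thread.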

  • OK, one (big!) step forward :).

    Now I can log in with my username / password + PIN, but the problem is not solved; the login to OWA doesn't work. But I'm very near the solution.

    I think something is wrong with the Basic Auth or the username.

    I will try your tips.