Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
We'd love to hear about it! Click here to go to the product suggestion community
I have my XG configured with AD authentication using SSO client. Everything works - each domain user gets what she/he is supose to get. Now when I try to use Synchronized User Id I cannot get it to work. What I see in authentication log is following:
- for SSO client - user name is sent as "samAcconuntName@domain name" which is properly matched to users imported from domain
- for Synchornized User Id - user name is sent as "samAccountName" and XG cannot find such user so authentication fails
My questions is following:
- can I force XG somehow to match "samAccountName" request to user "samAccountName@domain name"
- is there a way to force heartbeat to include domain name as well in packet
I have similar issue.
I posted this also to another thread yesterday:
I am using XG v17.5 with Intercept-X EAP and I have setup heartbeat, but it is acting a little bit strange.
First of all, when I log into my computer with credentials DOMAIN\username, the heartbeat authentication doesn't work at all and in XG authentication logs I can see "username" failed to login because of wrong credentials. There is no mention of DOMAIN anywhere in that log.
When I log into computer with credentials username@domain, heartbeat authetication works, at least for the first 30 minutes (the credentials in logs are also in format username@domain). Everytime after 30 minutes after the first login the heartbeat fails and in the logs I see credentials just stating "username" with no domain failed to login because of wrong credentials. This also happen when I disconnect/reconnect the computer from the network.
In reply to Michal Bartos:
Thanks - it looks like it is eaxactly same issue - I am not sure if this is Endpoint issue or something that can be fixed on XG level
In reply to contact.pl contact.pl:
Yes, exactly same. I also opened a web support query in mid December but after few exchanged e-mails I didn't get any further reply from the support team. But I think this is an Endpoint issue.
It will look for user details. In order to acheive this settings the following conditions must be met..
1. The Sophos Central Account must be linked to Sophos XG firewall.
2. The XG firewall must be connected to the domain controller for authentication.
3. The Users in the Central must have the same Profile. e.g. In the Central account if the user Domain/Username instead of Normal User then their profile must contain the Email address .
4. Same Can be said on the local users on Sophos XG , use the Email address same as mentioned in the Central Profile.
On the Endpoint you may check the username on the Sophos Endpoint UI> About > Run Diagnostics tool. > System
Make sure the email address is the same as the user in both Sophos Central and Sophos XG. At the moment it does seem some improvement is needed to recognise NetBios Name.
In reply to Aditya Patel:
I've tried everything, still the reauthentication after 30 minutes will fail and in the logs on XG the username is stated without domain.
in the logs on XG the username is stated without domain. - same for me
I did quick check - on Endpoint (in diagnostics) I see that my user is recognized as "netbios domain\username", in Central panel user is also visible as "netbios domain\username" but on Sophos XG that user is created as "username@full domain name" (I am not sure if this can be changed) and probably this is why there is a mismatch when heartbeat is reaching XG. I've check and for SSO client to work I had to configure "full domain name" in registry settings to make it work correctly. I was hoping that there is a setting in Endpoint to add "full domain name" to username trasmited or to force XG to create user with name "netbios domain\username". I will do one test - I will try manuall creating user with format "netbios domain\username" on XG and I will see if it helps.
I am just guessing that when username without domain is received in heartbeat message, XG doesn't know which domain server/connection to use and that is why it is failing. Maybe there is an option to force XG to use specific connection when domain is missing?
Endpoint should send the FQDN (domain.toplevel) + user name.
This should lead XG to find: A. the correct AD server to serve this login request, B. the correct Username in XG.
XG will map the Name with the correct FQDN.
Basically the request will be:
User + test.local
XG will look for a AD for test.local. Will take email@example.com and try to authenticate it against this AD server.
PS: I know for sure, this is how it works, because there was an issue back in the days, the Endpoint did not send the FQDN, instead only Netbios. So basically after changing the AD from FQND to netbios, Sync Hb worked, only with user@test (which breaks other stuff... But now it works fine with FQDN).
So the conclusion is, something is going wrong in this process.
Saw couple of customer already running this smoothly.
But sometimes, HB user ID did not work, because there were couple of "missmatches" between SAMAccountname and AD Objects etc.
Exactly the same here.
I also tried editing the user in Sophos Central from DOMAIN\username to username@domain, but still it only works for the first time. After 30 minutes it fails again.
We have previously used SSO without any issues.
Central and all users in Central, should NOT be involved in this process.
Just to be clear. I do not think Paul Digby has the same issue like you guys.
In this Case, it seems to work for 30 Minutes and afterwards "Something" happens in the HB and logs the client out. Seems like other authentication methodes are also in place.
Paul Digby cannot use the HB User ID at all. Please do not start to mix up those issues.
We should try to find an pattern in those issues...
I think both of you mentioned already, that you are also using SSO Client, correct?
Is the SSO Client still in place? Is it still "used" by all your clients? Do you still have the logon script worked?
In reply to LuCar Toni:
Is this reauthentication after 30 minutes normal behavior? Just when this reauthentication happens the username is sent without "@domain" suffix and it fails.
I don't use any other authentication methods except HB. Just when it stops working I will use WebClient auth to continue working and not restarting the computer.
This should not happen. As far as i know and saw in my tests, there were no reauthentication.
And even if there were any reauthentication, it should not use any kind of other authentication method. But maybe your Client performs something every 30 Minutes, which i do not have? Do you use sleep / idle / power safe etc...
So first of all - all of you should open up a support case, to keep track of your issue. This is important. Maybe there is a bug in the Endpoint version, which i am not aware of.
I am not able to help you here in this environment, especially, because authentication will cover sensible data (like passwords etc.). This should not be debugged in a public Community!
Also this will cause a mess. Nobody can track this issue in a community Thread. So we should be clear about what is going on.
Do you have already open up a Case? Did FloSupport Track those cases?
I opened a case #8499307 few weeks ago, but then, after few exchanged e-mails I stoped receiving any replies from support.
It doesn't use different authentication method while reauthentication, it just strips the "@domain" from the username.
The reauthentication after 30 minutes happens on multiple computers with different user accounts while normal work, so the power saver/sleep/idle has nothing to do with this issue
Hi Michal Bartos
Thanks for sharing your case ID with us. I have located it and will follow up accordingly.
Please don't hesitate to reach out to me via PM if you had any further questions regarding your support case.
After some research and reading access_server logs I found issue. In our AD env we are using multiple UPN prefixes for user authentication. When Endpoint is sending heartbeat message it is using UPN defined in AD account tab. If XG doesn't have this prefix configured under any AD server in field "domain name" request is rejected.
My only complain is fact that in log viewer, XG is showing that user was received without any domain while actually reading acces server logs You can see which domain was attached to username in heartbeat message.