I have 17 domain controllers configured in Authentication > Servers.
Under Authentication > Services, all my DCs are selected / active.
I am using STAS on my DCs, and have the client loaded on each one; two of which are collectors and the others agents.
PC authentication seems to work fine, as does VPN authentication via AD.
Early in our deployment we found users getting locked out when trying to log on to the VPN.
After some digging, I determined that the Sophos appliance is attempting to authenticate against each and every DC in the list.
If the user mistypes their password, DC 1 responds that the password is wrong and Sophos moves on to DC 2. DC 2 responds wrong password and Sophos moves on to DC 3. This continues until the lockout threshold is reached and the user's account is locked.
If the wrong password is entered, Sophos should understand this and simply respond to the user 'incorrect password'.
I can understand Sophos trying to authenticate against the DCs sequentially ONLY IF the prior DC is unreachable or does not respond in a timely fashion.
Temporarily I have increased the lockout threshold for my users.
Long term, I have a couple questions:
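The two fail-over policies being contrasted in this post, as an added simulation that is not from the original thread or from Sophos: a toy domain with a domain-wide bad-password counter (real AD forwards bad-password attempts to the PDC emulator, so failures recorded at different DCs accumulate in much the same way) and a function that walks a constructed list of 17 DCs either on every non-OK answer (the behaviour described above) or only when a DC is unreachable (the behaviour the poster expects). All names, the threshold of 5 and the user "alice" are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class AuthResult(Enum):
    OK = "ok"
    BAD_PASSWORD = "bad_password"
    LOCKED = "account_locked"
    UNREACHABLE = "unreachable"


@dataclass
class DomainController:
    name: str
    reachable: bool = True


@dataclass
class Domain:
    """Constructed stand-in for the AD domain: one password per user and a
    single domain-wide bad-password counter, so a failure recorded at any DC
    counts against the same lockout threshold."""
    passwords: dict
    lockout_threshold: int
    bad_count: dict = field(default_factory=dict)

    def try_logon(self, dc: DomainController, user: str, password: str) -> AuthResult:
        if not dc.reachable:
            return AuthResult.UNREACHABLE          # no answer at all
        if self.bad_count.get(user, 0) >= self.lockout_threshold:
            return AuthResult.LOCKED               # definite answer: account locked
        if self.passwords.get(user) == password:
            return AuthResult.OK
        self.bad_count[user] = self.bad_count.get(user, 0) + 1
        return AuthResult.BAD_PASSWORD             # definite answer: wrong password


def authenticate(domain, dcs, user, password, failover_on_bad_password):
    """Walk the configured DC list and return (final_result, servers_tried).

    failover_on_bad_password=True models the observed behaviour: every
    non-OK answer, including a definite 'wrong password', sends the request
    to the next server. False models the expected behaviour: only a server
    that does not answer is skipped; any definite answer ends the walk.
    """
    result = AuthResult.UNREACHABLE
    tried = 0
    for dc in dcs:
        tried += 1
        result = domain.try_logon(dc, user, password)
        if result is AuthResult.OK:
            break
        if result is AuthResult.UNREACHABLE:
            continue
        if not failover_on_bad_password:
            break
    return result, tried


def is_locked(domain, user):
    return domain.bad_count.get(user, 0) >= domain.lockout_threshold


def scenario(failover_on_bad_password, unreachable=()):
    """One mistyped VPN password against 17 DCs with a lockout threshold of 5.
    Returns (result, servers_tried, bad_password_count, locked)."""
    dcs = [DomainController(f"DC{i}", reachable=f"DC{i}" not in unreachable)
           for i in range(1, 18)]
    domain = Domain(passwords={"alice": "correct-horse"}, lockout_threshold=5)
    result, tried = authenticate(domain, dcs, "alice", "typo", failover_on_bad_password)
    return result, tried, domain.bad_count.get("alice", 0), is_locked(domain, "alice")


if __name__ == "__main__":
    print("fail over on every failure:      ", scenario(True))
    print("fail over only when unreachable: ", scenario(False))
    print("DC1 and DC2 down, unreachable-only:", scenario(False, unreachable=("DC1", "DC2")))
```

Under the first policy a single typo walks all 17 servers and trips the threshold on the fifth; under the second, the walk stops at the first DC that actually answers, and it still rides over DCs that are down, which is the fault tolerance the server list is meant to provide.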
Hi Daniel Friedhoff
No, you don't need all of your DCs listed as authentication servers on your XG. STA collectors will need to be added to the XG's list of authentication servers, however STA Agents will not.
Regarding your lockout issue related to failed VPN logins, removing some DC servers from your list will simply result in the XG not checking those servers (less fault tolerance).
For reference regarding setting up fault tolerance for STAS, check out the note here.