AD Authentication / STAS

I have 17 domain controllers configured in Authentication > Servers.

Under Authentication > Services, all my DCs are selected / active.

 

I am using STAS on my DCs, and have the client loaded on each one; two of which are collectors and the others agents.

PC authentication seems to work fine, as does VPN authentication via AD.

 

Early in our deployment we found users getting locked out when trying to log on to the VPN.

After some digging, I determined that the Sophos appliance is attempting to authenticate against each and every DC in the list.

 

If the user mistypes their password, DC 1 responds that the password is wrong and Sophos moves on to DC 2. DC 2 responds wrong password and Sophos moves on to DC 3. This continues until the lockout threshold is reached and the users account is locked.

 

If the wrong password is entered, Sophos should understand this and simply respond to the user 'incorrect password'. 

I can understand Sophos trying to authenticate against the DCs sequentially ONLY IF the prior DC is unreachable or does not respond in a timely fashion.

 

Temporarily I have increased the lockout threshold for my users.

Long term, I have a couple questions:

  • Do I REALLY need all my DCs listed in Authentication because they are running STAS?
  • If I do, what adverse affects will I experience if I remove most of them from the authentication method list  (example: Authentication > Services > SSL VPN auth methods) so that I don't have users getting locked out after 1 mistyped password?

 

Thanks.

  • Hi  

    No, you don't need all of your DCs listed as authentication servers on your XG. STA collectors will need to be added to the XG's list of authentication servers, however STA Agents will not. 

    Regarding your lockout issue related to failed VPN logins, removing some DC servers from your list will simply result in the XG not checking those servers (less fault tolerance).

    For reference regarding setting up fault tolerance for STAS, check out the note here.

    Regards,