

SSO Transparent Authentication "How To"

Hi,

We are having difficulty with client authentication in SSO mode (Single Sign-On) transparent authentication.

I found a "How to" on the Sophos Community site (community.sophos.com/.../123159), but it uses the "Sophos Single Sign-On Client" installed on the workstation. We need to authenticate our Windows AD users without installing any client. Sophos SSO seems to be the way to do that, but I have not been able to make it work. Users from AD are authenticating in the user portal successfully, but SSO is not working properly as we require.

In the latest version it was necessary to insert the firewall into AD, but in the new version I cannot see where to do that, and I do not know if it is necessary.

Thank you for help!



  • Here is the entire configuration in a nutshell. Please undo everything you did with the SSO client. One of the things I like best about the XG firewall SSO is that it never uses or exchanges the users' "password" with the AD at any point in the clientless SSO process.

    1. You need to Integrate the Active Directory with the XG firewall and make sure the integration is successful.
    community.sophos.com/.../123155 (Using SSL for the integration is an optional config; I recommend using the normal config first, and if this document works, try implementing SSL.)

    2. How do you test if the integration is successful? Just log in to http://firewallip:8090 and authenticate with a user, then verify that it succeeds and that the user falls into the correct group in the XG firewall. You can check this under System --> Authentication --> Users.

    3. Follow this document from there on
    community.sophos.com/.../123156

    The only place where you might have a problem is when you start the STAS service: you may see a logon failure. You then need to go to Services, open the properties of the STAS service and, under the Log On tab, re-enter the password.

    Make sure WMI polling is working from the Active Directory server. You can check it from the Advanced tab in the STAS suite, or from the Windows machine itself:

    Start --> Run --> wbemtest.exe --> connect to \\ipofworkstation\root\cimv2 --> Query --> select username from win32_computersystem --> click on the Win32_ComputerSystem=@ (NoKey) result, then Properties; you should see the username.

    Note: WMI must work for STAS to run smoothly, because STAS uses WMI as its log-off mechanism to verify users.

    Please let me know if you still have an issue after this; I can give you further instructions.

    Thanks,
    Kranthi
  • Hey Kranthi,

    I've followed these steps exactly. Everything appears to have installed and started up correctly, no errors. But when I look at my reports I still don't see usernames attached to the web activity. Right now, I am the only "user" who is connected to the XG unit, for set-up purposes.

    I am browsing the web with no errors and I'm not seeing the captive portal at all. But again, I'm not seeing usernames in the reports/logs.

    I have run all of the tests in the STAS against my workstation and all checks out fine with no errors.

    Any other config changes or troubleshooting ideas would be appreciated.

  • Zane -- make sure the XG can reach the STAS service on your domain controllers -- if you have the local Windows Firewall enabled you'll need to add a rule to allow inbound UDP 6677 to the DC for the XG to be able to poll the STAS service.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.
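A PowerShell check that runs the three verifications the replies above describe from the DC's side: the WMI user query against a workstation (the same query the wbemtest walkthrough uses, over DCOM as STAS does), the STAS service state and logon account, and the inbound UDP 6677 Windows Firewall rule. This is an added example, not code from any post in this thread or from Sophos' STAS tooling; it assumes it runs on the DC hosting STAS, and it locates the STAS service by matching its display name against '*STAS*', because the thread does not name the service.

```powershell
# Added troubleshooting script (not part of the thread or of STAS itself).
# Assumptions: run elevated on the DC hosting STAS; the STAS Windows service is
# matched by display name '*STAS*' (the thread does not name it); the XG polls UDP 6677.
param(
    [Parameter(Mandatory)] [string] $Workstation,     # IP or hostname of a logged-on client PC
    [string] $StasDisplayNamePattern = '*STAS*',      # assumption, adjust if your service differs
    [int] $StasPort = 6677                            # port the XG polls on the DC
)

$results = [ordered]@{}

# 1. WMI poll over DCOM, mirroring wbemtest: \\workstation\root\cimv2,
#    "select username from win32_computersystem". STAS relies on this to detect log-offs.
try {
    $dcom    = New-CimSessionOption -Protocol Dcom
    $session = New-CimSession -ComputerName $Workstation -SessionOption $dcom -ErrorAction Stop
    $cs      = Get-CimInstance -CimSession $session -Namespace root\cimv2 -ClassName Win32_ComputerSystem
    $results['WMI user on workstation'] = if ($cs.UserName) { $cs.UserName } else { 'NO USER (nobody logged on)' }
    Remove-CimSession $session
} catch {
    $results['WMI user on workstation'] = "FAILED: $($_.Exception.Message)"
}

# 2. STAS service: is it running, and which account does it log on as? A wrong or
#    expired password for that account is the logon failure the thread mentions.
$svc = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.DisplayName -like $StasDisplayNamePattern }
if ($svc) {
    foreach ($s in $svc) { $results["Service $($s.Name)"] = "$($s.State), logon account $($s.StartName)" }
} else {
    $results['STAS service'] = 'NOT FOUND (check the display name pattern)'
}

# 3. Windows Firewall: an enabled inbound Allow rule for UDP $StasPort must exist,
#    otherwise the XG cannot reach the STAS collector on this DC.
$rule = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'UDP' -and "$($_.LocalPort)" -eq "$StasPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and "$($_.Enabled)" -eq 'True' }
$results["Inbound UDP $StasPort allowed"] = if ($rule) { $rule.DisplayName -join ', ' } else { 'NO RULE (add one or the XG cannot poll STAS)' }

# Print a summary table of the three checks.
$results.GetEnumerator() | ForEach-Object { '{0,-28} : {1}' -f $_.Key, $_.Value }
```

Run it as `.\Check-Stas.ps1 -Workstation 192.0.2.10` (constructed example address); a failure in step 1 typically means WMI/DCOM is blocked on the workstation, which is the case to fix before looking at the XG side.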

