
Synchronized User ID and username with domain name not working

I have my XG configured with AD authentication using the SSO client. Everything works: each domain user gets what he/she is supposed to get. Now when I try to use Synchronized User ID I cannot get it to work. What I see in the authentication log is the following:

- for the SSO client, the user name is sent as "samAccountName@domain name", which is properly matched to users imported from the domain

- for Synchronized User ID, the user name is sent as "samAccountName" and XG cannot find such a user, so authentication fails

My questions are the following:

- can I somehow force XG to match a "samAccountName" request to the user "samAccountName@domain name"?

- is there a way to force the heartbeat to include the domain name in the packet as well?

Pawel



  • Hi Pawel,

    It will look for user details. To achieve this, the following conditions must be met:

    1. The Sophos Central account must be linked to the Sophos XG firewall.

    2. The XG firewall must be connected to the domain controller for authentication.

    3. The users in Central must have the same profile, e.g. in the Central account, if the user is Domain/Username instead of a normal user, then their profile must contain the email address.

    4. The same can be said of the local users on Sophos XG: use the same email address as mentioned in the Central profile.

    On the Endpoint you may check the username under Sophos Endpoint UI > About > Run Diagnostics tool > System.

    Make sure the email address is the same as the user in both Sophos Central and Sophos XG. At the moment it does seem some improvement is needed to recognise the NetBIOS name.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • Hi Aditya,

    I did a quick check: on the Endpoint (in diagnostics) I see that my user is recognized as "netbios domain\username", in the Central panel the user is also visible as "netbios domain\username", but on Sophos XG that user is created as "username@full domain name" (I am not sure if this can be changed), and probably this is why there is a mismatch when the heartbeat reaches XG. I've checked, and for the SSO client to work I had to configure "full domain name" in the registry settings to make it work correctly. I was hoping that there is a setting in the Endpoint to add "full domain name" to the username transmitted, or to force XG to create the user with the name "netbios domain\username". I will do one test: I will try manually creating a user with the format "netbios domain\username" on XG and I will see if it helps.

    I am just guessing that when a username without domain is received in the heartbeat message, XG doesn't know which domain server/connection to use and that is why it is failing. Maybe there is an option to force XG to use a specific connection when the domain is missing?

    Pawel

  • The Endpoint should send the FQDN (domain.toplevel) + user name.

    This should lead XG to find: A. the correct AD server to serve this login request, B. the correct username in XG.

    XG will map the name with the correct FQDN.

    Basically the request will be:

    User + test.local

    XG will look for an AD for test.local. It will take user@test.local and try to authenticate it against this AD server.

     

    https://community.sophos.com/kb/en-us/133190

     

    PS: I know for sure this is how it works, because there was an issue back in the days: the Endpoint did not send the FQDN, only the NetBIOS name. So basically after changing the AD from FQDN to NetBIOS, Sync HB worked, only with user@test (which breaks other stuff... But now it works fine with FQDN).

    So the conclusion is, something is going wrong in this process.

    Saw a couple of customers already running this smoothly.

    But sometimes, HB user ID did not work, because there were a couple of "mismatches" between the sAMAccountName and AD objects etc.
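    The mapping described in this reply (Endpoint sends user + FQDN, the firewall finds the AD server for that domain and authenticates user@fqdn) and the failure the thread is about (a bare samAccountName arriving with no domain) can be modelled with a small resolver. The code below is an added illustration and is not Sophos code; the domain table, server names and the rule that a bare name can only be resolved when a single AD server is configured are assumptions of this example, not documented firewall behaviour. It also runs a consistency check across the three places where the thread found the name written differently (Endpoint, Central, firewall).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: AD servers keyed by DNS domain (FQDN), each with
# the NetBIOS name of that domain. Not taken from any real configuration.
AD_SERVERS = {
    "test.local": {"netbios": "TEST", "server": "dc1.test.local"},
    "corp.example": {"netbios": "CORP", "server": "dc1.corp.example"},
}

# The three on-the-wire spellings seen in the thread.
_UPN = re.compile(r"^(?P<sam>[^@\\]+)@(?P<domain>[^@\\]+)$")       # user@fqdn
_DOWNLEVEL = re.compile(r"^(?P<domain>[^@\\]+)\\(?P<sam>[^@\\]+)$")  # NETBIOS\user
_BARE = re.compile(r"^(?P<sam>[^@\\]+)$")                             # user


@dataclass(frozen=True)
class Identity:
    sam: str
    domain: Optional[str]   # FQDN, NetBIOS name, or None when the sender gave none
    form: str               # "upn", "downlevel" or "bare"


def parse_identity(raw: str) -> Identity:
    """Classify a raw login name into one of the three forms above."""
    raw = raw.strip()
    if m := _UPN.match(raw):
        return Identity(m["sam"].lower(), m["domain"].lower(), "upn")
    if m := _DOWNLEVEL.match(raw):
        return Identity(m["sam"].lower(), m["domain"].upper(), "downlevel")
    if m := _BARE.match(raw):
        return Identity(m["sam"].lower(), None, "bare")
    raise ValueError(f"unrecognised login name: {raw!r}")


def resolve(raw: str, servers: Dict[str, dict]) -> Tuple[Optional[str], str]:
    """Map a raw login name to (user@fqdn, detail).

    user@fqdn is None when the name cannot be tied to exactly one configured
    AD server; detail then explains why (this is the heartbeat failure case).
    """
    ident = parse_identity(raw)
    if ident.form == "upn":
        if ident.domain in servers:
            return f"{ident.sam}@{ident.domain}", servers[ident.domain]["server"]
        return None, f"no AD server configured for {ident.domain}"
    if ident.form == "downlevel":
        matches = [f for f, cfg in servers.items() if cfg["netbios"] == ident.domain]
        if len(matches) == 1:
            return f"{ident.sam}@{matches[0]}", servers[matches[0]]["server"]
        return None, f"NetBIOS name {ident.domain} is not mapped to a configured AD server"
    # Bare sAMAccountName: assumption of this example is that it is only
    # resolvable when exactly one AD server exists; otherwise it is ambiguous.
    if len(servers) == 1:
        fqdn = next(iter(servers))
        return f"{ident.sam}@{fqdn}", servers[fqdn]["server"]
    return None, "bare samAccountName is ambiguous across multiple domains"


def check_consistency(names: Dict[str, str], servers: Dict[str, dict]) -> List[str]:
    """names maps a component label (endpoint, central, firewall, ...) to the
    login name as that component reports it. Returns a list of problems;
    an empty list means every component resolves to the same user@fqdn."""
    problems: List[str] = []
    resolved: Dict[str, Optional[str]] = {}
    for label, raw in names.items():
        upn, detail = resolve(raw, servers)
        if upn is None:
            problems.append(f"{label}: {raw!r} unresolvable ({detail})")
        resolved[label] = upn
    distinct = {u for u in resolved.values() if u is not None}
    if len(distinct) > 1:
        problems.append("components resolve to different users: " + ", ".join(sorted(distinct)))
    return problems


if __name__ == "__main__":
    # The situation from the thread: Endpoint and Central show NETBIOS\user,
    # the firewall stores user@fqdn, the heartbeat sends only the bare name.
    seen = {"endpoint": "TEST\\pawel", "central": "TEST\\pawel",
            "firewall": "pawel@test.local", "heartbeat": "pawel"}
    for line in check_consistency(seen, AD_SERVERS) or ["all components agree"]:
        print(line)
```

    With two AD servers configured the bare heartbeat name is reported as unresolvable while the other three spellings agree, which is exactly the asymmetry the original post describes between the SSO client and Synchronized User ID; with a single server the same bare name resolves cleanly.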

  • Exactly the same here.

    I also tried editing the user in Sophos Central from DOMAIN\username to username@domain, but it still only works the first time. After 30 minutes it fails again.

    We have previously used SSO without any issues.

  • Central and all users in Central should NOT be involved in this process.

    Just to be clear, I do not think  has the same issue as you guys.

    In this case, it seems to work for 30 minutes and afterwards "something" happens in the HB and logs the client out. It seems like other authentication methods are also in place.

     cannot use the HB User ID at all. Please do not start to mix up those issues.

    --------------------------------------

    We should try to find a pattern in those issues...

    I think both of you mentioned already that you are also using the SSO client, correct?

    Is the SSO client still in place? Is it still "used" by all your clients? Do you still have the logon script working?

  • Is this reauthentication after 30 minutes normal behavior? It is exactly when this reauthentication happens that the username is sent without the "@domain" suffix and it fails.

    I don't use any other authentication methods except HB. When it stops working I just use WebClient auth to continue working without restarting the computer.

  • This should not happen. As far as I know and saw in my tests, there was no reauthentication.

    And even if there were any reauthentication, it should not use any other kind of authentication method. But maybe your client performs something every 30 minutes which I do not have? Do you use sleep / idle / power save etc.?

    So first of all, all of you should open a support case to keep track of your issue. This is important. Maybe there is a bug in the Endpoint version which I am not aware of.

    I am not able to help you here in this environment, especially because authentication will involve sensitive data (like passwords etc.). This should not be debugged in a public community!

    Also, this will cause a mess. Nobody can track this issue in a community thread. So we should be clear about what is going on.

    Have you already opened a case? Did  track those cases?

  • I opened case #8499307 a few weeks ago, but then, after a few exchanged e-mails, I stopped receiving any replies from support.

    It doesn't use a different authentication method while reauthenticating; it just strips the "@domain" from the username.

    The reauthentication after 30 minutes happens on multiple computers with different user accounts during normal work, so power saver/sleep/idle has nothing to do with this issue.

  • Hi  

    Thanks for sharing your case ID with us. I have located it and will follow up accordingly.

    Please don't hesitate to reach out to me via PM if you have any further questions regarding your support case.

    Best,


    Florentino
    Director, Global Community & Digital Support
