Synchronized User ID and username with domain name not working

Question

I have my XG configured with AD authentication using SSO client. Everything works - each domain user gets what she/he is supose to get. Now when I try to use Synchronized User Id I cannot get it to work. What I see in authentication log is following: 
 - for SSO client - user name is sent as "samAcconuntName@domain name" which is properly matched to users imported from domain 
 - for Synchornized User Id - user name is sent as "samAccountName" and XG cannot find such user so authentication fails 
 My questions is following: 
 - can I force XG somehow to match "samAccountName" request to user "samAccountName@domain name" 
 - is there a way to force heartbeat to include domain name as well in packet 
 
 Pawel

contact.pl contact.pl · Accepted Answer

After some research and reading access_server logs I found issue. In our AD env we are using multiple UPN prefixes for user authentication. When Endpoint is sending heartbeat message it is using UPN defined in AD account tab. If XG doesn't have this prefix configured under any AD server in field "domain name" request is rejected. 
 My only complain is fact that in log viewer, XG is showing that user was received without any domain while actually reading acces server logs You can see which domain was attached to username in heartbeat message. 
 Pawel

LuCar Toni · Answer

Hi all, 
 
 This limitation should be fixed. 
 I actually could successful test it. 
 
 My Setup:

Basically a user with SAMA as sAMAccountname and UPN as UPN. 
 Hope you can follow me. 
 
 Now login via Windows.

Check the XG:

:)

Manuel Franz1 · Answer

Solution is really create one server for each public domain (UPN suffix). 
 In my case customer has 1 DC and 5 UPNs. 
 Ex. customer has mycompany.prv FQDN domain and company for NetBios Name. Of365 Domains are mycompany.it; yourcompany.eu, dontcare.com. 
 I created DNS CNAME: 
 mycompany.mycompany.prv -> DC Name 
 yourcompany.mycompany.prv -> DC Name 
 dontcare.mycompany.prv -> DC Name 
 .. 
 Than inside XG y ou create your servers as many as your UPNs

LuCar Toni · Answer

In XG, user are unique. Do you have bob as user name, and bob exists in two different ADs, there will be two different bobs in XG (with different UPNs). 
 So basically, XG uses this mechanism, if you do not give a UPN with the authentication (bob and not bob@domain.com). 
 And this mechanism is used in case of Sync-Sec User ID. XG is looking for the UPN defined Server, if this is not existing, the authentication will fail. 
 
 User Portal is quite interesting. User Portal Authentication is placed with the firewall authentication. All mechanism, used by XG firewall like STAS, Sync-sec User ID etc. is used to create the user in context of existing.

This works across all facilities in XG with AD. 
 
 To warp up: 
 You are giving XG only the username, it will try this query with all AD Servers, configured until one will allow this request. 
 You are giving XG UPN (username + domain), it will try only the matching AD server in XG.

LuCar Toni · Answer

Did you create the Server as different DNS Namens in XG? 
 Can XG resolve both DNS to the same server?

Aditya Patel · Answer

Hi Pawel, 
 It will look for user details. In order to acheive this settings the following conditions must be met.. 
 1. The Sophos Central Account must be linked to Sophos XG firewall. 
 2. The XG firewall must be connected to the domain controller for authentication. 
 3. The Users in the Central must have the same Profile. e.g. In the Central account if the user Domain/Username instead of Normal User then their profile must contain the Email address . 
 4. Same Can be said on the local users on Sophos XG , use the Email address same as mentioned in the Central Profile. 
 On the Endpoint you may check the username on the Sophos Endpoint UI> About > Run Diagnostics tool. > System 
 Make sure the email address is the same as the user in both Sophos Central and Sophos XG. At the moment it does seem some improvement is needed to recognise NetBios Name.

LuCar Toni · Answer

This should not happen. As far as i know and saw in my tests, there were no reauthentication. 
 And even if there were any reauthentication, it should not use any kind of other authentication method. But maybe your Client performs something every 30 Minutes, which i do not have? Do you use sleep / idle / power safe etc...

So first of all - all of you should open up a support case, to keep track of your issue. This is important. Maybe there is a bug in the Endpoint version, which i am not aware of. 
 I am not able to help you here in this environment, especially, because authentication will cover sensible data (like passwords etc.). This should not be debugged in a public Community! 
 
 Also this will cause a mess. Nobody can track this issue in a community Thread. So we should be clear about what is going on. 
 Do you have already open up a Case? Did FloSupport Track those cases?

LuCar Toni · Answer

You can simply deactivate Synchronized User ID and use an alternative / Pre V17.5 User Authentication until there is a way to work with this feature for this customer. 
 The Point is, Synchronized User ID is not an Security Feature of the Synchronized Security Story. It is just another approach to simplify the authentication. 
 All "Security Features" of Synchronized Security will work without Synchronized User ID. 
 Here is a command "how to deactivate this feature". 
 https://community.sophos.com/kb/en-us/133190

FloSupport · Answer

Hi Community, 
 To follow up regarding Ste it was related to the known behaviour regarding: "UPN must be identical to sAMAccountName to make the login successful as the sAMAccountName is used by the XG Firewall and not the UPN." 
 Regards,