Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Synchronized User ID and username with domain name not working

I have my XG configured with AD authentication using SSO client. Everything works - each domain user gets what she/he is supose to get. Now when I try to use Synchronized User Id I cannot get it to work. What I see in authentication log is following:

- for SSO client - user name is sent as "samAcconuntName@domain name" which is properly matched to users imported from domain

- for Synchornized User Id - user name is sent as "samAccountName" and XG cannot find such user so authentication fails

My questions is following:

- can I force XG somehow to match "samAccountName" request to user "samAccountName@domain name"

- is there a way to force heartbeat to include domain name as well in packet

 

Pawel



This thread was automatically locked due to age.
Parents
  • After some research and reading access_server logs I found issue. In our AD env we are using multiple UPN prefixes for user authentication. When Endpoint is sending heartbeat message it is using UPN defined in AD account tab. If XG doesn't have this prefix configured under any AD server in field "domain name" request is rejected.

    My only complain is fact that in log viewer, XG is showing that user was received without any domain while actually reading acces server logs You can see which domain was attached to username in heartbeat message.

    Pawel 

  • Yes, exactly. My problem was also caused by this.

  • Hello Michal,

    we have found that sAMAccountName have to be identical to UPN to make the login user successful. We have opened for this case a ticket at the Sophos support. In our opinion, this is an implementation error, because sAMAccountName may not always be identical to UPN name.

    You could check it in your MS AD - User Properties - Attribute Editor ( should be enabled Advanced Features in View submenu).

    Regards

    alda

Reply
  • Hello Michal,

    we have found that sAMAccountName have to be identical to UPN to make the login user successful. We have opened for this case a ticket at the Sophos support. In our opinion, this is an implementation error, because sAMAccountName may not always be identical to UPN name.

    You could check it in your MS AD - User Properties - Attribute Editor ( should be enabled Advanced Features in View submenu).

    Regards

    alda

Children