Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Synchronized User ID and username with domain name not working

I have my XG configured with AD authentication using SSO client. Everything works - each domain user gets what she/he is supose to get. Now when I try to use Synchronized User Id I cannot get it to work. What I see in authentication log is following:

- for SSO client - user name is sent as "samAcconuntName@domain name" which is properly matched to users imported from domain

- for Synchornized User Id - user name is sent as "samAccountName" and XG cannot find such user so authentication fails

My questions is following:

- can I force XG somehow to match "samAccountName" request to user "samAccountName@domain name"

- is there a way to force heartbeat to include domain name as well in packet

 

Pawel



This thread was automatically locked due to age.
Parents Reply Children
  • Hello LuCar,

    we are sadly confronted with the problem with a customer implementation of Synchronize Security ( Security Heartbeat too of course ) with many thousands of users in whose environment. And for many implementation reasons in this environment does not apply that sAMAccountName must be identical to UPN.

    As I mentioned we already have an open support ticket to this problem, so I can send you a ticket number to your PM.

    Regard

    alda

  • Better ping the Case ID to  

    But can you explain to me in more details those implementation reasons? 

    I am just curious, want to expand my knowledge. 

    __________________________________________________________________________________________________________________

  • Hello LuCar,

    I do not know implementation details for this enviroment. We were asked by a customer to implement the Synchronize Security. And for this reason we can not finish our task. In my opinion the problem is not in the XG but in a Central end-point client. This client will accidentally send the UPN name instead of sAMAccountName if these two user attributes are not identical.

    That's all ...

    Regards

    alda

  • You can simply deactivate Synchronized User ID and use an alternative / Pre V17.5 User Authentication until there is a way to work with this feature for this customer. 

    The Point is, Synchronized User ID is not an Security Feature of the Synchronized Security Story. It is just another approach to simplify the authentication. 

    All "Security Features" of Synchronized Security will work without Synchronized User ID. 

    Here is a command "how to deactivate this feature".

    https://community.sophos.com/kb/en-us/133190

    __________________________________________________________________________________________________________________