Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Synchronized User ID and username with domain name not working

I have my XG configured with AD authentication using SSO client. Everything works - each domain user gets what she/he is supose to get. Now when I try to use Synchronized User Id I cannot get it to work. What I see in authentication log is following:

- for SSO client - user name is sent as "samAcconuntName@domain name" which is properly matched to users imported from domain

- for Synchornized User Id - user name is sent as "samAccountName" and XG cannot find such user so authentication fails

My questions is following:

- can I force XG somehow to match "samAccountName" request to user "samAccountName@domain name"

- is there a way to force heartbeat to include domain name as well in packet

 

Pawel



This thread was automatically locked due to age.
  • Is this reauthentication after 30 minutes normal behavior? Just when this reauthentication happens the username is sent without "@domain" suffix and it fails.

    I don't use any other authentication methods except HB. Just when it stops working I will use WebClient auth to continue working and not restarting the computer.

  • This should not happen. As far as i know and saw in my tests, there were no reauthentication. 

    And even if there were any reauthentication, it should not use any kind of other authentication method. But maybe your Client performs something every 30 Minutes, which i do not have? Do you use sleep / idle / power safe etc...

     

     

    So first of all - all of you should open up a support case, to keep track of your issue. This is important. Maybe there is a bug in the Endpoint version, which i am not aware of. 

    I am not able to help you here in this environment, especially, because authentication will cover sensible data (like passwords etc.). This should not be debugged in a public Community! 

     

    Also this will cause a mess. Nobody can track this issue in a community Thread. So we should be clear about what is going on. 

    Do you have already open up a Case? Did  Track those cases? 

    __________________________________________________________________________________________________________________

  • I opened a case #8499307 few weeks ago, but then, after few exchanged e-mails I stoped receiving any replies from support.

    It doesn't use different authentication method while reauthentication, it just strips the "@domain" from the username.

    The reauthentication after 30 minutes happens on multiple computers with different user accounts while normal work, so the power saver/sleep/idle has nothing to do with this issue

  • Hi  

    Thanks for sharing your case ID with us. I have located it and will follow up accordingly.

    Please don't hesitate to reach out to me via PM if you had any further questions regarding your support case.

    Best,


    Florentino
    Director, Global Community & Digital Support

    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the 'Verify Answer' button.
    The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
  • After some research and reading access_server logs I found issue. In our AD env we are using multiple UPN prefixes for user authentication. When Endpoint is sending heartbeat message it is using UPN defined in AD account tab. If XG doesn't have this prefix configured under any AD server in field "domain name" request is rejected.

    My only complain is fact that in log viewer, XG is showing that user was received without any domain while actually reading acces server logs You can see which domain was attached to username in heartbeat message.

    Pawel 

  • Yes, exactly. My problem was also caused by this.

  • Hello Michal,

    we have found that sAMAccountName have to be identical to UPN to make the login user successful. We have opened for this case a ticket at the Sophos support. In our opinion, this is an implementation error, because sAMAccountName may not always be identical to UPN name.

    You could check it in your MS AD - User Properties - Attribute Editor ( should be enabled Advanced Features in View submenu).

    Regards

    alda

  • (I am no Windows / AD Guru, so please be careful with this knowledge).

    Already mentioned this early, we are using the SAMAccountname for User ID. XG is checking against the SAMAccountname and looking in AD for it. Not the UPN. 

    https://community.sophos.com/products/xg-firewall/f/authentication/109740/v17-5-user-sync-with-sophos-central-edr-eap-no-users-listed-in-live-users-view#pi2151=1

     

     

    And i saw some special customers with this setup, but nobody could explain to me the reason between different UPN to SAMAccountnames in their AD. There was some kind of surname.name@domain.com as UPN but the SAMAccountname was domain\name, which is pretty unique. Seems like this is some "Historical grown environment". 

    https://serverfault.com/questions/928115/user-principal-name-vs-sam-account-name

    https://docs.microsoft.com/de-de/windows/desktop/AD/naming-properties

     

    __________________________________________________________________________________________________________________

  • Hello LuCar,

    we are sadly confronted with the problem with a customer implementation of Synchronize Security ( Security Heartbeat too of course ) with many thousands of users in whose environment. And for many implementation reasons in this environment does not apply that sAMAccountName must be identical to UPN.

    As I mentioned we already have an open support ticket to this problem, so I can send you a ticket number to your PM.

    Regard

    alda

  • Better ping the Case ID to  

    But can you explain to me in more details those implementation reasons? 

    I am just curious, want to expand my knowledge. 

    __________________________________________________________________________________________________________________