
LDAP/Kerberos for proxy auth - multiple domains

Is it possible to configure SFOS to authenticate different users on different domains?

My work has merged with another company. Network-wise the two are joined. I've successfully added the 2nd domain server and a test connection is successful.

If I try to auth either via the portal or via a Kerberos token, I get rejected as an unknown user.

Is this config even possible or am I wasting my time trying to get it to work?

Cheers

Rich



  • The problematic scenario here is: if there is no trust relationship between both ADs, it will not work, as SFOS (like UTM) can only be joined to one AD realm. You have to build a trust relationship for AD SSO.
    If you want to use another authentication, like Sophos Heartbeat User ID or STAS, this works fine with multiple AD servers.
    Just the AD SSO component will not work, as the authentication daemon used in SFOS is not able to join independent AD realms.

  • Ahh, that makes sense, thanks LuCar Toni. We are in the process of adding the domain trust relationship, so it looks like I'll have to sit tight until that is completed.

    Really appreciate the response, thank you.

  • AD SSO is only supported to a single server. That server then needs to have the appropriate trust relationship to be allowed to authenticate against multiple domains. Kerberos has some other complex requirements that may or may not be met (Service Principal Name); however, NTLM should work.

    Captive Portal will work against multiple servers and I believe STAS does as well.