
Member of Active Directory Protected Users Group: No Webadmin login possible

Hi there,

I found a four-year-old entry here in the forums where somebody asked why a member of the Protected Users group in Active Directory is not able to log in to the webadmin of the Sophos XG. This issue still seems to exist.

The Protected Users group has been a safety measure since Windows Server 2012, into which you can put accounts with higher privileges. It ensures that safer settings regarding AD authentication are set for these accounts (for example, no NTLM for such users).

We would like to use AD accounts to log in as admins to the Sophos, but as long as such users are protected, you receive an error message on the webgui that the credentials are wrong. On the domain controller, the following error is logged:

"NTLM authentication failed because the account was a member of the Protected User group."

Why is that? The firewall is configured for NTLM & Kerberos, so Kerberos auth should be possible. I also confirmed that I find "Kerberos authentication initialized successfully with XXX" in the logs.

Does anyone have an idea or tip for us (except creating a dedicated local admin account or a dedicated unprotected admin account for that reason, of course)?

Thanks and best regards

Juergen Walterscheidt


