Lots of posts about this. Here is an example.
AD SSO - Cannot establish NTLM authentication channel with xxx
Seems like the recommendation is to disable AD SSO in all zones. But what if we want SSO so we can log user web traffic?
Why might we want to use NTLM? It is insecure.
Here's the doc for configuring...
https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/WebAuthentication/AuthenticationADSSO/index.html#set-primary-authentication-method
Sophos does not provide a way to use Kerberos only.
This article describes removing the firewall from AD and re-authenticating the firewall.
https://www.mpca.solutions/wp/knowledgebase/topic/ad-sso-cannot-establish-ntlm-authentication-channel-with-xxx/
But the firewall is not found in AD, although AD Authentication is configured.
In reading the page in the firewall, it's for Authorizing unauthenticated users. So my question is if the customer is on Active Directory and they have Endpoint installed, do we even need to worry about this? Can we disable AD SSO without impact since we authenticate with heartbeat? Will we still receive user info for firewall reporting and the ability to configure rules to allow AD groups to have specific web filtering rules?
Added bit about heartbeat.
[edited by: DavidSain at 3:34 PM (GMT -7) on 14 Oct 2024]