
Cannot establish NTLM Authentication channel

Lots of posts about this. Here is an example:

AD SSO - Cannot establish NTLM authentication channel with xxx

Seems like the recommendation is to disable AD SSO in all zones. But what if we want SSO so we can log user web traffic?

Why might we want to use NTLM? It is insecure.

Here's the doc for configuring...
https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/WebAuthentication/AuthenticationADSSO/index.html#set-primary-authentication-method

Sophos does not provide a way to use Kerberos only.
This article describes removing the firewall from AD and re-authenticating the firewall.
https://www.mpca.solutions/wp/knowledgebase/topic/ad-sso-cannot-establish-ntlm-authentication-channel-with-xxx/

But the firewall is not found in AD, although AD Authentication is configured.

In reading the page in the firewall, it's for Authorizing unauthenticated users. So my question is if the customer is on Active Directory and they have Endpoint installed, do we even need to worry about this? Can we disable AD SSO without impact since we authenticate with heartbeat? Will we still receive user info for firewall reporting and the ability to configure rules to allow AD groups to have specific web filtering rules?
Added bit about heartbeat.
[edited by: DavidSain at 3:34 PM (GMT -7) on 14 Oct 2024]
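The KB article linked above says to remove the firewall from AD and re-join it, but the post also says the firewall cannot be found in AD at all. Before removing or re-joining anything, it helps to check from a domain-joined admin host whether the firewall's computer account exists and how it looks. The following is an added example written for this thread; it is not code from Sophos, the linked KB article or the docs. It assumes the RSAT ActiveDirectory module is installed, that the firewall joined the domain under the hostname you pass in ('sfos-fw1' below is a placeholder), and that the account, if present, would carry an HTTP/<hostname> SPN, which is the SPN form Kerberos HTTP authentication generally relies on (an assumption about the deployment, not a documented Sophos requirement).

```powershell
# Added example, not from the Sophos docs or the KB article linked above.
# Reports whether the firewall's AD computer account exists and what state
# it is in, so you know if "remove and re-join" actually has something to remove.
# Assumptions: RSAT ActiveDirectory module available; hostname passed in is the
# name the firewall used when joining (placeholder 'sfos-fw1' in the call below).
Import-Module ActiveDirectory

function Test-FirewallComputerAccount {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # name the firewall joined with
        [string] $Server                             # optional: specific DC to query
    )
    $common = @{ Properties = 'ServicePrincipalNames','PasswordLastSet','LastLogonDate','Enabled','DNSHostName' }
    if ($Server) { $common.Server = $Server }

    # Look the object up by name first. If that fails, search by SPN in case the
    # object was renamed but still carries the HTTP/<hostname> SPN (assumed form).
    $acct = Get-ADComputer -Filter "Name -eq '$HostName'" @common
    if (-not $acct) {
        $acct = Get-ADComputer -Filter "servicePrincipalName -like 'HTTP/$HostName*'" @common
    }
    if (-not $acct) {
        # Nothing to remove; the firewall will have to join the domain again.
        return [pscustomobject]@{ HostName = $HostName; Found = $false }
    }

    [pscustomobject]@{
        HostName        = $HostName
        Found           = $true
        Enabled         = $acct.Enabled                      # disabled account also breaks the secure channel
        DNSHostName     = $acct.DNSHostName                  # must match what clients/DCs resolve
        HasHttpSpn      = [bool]($acct.ServicePrincipalNames | Where-Object { $_ -like 'HTTP/*' })
        PasswordLastSet = $acct.PasswordLastSet              # machine account password age
        LastLogonDate   = $acct.LastLogonDate                # when the firewall last authenticated to a DC
        SPNs            = $acct.ServicePrincipalNames
    }
}

# Example call; 'sfos-fw1' is a placeholder hostname.
Test-FirewallComputerAccount -HostName 'sfos-fw1' | Format-List
```

If `Found` is `$false`, the removal step in the KB article is moot and the question becomes why the join did not leave an account behind; if it is found but `Enabled` is `$false` or `HasHttpSpn` is `$false`, that is worth fixing or noting before re-joining.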
  • Most of the time, people have this issue while not wanting Kerberos/NTLM in the first place, so the best way is to disable it by disabling SSO for all zones. 

    Just to be sure: you want to use Kerberos on SFOS for authentication? Could you give us some background on why you chose Kerberos over Heartbeat User ID or STAS? What are you looking to do with Kerberos? 

    __________________________________________________________________________________________________________________

  • Please read the last paragraph above...

    Sophos Firewall Engineer 16.0-20.0
    Sophos Firewall Architect 18.0-20.0
    Sophos Firewall Technician 18.0-20.0
    Sophos Central & Endpoint Architect 3.0-4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner

  • I did, but it is not clear why you chose Kerberos. 

  • This is enabled by default in every firewall. I did not "choose" it.

    From what I gather, AD SSO is unnecessary when using Endpoint with Heartbeat to identify users. But nowhere in Sophos' documentation do I see this specific statement.

