Cannot establish NTLM Authentication channel

Lots of posts about this. Here is an example.

AD SSO - Cannot establish NTLM authentication channel with xxx

Seems like the recommendation is to disable AD SSO in all zones. But what if we want SSO so we can log user web traffic?

Why might we want to use NTLM? It is insecure.

Here's the doc for configuring...
https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/WebAuthentication/AuthenticationADSSO/index.html#set-primary-authentication-method

Sophos does not provide a way to use Kerberos only.

This article describes removing the firewall from AD and re-authenticating the firewall.
https://www.mpca.solutions/wp/knowledgebase/topic/ad-sso-cannot-establish-ntlm-authentication-channel-with-xxx/

But the firewall is not found in AD, although AD Authentication is configured.

In reading the page in the firewall, it's for Authorizing unauthenticated users. So my question is if the customer is on Active Directory and they have Endpoint installed, do we even need to worry about this? Can we disable AD SSO without impact since we authenticate with heartbeat? Will we still receive user info for firewall reporting and the ability to configure rules to allow AD groups to have specific web filtering rules?

Added bit about heartbeat.
[edited by: DavidSain at 3:34 PM (GMT -7) on 14 Oct 2024]

Top Replies

LuCar Toni 2 hours ago in reply to DavidSain +1 verified

ADSSO is basically Kerberos/NTLM. And it should be disabled per Default: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/DeviceAccessLocalServiceACL…

Parents

0 LuCar Toni 2 hours ago

Most of the time, people have this issue, while not wanting Kerberos/NTLM in the first place, so the best way is to disable it by disable SSO for all zones.

Just to be sure: You want to use Kerberos on SFOS for Authentication? Could you give us some background, why you choose Kerberos over Heartbeat User ID or STAS? What are you looking forward to do with Kerberos?

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 DavidSain 2 hours ago in reply to LuCar Toni

Please read the last paragraph above...

Sophos Firewall Engineer 16.0-20.0
Sophos Firewall Architect 18.0-20.0
Sophos Firewall Technician 18.0-20.0
Sophos Central & Endpoint Architect 3.0-4.0
Sophos Central Email v2.0
Sophos Mobile v9.6
Sophos ZTNA 1.0, 2.0
Synchronized Security Accredited
Sophos Gold Partner
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LuCar Toni 2 hours ago in reply to DavidSain

I did, but it is not clear, why you choose Kerberos.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 DavidSain 2 hours ago in reply to LuCar Toni

This is enabled by default in every firewall. I did not "choose" it.

From what I gather, AD SSO is unnecessary when using Endpoint with Heartbeat to identify users. But nowhere in Sophos' documentation do I see this specific statement.

Sophos Firewall Engineer 16.0-20.0
Sophos Firewall Architect 18.0-20.0
Sophos Firewall Technician 18.0-20.0
Sophos Central & Endpoint Architect 3.0-4.0
Sophos Central Email v2.0
Sophos Mobile v9.6
Sophos ZTNA 1.0, 2.0
Synchronized Security Accredited
Sophos Gold Partner
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
+1 LuCar Toni 2 hours ago in reply to DavidSain

ADSSO is basically Kerberos/NTLM. And it should be disabled per Default: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/DeviceAccessLocalServiceACL/index.html

Maybe someone activated it. But you can safely disable it on all zones.
Heartbeat / STAS is using the "Clients" Option under Device Access.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Sign in to reply

Reject Answer

Cancel

Reply

+1 LuCar Toni 2 hours ago in reply to DavidSain

ADSSO is basically Kerberos/NTLM. And it should be disabled per Default: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/DeviceAccessLocalServiceACL/index.html

Maybe someone activated it. But you can safely disable it on all zones.
Heartbeat / STAS is using the "Clients" Option under Device Access.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Sign in to reply

Reject Answer

Cancel

Children

0 DavidSain 1 hour ago in reply to LuCar Toni

Thank you LuCar Toni .

I found that someone set our firewall group this way and it's been that way for longer than I've been with this company. I've updated the group to remove AD SSO so we don't have to keep getting this error. I've seen it across all firewalls and have simply ignored it but with customers receiving firewall reports and this error in there repeatedly, I wanted to get too the root of the issue.

Glad to know that "Client" is what endpoint Heartbeat is using. I thought this would be the Authentication client that I have never implemented in the last 7 years of working with Sophos.

Sophos Firewall Engineer 16.0-20.0
Sophos Firewall Architect 18.0-20.0
Sophos Firewall Technician 18.0-20.0
Sophos Central & Endpoint Architect 3.0-4.0
Sophos Central Email v2.0
Sophos Mobile v9.6
Sophos ZTNA 1.0, 2.0
Synchronized Security Accredited
Sophos Gold Partner
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel