Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Cannot establish NTLM Authentication channel

Lots of posts about this.  Here is an example.

 AD SSO - Cannot establish NTLM authentication channel with xxx 

Seems like the recommendation is to disable AD SSO in all zones.  But what if we want SSO so we can log user web traffic?  

Why might we want to use NTLM?  It is insecure. 

Here's the doc for configuring...
https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/WebAuthentication/AuthenticationADSSO/index.html#set-primary-authentication-method

Sophos does not provide a way to use Kerberos only.



This article describes removing the firewall from AD and re-authenticating the firewall.
https://www.mpca.solutions/wp/knowledgebase/topic/ad-sso-cannot-establish-ntlm-authentication-channel-with-xxx/

But the firewall is not found in AD, although AD Authentication is configured.

In reading the page in the firewall, it's for Authorizing unauthenticated users.  So my question is if the customer is on Active Directory and they have Endpoint installed, do we even need to worry about this?  Can we disable AD SSO without impact since we authenticate with heartbeat?  Will we still receive user info for firewall reporting and the ability to configure rules to allow AD groups to have specific web filtering rules?



Added bit about heartbeat.
[edited by: DavidSain at 3:34 PM (GMT -7) on 14 Oct 2024]
Parents Reply
  • Thank you  . 

    I found that someone set our firewall group this way and it's been that way for longer than I've been with this company.  I've updated the group to remove AD SSO so we don't have to keep getting this error.  I've seen it across all firewalls and have simply ignored it but with customers receiving firewall reports and this error in there repeatedly, I wanted to get too the root of the issue.

    Glad to know that "Client" is what endpoint Heartbeat is using. I thought this would be the Authentication client that I have never implemented in the last 7 years of working with Sophos.

    Sophos Firewall Engineer 16.0-20.0
    Sophos Firewall Architect 18.0-20.0
    Sophos Firewall Technician 18.0-20.0
    Sophos Central & Endpoint Architect 3.0-4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner

Children
No Data