
VPN with Authentication Active Directory with enumeration blocked

Hi.

Has anyone configured Sophos XGS SSL VPN with Active Directory authentication on an AD where enumeration is blocked?

After configuring the server on the XGS I can authenticate and retrieve groups/users without problem... My problem appears when trying to authenticate a user on the VPN Portal/User Portal/SSL VPN... In the logs I can see a failure on the search with filter sAMAccountName=xxxxxxx and a result of user not found.

This is caused by blocked user enumeration on AD.

Is there any way to configure Sophos to authenticate on AD with this configuration?



Added TAGs
[edited by: Raphael Alganes at 11:47 AM (GMT -8) on 13 Nov 2024]
  • Hello  

    As per the authentication behavior on the Sophos firewall, every time a user logs in through any mechanism (VPN Portal/User Portal/SSL VPN), the firewall sends that request directly to the configured AD server using the "ADS user name".

    Now at the AD server, the "ADS user name" will search for the "user" within all domain users to identify user attributes (such as group membership etc.), so I assume that when you block user enumeration on AD, the "ADS user name" is not able to search for the user and hence you are getting the "user not found" message.

    So, it seems to be necessary to allow enumeration for at least the user that you are using as "ADS user name", and for the rest of the groups/OUs you can deny the read permissions (user enumeration).

    Considering the above behavior, I have some queries on your 2 statements below: what's the difference between them, who is able to authenticate and who is not able to authenticate?

    "After configuring the server on XGS I can authenticate and retrieve groups/users without problem...
    My problem appears when trying to authenticate a user on VPN Portal/User Portal/SSL VPN..."

    Hardik R 
    If a post solves your question use the 'Verify Answer' link.

  • Hi.

    "As per the authentication behavior on the Sophos firewall, every time a user logs in through any mechanism (VPN Portal/User Portal/SSL VPN), the firewall sends that request directly to the configured AD server using the "ADS user name"."

    No... this is not the behavior at some point!

    The ADS user name is in an OU where enumeration is not blocked, and it can retrieve every group of that OU (the groups used in the UTM). But when a user that belongs to one of these groups tries to log in, it can't, and in the logs I can see a failure on the search with filter sAMAccountName=xxxxxxx and a result of user not found.

    This user is in an OU with enumeration blocked.

    Only one OU has enumeration allowed for all users.

    All other "normal users" are part of OUs that have enumeration blocked.

  • To verify this simply, log in to any domain system using the "ADS user name" and from there run a Get-ADUser query in PowerShell using a filter on SAMAccountName.

    If you get the correct response then the permissions are proper for the "ADS user name" and the same should work for the firewall as well; however, if you see any error then you need to further validate the permissions for the "ADS user name".

    Hardik R 
    If a post solves your question use the 'Verify Answer' link.

  • Hi.

    Thanks for your reply.

    So (tests already done before opening this discussion...):

    1. Powershell with user adsusername:   Get-ADUser filter sAMAccountName=uservpn   ->   user IS found 

    2. Powershell with user uservpn:   Get-ADUser filter sAMAccountName=uservpn   ->   user NOT found

    Reason:

    adsusername is located at an OU that enumeration is allowed for all users

    uservpn is located at an OU that has enumeration blocked for a group BLOCKENUMERATION

    adsusername is NOT member of BLOCKENUMERATION

    uservpn IS member of group BLOCKENUMERATION

    uservpn IS member of group VPNUSERS (permitted to VPN on Sophos XGS)

    VPN Result:

    uservpn CAN log in to VPNPortal/SSLVPN if NOT a member of BLOCKENUMERATION

    uservpn CANNOT log in to VPNPortal/SSLVPN if a member of BLOCKENUMERATION

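The lookup Hardik suggests, run under both identities from the two tests above (bind account vs. uservpn) and followed by a walk up the user's DN listing the Deny ACEs that would hide the object; this is an added example, not code from the thread or from Sophos, and the server name, search base and account names are placeholders.

```powershell
Add-Type -AssemblyName System.DirectoryServices

function Test-LdapUserLookup {
    # Same subtree search the XGS log shows, bound as the supplied identity.
    param(
        [Parameter(Mandatory)] [string] $Server,          # placeholder, e.g. dc01.example.local
        [Parameter(Mandatory)] [string] $SearchBase,      # placeholder, e.g. DC=example,DC=local
        [Parameter(Mandatory)] [pscredential] $BindAs,    # identity the search runs as
        [Parameter(Mandatory)] [string] $SamAccountName   # account being looked up
    )
    $root = [System.DirectoryServices.DirectoryEntry]::new(
        "LDAP://$Server/$SearchBase", $BindAs.UserName, $BindAs.GetNetworkCredential().Password)
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($root)
    # Escape RFC 4515 metacharacters before the value goes into the filter
    $escaped = $SamAccountName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$escaped))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'memberOf'))
    $hit = $searcher.FindOne()   # $null when this identity cannot see the object
    [pscustomobject]@{
        BindAs = $BindAs.UserName
        Target = $SamAccountName
        Found  = [bool]$hit
        DN     = if ($hit) { [string]$hit.Properties['distinguishedName'][0] } else { $null }
        Groups = if ($hit) { @($hit.Properties['memberOf']) } else { @() }
    }
}

function Get-DenyAcesAbove {
    # Lists every Deny ACE from the user object up to the domain root; a Deny for a
    # group the bind identity belongs to is what turns "found" into "user not found".
    # Needs the RSAT ActiveDirectory module (AD: drive); assumes no escaped commas in the DN.
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $dn = $DistinguishedName
    while ($dn) {
        foreach ($ace in ((Get-Acl -Path "AD:\$dn").Access | Where-Object AccessControlType -eq 'Deny')) {
            [pscustomobject]@{ Object = $dn; Trustee = $ace.IdentityReference; Rights = $ace.ActiveDirectoryRights; Inherited = $ace.IsInherited }
        }
        $dn = if ($dn -match '^[^,]+,(.+)$') { $Matches[1] } else { $null }
    }
}

# Placeholder server/base; the two identities are the ones from the thread's tests 1 and 2.
$adsCred = Get-Credential -Message 'ADS user name configured on the XGS'
$vpnCred = Get-Credential -Message 'uservpn (member of BLOCKENUMERATION)'
$asAds = Test-LdapUserLookup -Server 'dc01.example.local' -SearchBase 'DC=example,DC=local' -BindAs $adsCred -SamAccountName 'uservpn'
$asVpn = Test-LdapUserLookup -Server 'dc01.example.local' -SearchBase 'DC=example,DC=local' -BindAs $vpnCred -SamAccountName 'uservpn'
$asAds, $asVpn | Format-Table BindAs, Target, Found, DN -AutoSize
if ($asAds.Found) { Get-DenyAcesAbove -DistinguishedName $asAds.DN | Format-Table -AutoSize }
```

If the first lookup succeeds but the second fails, the Deny ACE listing shows which trustee on the OU path hides the object from uservpn; compare those trustees against the groups of whichever identity the firewall actually searches as.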
  • Are adsusername & uservpn part of same OU or different OU?

    Hardik R 
    If a post solves your question use the 'Verify Answer' link.

  • I've written this... so the answer is obvious...

    Reason:

    adsusername is located at an OU that enumeration is allowed for all users

    uservpn is located at an OU that has enumeration blocked for a group BLOCKENUMERATION