Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 41 subscribers
  • Views 575 views
  • Users 0 members are here
Options
Suggested

how to enable SFOS authentication with different UPN and SamAccountName

LHerzog

I have learned how to support UPN or multi UPN configuration with local Host / DNS registrations on the Firewall directly. I have configured that successfully on the firewall. Sophos Firewall: Authentication Multi UPN configuration 

But as written in my comments in that Recommended Read, we're having difficulties, as we currently have a SamAccountName (SAM) in our AD like

username (which is username\domain)

Now with migration to O365 we need UPN authentication

name.surname@domain.com

This does not work for firewall authentication. It only works when the SAM is identical the UPN-Part before the @

So we must have: SAM=name.surname and UPN=name.surname@domain.com only then it works.

We need the original SAM so we don't mess up with other internal system logins but we need the additional UPN for O365.

We don't want the users to use different logins for Firewall and Windows / O365.

The current situation is a showstopper.   as author of the article, is it possible that can you help here?



Edited TAGs
[edited by: Erick Jan at 3:32 AM (GMT -8) on 9 Dec 2024]
  • 0

    It depends on the way, you perform the authentication. 

    The endpoint (sync User ID) will notice this issue right away: It will see the difference between UPN and SAMAccountname. Then Endpoint will send those values separate: SAMAccountname + Domain. 

    You have to be mindful about the situation, that you will get new users:
    domain.local\user will be on SFOS: user @domain.local
    user.name@domain.com will be: user.name@domain.com 
    Even if the user is in AD the same, the SAMAccountname could be different. 

    SFOS will use for all Authentication beside Heartbeat always the SAMAccountname and "simply add the domain" of the configured AD Server. 
    For example:
    Samaccountname: user 
    Domain in SFOS configured under Authentication Server: domain.com 
    User on SFOS: user@domain.com

    SFOS is not aware of the UPN, and will not use the UPN. 
    Most customers i know will simply add the new Domain (domain.com) as a new AD Server to the firewall. This will utilize the Authentication - As stated above: It does not matter, what the UPN is for the firewall, as long as the AD Server sends an "Allowed", we will add the Domain Name to the user. 
    For the most authentications or transitions to a different UPN, you will not change this behavior at all: We still use the old authentication. 

    To create the same AD server with another AD Domain:  Sophos Firewall: Create multiple AD Server entities in SFOS for multi domains  

    It highly depend on the way you want to authenticate. User Portal for example can work with Domain or the simple SAMAccountname alone. SFOS here will split up and search: It will use the first part (before the Domain @) and use it against the AD Servers. 

    __________________________________________________________________________________________________________________

  • 0

    Sorry for the delay, it's not easy to help without knowing the infrasructure, however what are the attributes you use? for example:

    in the firewall configuration read UPN or SamAccountName for example

Unfiltered HTML