
how to enable SFOS authentication with different UPN and SamAccountName

I have learned how to support UPN or multi UPN configuration with local Host / DNS registrations on the Firewall directly. I have configured that successfully on the firewall. Sophos Firewall: Authentication Multi UPN configuration 

But as written in my comments in that Recommended Read, we're having difficulties, as we currently have a SamAccountName (SAM) in our AD like

username (which is username\domain)

Now with migration to O365 we need UPN authentication

name.surname@domain.com

This does not work for firewall authentication. It only works when the SAM is identical to the UPN part before the @.

So we must have: SAM=name.surname and UPN=name.surname@domain.com only then it works.

We need the original SAM so we don't mess up with other internal system logins but we need the additional UPN for O365.

We don't want the users to use different logins for Firewall and Windows / O365.

The current situation is a showstopper. As author of the article, is it possible that you can help here?



Edited TAGs
[edited by: Erick Jan at 3:32 AM (GMT -8) on 9 Dec 2024]
  • Sorry for the delay, it's not easy to help without knowing the infrastructure. However, what are the attributes you use? For example:

    in the firewall configuration read UPN or SamAccountName for example

  • Thanks for your answers.

    It does not matter what you enter as the Display name attribute, as this is only cosmetic.

    In the end the Firewall does not use UPN when it sends the query to the AD server. It only uses SAM.

    ERROR     Dec 20 17:16:46.278207Z [ADS_AUTH]: adsauth_authenticate_user: 'dc.my.domain:389': bind failed for User: 'my\upn.test'
    ERROR     Dec 20 17:16:46.278210Z [ADS_AUTH]: adsauth_authenticate_user: ADS Authentication Failed for User:'upn.test@my.domain'
    ERROR     Dec 20 17:16:46.278240Z [ADS_AUTH]: adsauth_parse_error_msg: ad error no: 1326
    MESSAGE   Dec 20 17:16:46.278256Z [access_server]: (check_auth_result): REJECT2 for user upn.test@my.domain (password is wrong)
    ERROR     Dec 20 17:16:46.278266Z [access_server]: check_auth_result: VPN/SSLVPN/MYACC Authentication Failed

    I think this can be tested easily with any firewall and AD server. Using plain LDAP makes this very transparent.

    So actually the firewall is not capable of forwarding true UPN authentication to the Auth Server.

    does not work for firewall Auth:
    SAM: username
    UPN: name.surname@my.domain

    only this works for firewall Auth:
    SAM: name.surname
    UPN: name.surname@my.domain

  • Is this something not correct in my post above? 

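The SAM/UPN layout described in the question and the failure shown in the quoted log lines, modelled as an added example (this is not code from the thread, from Sophos, or from the SFOS product). It uses a constructed in-memory stand-in for the AD user objects, made-up passwords, and the NetBIOS domain "my" from the log; the search-then-bind variant is an assumption about what "true UPN authentication" would look like, not something the thread says SFOS offers. The last function checks log lines for the pattern quoted above, where the bind name is just the part of the UPN before the @.

```python
"""Added example, not from the thread: models how a gateway can hand a UPN
login to Active Directory, plus a log check for the failure pattern quoted
in the thread. DIRECTORY is a constructed stand-in for AD; all passwords
and the second user are made up."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AdUser:
    sam_account_name: str
    user_principal_name: str
    password: str  # constructed sample value; a real directory never exposes this


NETBIOS_DOMAIN = "my"  # from the log line 'my\upn.test'
DIRECTORY = [
    AdUser("username", "name.surname@my.domain", "Pa55-example"),  # the question's layout
    AdUser("upn.test", "upn.test@my.domain", "Test-example"),      # constructed
]

ERROR_LOGON_FAILURE = 1326  # AD/Windows: unknown user name or bad password


def simple_bind(bind_user: str, password: str) -> int:
    """Mimic a DOMAIN\\sAMAccountName simple bind: 0 on success, else 1326."""
    domain, _, sam = bind_user.partition("\\")
    for u in DIRECTORY:
        if (domain.lower() == NETBIOS_DOMAIN
                and u.sam_account_name.lower() == sam.lower()
                and u.password == password):
            return 0
    return ERROR_LOGON_FAILURE


def bind_by_upn_prefix(login: str, password: str) -> int:
    """What the quoted log shows: the part before '@' becomes DOMAIN\\prefix.
    This only succeeds when that prefix equals the sAMAccountName."""
    prefix = login.split("@", 1)[0]
    return simple_bind(f"{NETBIOS_DOMAIN}\\{prefix}", password)


def search_then_bind(login: str, password: str) -> int:
    """Assumed alternative (not described in the thread): resolve the UPN to
    the account first, then bind with the sAMAccountName that was found."""
    for u in DIRECTORY:
        if u.user_principal_name.lower() == login.lower():
            return simple_bind(f"{NETBIOS_DOMAIN}\\{u.sam_account_name}", password)
    return ERROR_LOGON_FAILURE


BIND_FAIL_RE = re.compile(
    r"\[ADS_AUTH\]: adsauth_authenticate_user: '[^']+': bind failed for User: '(?P<bind_user>[^']+)'"
)
AUTH_FAIL_RE = re.compile(r"ADS Authentication Failed for User:'(?P<login>[^']+)'")


def find_upn_sam_mismatch(log_lines):
    """Pair each 'bind failed' line with the following 'Authentication Failed'
    line and report logins whose bind name is only the UPN prefix, which is
    the signature of a SAM != UPN-prefix account in this log format."""
    findings = []
    pending = None
    for line in log_lines:
        m = BIND_FAIL_RE.search(line)
        if m:
            pending = m.group("bind_user")
            continue
        f = AUTH_FAIL_RE.search(line)
        if f and pending:
            login = f.group("login")
            prefix = login.split("@", 1)[0]
            if pending.split("\\")[-1].lower() == prefix.lower():
                findings.append((login, pending))
            pending = None
    return findings


# Sample input: the two relevant lines as quoted in the thread above.
SAMPLE_LOG = [
    r"ERROR     Dec 20 17:16:46.278207Z [ADS_AUTH]: adsauth_authenticate_user: 'dc.my.domain:389': bind failed for User: 'my\upn.test'",
    r"ERROR     Dec 20 17:16:46.278210Z [ADS_AUTH]: adsauth_authenticate_user: ADS Authentication Failed for User:'upn.test@my.domain'",
]

if __name__ == "__main__":
    print("prefix bind, SAM differs:", bind_by_upn_prefix("name.surname@my.domain", "Pa55-example"))
    print("search then bind, same user:", search_then_bind("name.surname@my.domain", "Pa55-example"))
    print("mismatch candidates in log:", find_upn_sam_mismatch(SAMPLE_LOG))
```

Running it shows the first call returning 1326 even with the right password, because the bind name "my\name.surname" matches no sAMAccountName, while the search-then-bind path returns 0 for the same credentials; the log check flags 'upn.test@my.domain' as a candidate because the bind name was derived from its prefix. On a real deployment, the equivalent check is an LDAP search on userPrincipalName with a read-only service account, which also makes it easy to confirm, before opening a case, which accounts have a sAMAccountName different from their UPN prefix.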
