AD SSO

Question

Hello everyone, 
 we are using captive portal currently, but the plan is to use AD SSO instead. The authentication server and service is configured and servers have higher priority in firewall authentication service. AD SSO is selected for LAN zone in device access as well. 
 problem: 
 when a domain-joind user open the browser, a user/pass page appears and they have to reenter their AD login info (page address is https://firewall:8091). As you can see, sso is not working. After entering the domain credentioal, user logs in successfully and the authentication method in log viewer shows AD SSO NTLM. 
 But we need to prevent them from reentering thebcredential. I now SATS is another way to achieve desired result, but we are not going to install anything on DCs and RoDCs

Michael Dunn · Accepted Answer

While LuCar is correct that there is a fix in MR2, it is not related to your issue. Your issue is just one of trust and it is a prerequisite of AD SSO. The Sophos Firewalls asks the client browser to log in (send credentials). The browser says "you are some random website on the internet - I don't trust you enough to send my credentials. I better ask my user." and it does a pop up to the user asking for username and password. The solution is in the browser you need need to trust the website enough to send credentials. Windows (IE, Edge, Chrome). Internet Options. Security. Click on Local Intranet (or Trusted Sites). Click on Sites. Advanced. Add sites to the Zone - add the hostname of the Sophos Firewall. 
 Firefox. about:config. search for network.automatic-ntlm-auth.trusted-uris. Add the hostname. 
 Once confirmed working, an Active Directory GPO can make the setting for all browsers.

LuCar Toni · Answer

https:8091 is an old issue in AD SSO. It is HSTS related. 
 Which version do you use in your SFOS? We implemented one approach to fix this: https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html V20.0 MR2 brought a fix for it: 
 
 More transparent AD SSO experience when HSTS is enforced, enabling the Kerberos or NTLM handshake to take place over HTTP or HTTPS.

LuCar Toni · Answer

Try the update to MR3 or V21.0 GA. It should address your issues.

AD SSO

Top Replies