
AD SSO

Hello everyone,

We are currently using the captive portal, but the plan is to use AD SSO instead. The authentication server and service are configured, and the servers have a higher priority in the firewall authentication service. AD SSO is selected for the LAN zone in device access as well.

Problem:

When a domain-joined user opens the browser, a user/pass page appears and they have to re-enter their AD login info (the page address is https://firewall:8091). As you can see, SSO is not working. After entering the domain credentials, the user logs in successfully and the authentication method in the log viewer shows AD SSO NTLM.

But we need to prevent them from re-entering the credentials. I know STAS is another way to achieve the desired result, but we are not going to install anything on DCs and RODCs.



[edited by: Raphael Alganes at 2:14 PM (GMT -8) on 7 Jan 2025]
  • While LuCar is correct that there is a fix in MR2, it is not related to your issue. Your issue is just one of trust, and it is a prerequisite of AD SSO.


    The Sophos Firewall asks the client browser to log in (send credentials).

    The browser says "you are some random website on the internet - I don't trust you enough to send my credentials. I'd better ask my user." and it does a pop-up to the user asking for username and password.

    The solution is that in the browser you need to trust the website enough to send credentials.

    Windows (IE, Edge, Chrome). Internet Options. Security. Click on Local Intranet (or Trusted Sites). Click on Sites. Advanced. Add sites to the Zone - add the hostname of the Sophos Firewall.

    Firefox. about:config. Search for network.automatic-ntlm-auth.trusted-uris. Add the hostname.

    Once confirmed working, an Active Directory GPO can make the setting for all browsers.
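The procedure in the answer above, as an added scripted example (this is not code from the original post or from Sophos): it writes the firewall hostname into the Windows zone map that IE, Edge and Chrome consult, sets the Chromium AuthServerAllowlist policy, and writes the Firefox equivalent of network.automatic-ntlm-auth.trusted-uris as an enterprise policy. The hostname "firewall" and the HTTPS-only entry are assumptions taken from the https://firewall:8091 URL in the question; change $FirewallHost to your own name. The Firefox AllowNonFQDN entries are added because a single-label hostname like "firewall" is otherwise not trusted for NTLM or SPNEGO.

```powershell
# Added example, not from the original post. Trust the Sophos Firewall hostname
# for integrated (NTLM/Kerberos) authentication so the browser sends the
# logged-on user's credentials instead of prompting.
# Assumptions: hostname "firewall" (from https://firewall:8091 in the question),
# HTTPS only, run from an elevated PowerShell for the HKLM policy keys.
param(
    [string]$FirewallHost = 'firewall',
    [ValidateSet(1, 2)][int]$Zone = 1   # 1 = Local Intranet, 2 = Trusted Sites
)

# 1. Windows zone map (honoured by IE, Edge and Chrome on Windows).
#    A host without dots lives directly under ZoneMap\Domains\<host>;
#    the value name is the URL scheme and the DWORD data is the zone number.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$hostKey = Join-Path $zoneMap $FirewallHost
New-Item -Path $hostKey -Force | Out-Null
New-ItemProperty -Path $hostKey -Name 'https' -Value $Zone -PropertyType DWord -Force | Out-Null

# 2. Chromium browsers also accept an explicit allowlist for integrated auth
#    (policy AuthServerAllowlist). This is the machine-wide policy a GPO would set.
foreach ($policyPath in 'HKLM:\SOFTWARE\Policies\Google\Chrome',
                        'HKLM:\SOFTWARE\Policies\Microsoft\Edge') {
    New-Item -Path $policyPath -Force | Out-Null
    New-ItemProperty -Path $policyPath -Name 'AuthServerAllowlist' `
        -Value $FirewallHost -PropertyType String -Force | Out-Null
}

# 3. Firefox: same effect as network.automatic-ntlm-auth.trusted-uris, but set
#    through distribution\policies.json so it applies to every profile.
#    AllowNonFQDN is needed because "firewall" is a single-label hostname.
$firefoxRoot = Join-Path ${env:ProgramFiles} 'Mozilla Firefox'
if (Test-Path $firefoxRoot) {
    $distDir = Join-Path $firefoxRoot 'distribution'
    New-Item -Path $distDir -ItemType Directory -Force | Out-Null
    $policies = @{
        policies = @{
            Authentication = @{
                NTLM         = @($FirewallHost)
                SPNEGO       = @($FirewallHost)
                AllowNonFQDN = @{ NTLM = $true; SPNEGO = $true }
            }
        }
    }
    $policies | ConvertTo-Json -Depth 5 |
        Set-Content -Path (Join-Path $distDir 'policies.json') -Encoding UTF8
}

# 4. Verify the zone map entry reads back as the requested zone before rolling
#    the same change out by GPO.
$actual = (Get-ItemProperty -Path $hostKey -Name 'https').https
if ($actual -ne $Zone) {
    throw "Zone map entry for $FirewallHost was not written (got '$actual')"
}
Write-Host "Trust configured for https://$FirewallHost; open https://${FirewallHost}:8091 and confirm there is no prompt"
```

Two checks worth doing after running it. First, confirm the chosen zone's User Authentication > Logon setting in Internet Options still permits automatic logon; the Local Intranet zone does this by default, which is why zone 1 is the default above. Second, keep the entry to the firewall's exact hostname (an FQDN and HTTPS only, if your firewall presents one): this list decides where the browser will silently hand over an NTLM challenge-response, so a wildcard or a plain-HTTP entry widens the set of hosts that could capture or relay those credentials. For the domain-wide rollout, the Site to Zone Assignment List policy under Internet Explorer > Internet Control Panel > Security Page writes the same ZoneMap\Domains structure under the Policies hive, and the Chrome/Edge and Firefox entries above map directly onto their ADMX policies and policies.json respectively.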

