
AD server added and enabled but can't import groups or login with a user?

I have added my AD server (2008 R2 running at 2003 level, if that matters) and it tests out fine in the add/edit page. I am using the administrator account, so it should be able to manage the domain etc.

But the import group page still says "Unable to fetch groups", even when using a base DN of just my domain (dn=ADAMXP12,dn=server,dn=adamxp12,dn=com).

I know most AD setups don't use an actual domain, but it was set up that way and has been working fine for the past 4 years, so I don't think that's what's causing it.

Is there any section in Sophos where I can see the logs for attempted AD logins? I am quite stumped at the moment as to why it's not letting any AD users log in, despite being top priority for the firewall and testing fine on the server edit page.



  • Adam,

    Did you install the STAS agent on the DC?

    In XG, integration with AD has changed.

    Follow this guide

    Luk

  • Got the STAS suite installed and configured it per the guide, but the service won't start, saying 'login failure'.

    This is running on the DC, and I tried both (domain)\administrator and .\administrator, and it complained in both scenarios.

    Any ideas on how to proceed?

  • Did you try "Administrator" only?

    Otherwise, go to Windows services, search for Sophos, change the startup credential configuration to "Local Service" and start the service.

    Launch the Sophos STAS again.

    Luk

  • I did try more than one user, but Sophos XG does seem able to log in: if I put the wrong password in the edit page and click the test button it fails, but if I put the right details in then it succeeds.

    Changing the startup user for the service allowed it to start, but Sophos still cannot import groups or even have users log in through the user portal.

    I have actually spun up a test VM and made a new AD forest, just in case it was something on my current domain, but still no luck. I have even tried turning off the firewall on the server to see if maybe requests were being blocked,

    but again I just keep getting the same error screen when importing groups:

    http://prntscr.com/ac0ksv

    So here is my brief understanding:

    Sophos itself can log in with both an administrator account and a user account in the test screen.
    So you would think Sophos could communicate with the server outside of that screen, like on the user portal.
    But as I am experiencing, neither importing groups nor having users log in is working so far.

    I am not really understanding why it's not working for me.

    I see others on the forums have it working, and I followed both guides fully, so I am not sure what's wrong at the moment.

  • Inside Base DN, put an OU where the groups exist. For example, CN=Users,DC=DUCK,DC=local

    Luk
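The two base DN strings quoted in this thread differ in the attribute type they use for the domain components (`dn=` versus `DC=`). An AD naming context is built from CN, OU and DC components, so a quick offline sanity check of the DN string before typing it into the appliance saves a round of "Unable to fetch groups". The script below is an added example, not code from the thread or from Sophos; it parses a DN into RDNs, flags attribute types AD does not use in naming contexts, and builds the correct `DC=...` base DN from a DNS domain name. The domain names it is run against are constructed placeholders.

```python
"""Base DN sanity check (added example; not from the thread or from Sophos).

Parses an LDAP DN into RDNs, reports attribute types that do not belong in
an AD naming context (only CN, OU and DC are expected), and converts a DNS
domain name into the matching DC=... base DN.
"""
import re

# RFC 4514 separates RDNs with commas; a comma inside a value is escaped
# as "\,", so split only on commas that are not preceded by a backslash.
_RDN_SPLIT = re.compile(r'(?<!\\),')
_ALLOWED_TYPES = {"CN", "OU", "DC"}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute type, value) pairs; types are upper-cased."""
    pairs = []
    for rdn in _RDN_SPLIT.split(dn):
        rdn = rdn.strip()
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        typ, val = rdn.split("=", 1)
        pairs.append((typ.strip().upper(), val.strip()))
    return pairs


def dn_problems(dn: str) -> list[str]:
    """Return human-readable problems with a base DN; an empty list means it looks sane."""
    problems = []
    try:
        pairs = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    for typ, val in pairs:
        if typ not in _ALLOWED_TYPES:
            problems.append(f"unknown attribute type {typ!r} (expected CN, OU or DC)")
        if not val:
            problems.append(f"empty value for {typ}")
    # A base DN inside a domain always ends with that domain's DC components.
    if not pairs or pairs[-1][0] != "DC":
        problems.append("DN does not end in the domain's DC= components")
    return problems


def base_dn_from_domain(fqdn: str) -> str:
    """Build the domain's base DN from its DNS name, e.g. duck.local -> DC=duck,DC=local."""
    labels = [label for label in fqdn.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"DC={label}" for label in labels)


if __name__ == "__main__":
    # Constructed inputs: the two DN spellings seen in the thread.
    for candidate in ("dn=ADAMXP12,dn=server,dn=adamxp12,dn=com",
                      "CN=Users,DC=DUCK,DC=local"):
        print(candidate, "->", dn_problems(candidate) or "OK")
    print("duck.local ->", base_dn_from_domain("duck.local"))
```

If the check passes but the appliance still cannot fetch groups, the next thing to confirm is that the account used for the LDAP bind can actually read the groups under that OU; the DN itself is then not the problem.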

  • OK, I did some investigating. I cleared my security log on my test domain DC and then tried to log in as a "user" in the user portal,

    and it seems to log in but gives an error about explicit credentials, then logs in fine, then immediately logs out again, and I get a login failed error on the user portal.

    http://prntscr.com/ac0svb
    http://prntscr.com/ac0tci
    http://prntscr.com/ac0tkh
    http://prntscr.com/ac0tpx

    These are in order of them happening top to bottom.

    In theory the domain connection is there and working; Sophos is just not actually logging the user in or creating the new user.

    The same thing happens when trying to import groups, except it does a special login to, I assume, grant access to the domain structure?

    http://prntscr.com/ac0w3l
    http://prntscr.com/ac0w91
    http://prntscr.com/ac0wlc
    http://prntscr.com/ac0wt9
    http://prntscr.com/ac0x1u
    http://prntscr.com/ac0xbl

    But it still gives me an error about failing to import groups.

    So again I am still stumped. It is all pointing towards it working perfectly, but for some unknown reason it just gives up at the end of logging in, so I don't think it's a DC issue. It seems more like a Sophos issue to me, as there are no errors in the security event log and it seems to log in just fine and dandy according to the DC.
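The pattern described in the post above (an "explicit credentials" entry, a successful logon, then an immediate logoff) is easier to reason about when the DC's Security events are correlated per logon session rather than read one screenshot at a time. The script below is an added example, not from the thread or from Sophos; it pairs logon and logoff events by Logon ID, measures how long each session lasted, and flags sessions that end within a couple of seconds, which is what a bind that the client immediately drops looks like from the DC side. The event records are constructed sample data shaped after the fields of Security events 4648 (logon attempted with explicit credentials), 4624 (logon) and 4634 (logoff); the field names, usernames, Logon IDs and timestamps are assumptions, not the thread's screenshots, and the 2-second threshold is an arbitrary choice.

```python
"""Correlate DC Security logon/logoff events per session (added example).

Constructed sample records modelled on the fields of Security events 4648,
4624 and 4634. Field names, users, Logon IDs and timestamps are assumptions;
they are not taken from the thread.
"""
from datetime import datetime

SAMPLE_EVENTS = [  # constructed sample data
    {"time": "2016-03-10T10:00:00.100", "id": 4648, "user": "sophos-svc", "target": "user", "logon_id": None},
    {"time": "2016-03-10T10:00:00.200", "id": 4624, "user": "user", "logon_id": "0x3e5a1", "logon_type": 3},
    {"time": "2016-03-10T10:00:00.350", "id": 4634, "user": "user", "logon_id": "0x3e5a1"},
    {"time": "2016-03-10T10:05:00.000", "id": 4624, "user": "admin", "logon_id": "0x4f001", "logon_type": 2},
    {"time": "2016-03-10T10:35:00.000", "id": 4634, "user": "admin", "logon_id": "0x4f001"},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def correlate_sessions(events, user):
    """Pair 4624/4634 events for `user` by Logon ID and return one record per session."""
    ordered = sorted(events, key=lambda e: e["time"])
    open_logons = {}      # logon_id -> 4624 record still waiting for its 4634
    last_explicit = None  # time of the most recent 4648 naming `user` as target
    sessions = []
    for e in ordered:
        if e["id"] == 4648 and e.get("target") == user:
            last_explicit = _ts(e["time"])
        elif e["id"] == 4624 and e["user"] == user:
            open_logons[e["logon_id"]] = e
        elif e["id"] == 4634 and e["user"] == user:
            start = open_logons.pop(e["logon_id"], None)
            if start is None:
                continue  # logoff whose logon lies outside the window we have
            sessions.append({
                "logon_id": e["logon_id"],
                "logon_type": start.get("logon_type"),
                "start": start["time"],
                "duration_s": (_ts(e["time"]) - _ts(start["time"])).total_seconds(),
                "explicit_creds_before": last_explicit is not None and last_explicit <= _ts(start["time"]),
            })
    # Logons with no logoff yet are reported with an unknown duration.
    for logon_id, start in open_logons.items():
        sessions.append({"logon_id": logon_id, "logon_type": start.get("logon_type"),
                         "start": start["time"], "duration_s": None,
                         "explicit_creds_before": last_explicit is not None and last_explicit <= _ts(start["time"])})
    return sessions


def short_sessions(sessions, max_seconds=2.0):
    """Sessions that were torn down within `max_seconds` of being established."""
    return [s for s in sessions if s["duration_s"] is not None and s["duration_s"] <= max_seconds]


if __name__ == "__main__":
    for who in ("user", "admin"):
        for s in correlate_sessions(SAMPLE_EVENTS, who):
            flag = "SHORT" if s in short_sessions([s]) else "ok"
            print(who, s["logon_id"], "type", s["logon_type"], "duration", s["duration_s"], flag)
```

On a real DC the same fields come from `Get-WinEvent -LogName Security` exported to CSV or JSON; a network logon (type 3) that lasts a fraction of a second and is preceded by a 4648 naming the test user is consistent with the DC accepting the credentials and the client closing the connection, which is the behaviour the post describes.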
