
Sophos Firewall: Authentication Multi UPN configuration

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This Recommended Read explains how to configure Sophos Firewall authentication for Active Directory users whose accounts use more than one UPN suffix.

UPN

In Microsoft Active Directory, a User Principal Name (UPN) is a username and domain written in email-address format: the username, followed by the separator "at sign" (@), followed by the UPN suffix, which by default is the DNS name of the Active Directory domain.

For more details, see https://soph.so/2u4ivo

UPN suffixes form part of Active Directory (AD) login names. For example, if your login name is administrator@sophoslab.local, the part of the name to the right of the at sign is the UPN suffix (in this case, sophoslab.local).

Editor's Note: If you need a quick primer on what a UPN is from a Microsoft perspective, the Microsoft Learn article on the userPrincipalName attribute explains: learn.microsoft.com/.../a-userprincipalname


“This attribute contains the UPN, an Internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this will map to the user email name. The value set for this attribute equals the length of the user’s ID and the domain name.”

Configuration

When you create a new user account in AD, you can select a UPN suffix for it; by default this is the DNS name of your AD domain. There are situations where an additional UPN suffix is useful: if your AD domain name is sophoslab.local, it may be more convenient to give users the UPN suffix sophoslab.eu, so that their login name matches their email address. Before an additional suffix can be selected for a user, it must be added to the forest in Active Directory Domains and Trusts.

Active Directory

Many customers use several UPN suffixes, especially in hybrid setups with Microsoft 365 (O365) or Azure, or for other organizational reasons.

Open Active Directory Users and Computers, open the properties of the user, and select the Account tab. Next to the User logon name, choose the desired UPN suffix from the drop-down list, as shown in the screenshot.

Sophos Firewall

Go to Network > DNS and configure the firewall with the same DNS servers (names and IP addresses) that the domain controller uses, so that the domain controller names and the UPN suffixes resolve on the firewall exactly as they do in the domain.

Then go to Authentication > Servers and add each domain controller as an authentication server (for redundancy, add both controllers of every domain). Finally, enable those servers under Authentication > Services for the services that should use them, for example SSL VPN.

This way, users are authenticated even if they use different UPN suffixes, as long as their accounts live on one of the configured domain servers.




Added TAG
[edited by: Erick Jan at 7:25 AM (GMT -7) on 17 Oct 2024]
  • Hi Giuseppe,

    thanks for sharing.

    I wonder about the following steps in order to use the auth. servers for sslvpn-authentication.

    As I understand the approach, I would have to add the servers for each UPN domain (we are using two for each UPN domain for redundancy) to the list of authentication servers for e.g. SSL VPN authentication, i.e. in case we are using 4 UPN domains that would be 8 servers.

    Then, trying to authenticate, a user might face the situation that she/he is using UPN domain A, which does not match the first 3 pairs of authentication servers in the list, resulting in 6 invalid logins even though she/he is using the correct credentials... am I correct? That would result in being locked out from AD in case there is a threshold of <=6 tries...

    Addition: Above I assumed that login with the UPN is possible... or is this still only possible with the sAMAccountName? In this case the problem would only concern users not correctly logging in and being locked out after their first try...

    Best

    mik

  • Hi Michael, you will have to add all the UPNs used by the users of your infrastructure; in the services, add the servers. I attach a picture.

  • Hi Giuseppe,

    I know - so let's take your example: 2 domains... if you add 2 additional servers for redundancy purposes, that's 4 of them in total. If you have 4 domains, that's 8 in total...

    If a user is failing to authenticate (password/MFA typing error), the firewall is trying each authentication server, right? ==> 8 bad logins => account locked... am I right?

    Additionally: is it only possible to log in with the sAMAccountName or also with the UPN?

    Best

    mik

  • If we get a full name like a UPN (username + domain), we only try the applicable servers. If someone gives only a username without a domain (format domain\ or @domain), then we try all servers.

    The user would get deactivated in this scenario, that is correct.

    I would anyway highly encourage switching to a user+domain based authentication method, if applicable - meaning, also advise users not to simply log in as "user" to the firewall. Instead, use their email.

    __________________________________________________________________________________________________________________
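As an added illustration of the behaviour described in the article's Authentication > Servers step and in the reply above (this is example code written for this page, not Sophos Firewall code): a small Python model of how a login name is matched against the configured authentication servers, and how many failed logins a single mistyped password can generate. The host names, NetBIOS names, UPN suffixes and the lockout threshold are constructed sample values; the matching rule (UPN suffix or NetBIOS name narrows the list, a bare username tries every server) is an assumption taken only from the thread's description, not from the firewall's implementation.

```python
# Added example, not Sophos code: a model of login-name routing to
# authentication servers and of the resulting account-lockout exposure.
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthServer:
    host: str            # hostname as entered in Authentication > Servers
    netbios: str         # NetBIOS domain name used in DOMAIN\user logins
    upn_suffixes: tuple  # UPN suffixes whose accounts this server can verify


# Constructed sample list: two UPN domains, two domain controllers each
# for redundancy, as in the thread's scenario.
SERVERS = (
    AuthServer("dc1.sophoslab.local", "SOPHOSLAB", ("sophoslab.local", "sophoslab.eu")),
    AuthServer("dc2.sophoslab.local", "SOPHOSLAB", ("sophoslab.local", "sophoslab.eu")),
    AuthServer("dc1.pippo.sophoslab.eu", "PIPPO", ("pippo.sophoslab.eu",)),
    AuthServer("dc2.pippo.sophoslab.eu", "PIPPO", ("pippo.sophoslab.eu",)),
)


def parse_login(login: str):
    """Split a login into (user, hint).

    hint is ("upn", suffix) for user@suffix, ("netbios", DOMAIN) for
    DOMAIN\\user, and None for a bare username with no domain at all.
    Suffixes are lower-cased and NetBIOS names upper-cased because both
    are case-insensitive in AD.
    """
    login = login.strip()
    if "\\" in login:
        domain, user = login.split("\\", 1)
        return user, ("netbios", domain.upper())
    if "@" in login:
        user, suffix = login.rsplit("@", 1)
        return user, ("upn", suffix.lower())
    return login, None


def candidate_servers(login: str, servers=SERVERS):
    """Servers that would be tried for this login (assumed rule from the thread)."""
    _, hint = parse_login(login)
    if hint is None:
        # Bare username: nothing narrows the search, so every server is tried.
        return list(servers)
    kind, value = hint
    if kind == "netbios":
        return [s for s in servers if s.netbios == value]
    # Unknown suffix yields an empty list: the login fails without any bind.
    return [s for s in servers if value in s.upn_suffixes]


def lockout_risk(login: str, lockout_threshold: int, servers=SERVERS):
    """Failed binds produced by one mistyped password, and whether that alone
    reaches the AD account-lockout threshold (0 means lockout is disabled).

    Every server tried is counted as one bad login, as the thread describes.
    """
    tried = candidate_servers(login, servers)
    failures = len(tried)
    return {
        "tried": [s.host for s in tried],
        "failures_per_bad_password": failures,
        "locks_out": lockout_threshold > 0 and failures >= lockout_threshold,
    }


if __name__ == "__main__":
    # Constructed logins; a threshold of 3 shows the difference between the forms.
    for name in ("giuseppe", "giuseppe@sophoslab.eu",
                 "PIPPO\\giuseppe", "giuseppe@other.example"):
        print(f"{name:28} -> {lockout_risk(name, lockout_threshold=3)}")
```

With four servers and a lockout threshold of 3, a bare username with one wrong password already produces enough failures to lock the account, while the same typo with a UPN or DOMAIN\user login only touches the user's own two domain controllers. This is the reason for the advice to have users log in with their email-style UPN rather than a bare username.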

  • Hey Lucar Toni,

    thanks, that was exactly the input I needed!

  • I agree with what Luca wrote.

    In an Active Directory domain, each user in the forest is uniquely identified by their account's user principal name, or UPN. The UPN uses Request for Comments (RFC) 822, the Internet standard document that defines the email address format, as its naming convention:

    giuseppe@sophoslab.eu

    What's cool about the UPN user account attribute is that you can see where a user fits into your Active Directory forest. For instance, which of the following users is a member of the root domain, and which is a member of a child domain?

    giuseppe@sophoslab.eu

    giuseppe@pippo.sophoslab.eu

    UPNs help you avoid user name collisions in a forest. For example, you might have two Pat Smiths in two different forest domains.

    Windows Server allows you to add a new UPN suffix to your domain. After you ensure your user account's membership in either the Domain Admins or Enterprise Admins group, open the Active Directory Domains and Trusts Microsoft Management Console (MMC), right-click the root node, and select Properties from the shortcut menu. In the Active Directory Domains and Trusts window, enter the new UPN suffix and click Add. I show you the interface in the figure below.

    You can update the User logon name property for your affected domain users, either in the user's Properties sheet in Active Directory Users and Computers, or by using some PowerShell. There are many Microsoft guides; alternatively, you need to contact an expert in Active Directory.
  • Hello,
    Thanks for this wonderful tutorial. It really helped.
    I did notice a few issues with this, though.

    • Just entering the username without a domain fails.
    • Logins with the username and any of the domains are allowed and don't restrict the users to their assigned domain/UPN.

    What can be done to combat this?
    Thanks.

  • Thank you, I really appreciate your opinion on this article :-)

    The guide is designed in a generic way; each infrastructure has different needs and the configuration should be customized. I will answer the first question: it fails because the UPN contains name@domain; you could customize it and just take the name and not the UPN.

    The format used with the sAMAccountName is this: DomainName\AccountUserName. So, if your domain name (NetBIOS) was "sophoslab", you would access your workstation like this: sophoslab\giuseppe.

    This type of access method is still visible today, in Windows 10 and Windows 11. However, these more modern operating systems are designed with DNS in mind. This is why the preferred method of logging in today is via the "User Principal Name", based on DNS attributes.

    Second question: it is always Active Directory that responds to the firewall and allows the later "permission"; in Active Directory the user can have different UPNs, but it does not depend on Sophos.