
Sophos Firewall: Authentication Multi UPN configuration

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This Recommended Read explains how to configure authentication for users who have different UPN suffixes.

UPN

In Microsoft Active Directory, a User Principal Name (UPN) is a username and domain in an email address format. In a UPN, the username is followed by a separator "at sign" (@) followed by the active directory's internet domain.

For more reference, kindly see https://soph.so/2u4ivo

UPN suffixes form part of Active Directory (AD) login names. For example, if your login name is administrator@sophoslab.local, the part of the name to the right of the at sign (@) is known as the UPN suffix (so, in this case, sophoslab.local).

Editor’s Note: If you need a quick primer on what UPN is from a Microsoft perspective, an article about UPN on the Windows Developer Network elaborates: learn.microsoft.com/.../a-userprincipalname


“This attribute contains the UPN, an Internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this will map to the user email name. The value set for this attribute equals the length of the user’s ID and the domain name.”

Configuration

When you configure a new user account in AD, you’re given the option to select a UPN suffix, which, by default, will be the DNS name for your AD domain. There are situations where selecting UPN suffixes can be useful. If your AD domain name is sophoslab.local, it might be more convenient to assign users a UPN suffix of sophoslab.eu. To make additional UPN suffixes available, add them to AD.

Active Directory

Many customers have multiple UPN suffixes, especially when using hybrid solutions for O365 or Azure, or to meet organizational needs.

Open Active Directory. In the user properties, select Account and follow the screenshot for more details.

Sophos Firewall

Go to Network>DNS and enter the same names and IPs as configured on the Domain Controller.

Then go to Authentication>Servers and add the server.

This way, users are authenticated even if they have different UPN suffixes, as long as they belong to the same domain server.




Added TAG
[edited by: Erick Jan at 7:25 AM (GMT -7) on 17 Oct 2024]
Parents
  • Hello,
    Thanks for this wonderful tutorial. It really helped.
    I did notice a few issues though with this.

    • Just entering the username without a domain fails.
    • Logins with the username and any of the domains are allowed and don't restrict the users to their assigned domain/UPN.

    What can be done to combat this?
    Thanks.

  • Thank you, I really appreciate your opinion on this article :-)

    The guide is designed in a generic way; each infrastructure has different needs and the configuration should be customized. I will answer the first question: it fails because the UPN contains name@domain; you could customize it and just take the name and not the UPN.

    The format used in the sAMAccountName is this: DomainName\AccountUserName. So, if your domain name (NetBIOS) was "sophoslab," you would access your workstation like this: sophoslab\giuseppe.

    This type of access method is also visible today, in Windows 10 and Windows 11. However, these more modern operating systems are designed with DNS in mind. This is why the preferred method of logging in today is via the "User Principal Name," based on DNS attributes.

    Second question: it is always Active Directory that responds to the firewall and allows the later "permission"; in Active Directory the user can have different UPNs, but it does not depend on Sophos.

  • Great post.

    So I created a local DNS record on the XGS.

    Added the new Server with new domain name and new domain context. The test was a success.

    I was testing this and found out the user is still being authenticated using the NetBIOS name. Any idea?

    User authenticates on userportal with my.testuser@newdomainupn.com

    ERROR     Oct 14 11:08:05.189538Z [ADS_AUTH]: (adsauth_handle_authrequest): domain name '' not found
    ERROR     Oct 14 11:08:05.189561Z [ADS_AUTH]: (adsauth_handle_authrequest): domain name '' not found
    ERROR     Oct 14 11:08:05.234956Z [ADS_AUTH]: adsauth_bind: ldap_result failed: Invalid credentials
    ERROR     Oct 14 11:08:05.234976Z [ADS_AUTH]: adsauth_authenticate_user: 'dcname.newdomainupn.com:636': bind failed for User: 'netbiosdomainname\my.testuser'
    ERROR     Oct 14 11:08:05.235004Z [ADS_AUTH]: adsauth_authenticate_user: ADS Authentication Failed for User:'my.testuser@newdomainupn.com'
    ERROR     Oct 14 11:08:05.235167Z [ADS_AUTH]: adsauth_parse_error_msg: ad error no: 1326
    MESSAGE   Oct 14 11:08:05.235189Z [access_server]: (check_auth_result): REJECT2 for user my.testuser@newdomainupn.com (password is wrong)
    ERROR     Oct 14 11:08:05.235199Z [access_server]: check_auth_result: VPN/SSLVPN/MYACC Authentication Failed
    MESSAGE   Oct 14 11:08:05.235261Z [access_server]: (update_admin_access_table): ## Admin user authentication failed from IP 192.193.194

    Also I wonder how you would securely add the Server using LDAPS with certificate validation? Would you add the UPN Domain to the DC certificate? Currently I must uncheck "Validate server certificate" but for testing it's OK.

  • I found out it only works if samaccountname is equal to userprincipalname in ADS.
    In our case samaccountname would always be different.


    DEBUG     Oct 14 14:37:05.297662Z [ADS_AUTH]: (adsauth_handle_authrequest): Domain name not present in request
    DEBUG     Oct 14 14:37:05.297664Z [ADS_AUTH]: (adsauth_handle_authrequest): Extracted domainname 'newdomainupn.com' from username
    DEBUG     Oct 14 14:37:05.297831Z [ADS_AUTH]: insert_escape_sequence: string to process  my.testuser
    DEBUG     Oct 14 14:37:05.297834Z [ADS_AUTH]: insert_escape_sequence: after inserting escape seq my.testuser
    DEBUG     Oct 14 14:37:05.317113Z [ADS_AUTH]: adsauth_bind: asynchronus bind msgid: '1'
    INFO      Oct 14 14:37:05.358945Z [ADS_AUTH]: adsauth_bind: bind succedded for 'netbiosdomainname\my.testuser'
    DEBUG     Oct 14 14:37:05.358962Z [ADS_AUTH]: adsauth_authenticate_user: attr 'sAMAccountName' requested
    DEBUG     Oct 14 14:37:05.358966Z [ADS_AUTH]: adsauth_authenticate_user: attr 'userPrincipalName' requested
    DEBUG     Oct 14 14:37:05.358968Z [ADS_AUTH]: adsauth_authenticate_user: attr 'uid' requested
    DEBUG     Oct 14 14:37:05.358971Z [ADS_AUTH]: adsauth_authenticate_user: attr 'memberOf' requested
    DEBUG     Oct 14 14:37:05.358974Z [ADS_AUTH]: adsauth_authenticate_user: attr 'accountExpires' requested

    Can we workaround that?
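    The behaviour this thread's logs show, as an added Python model written for this page (not Sophos code): the suffix after "@" only selects the AD server, and the part before "@" is bound as netbiosdomainname\localpart, so the bind can only succeed when that part equals the account's sAMAccountName. The account records, NetBIOS name and suffix list are constructed; a "successful" bind here just means the local part names an existing account, with the honest user's own password assumed correct. It also covers the UPN splitting from the article above and the first reply's two complaints (bare usernames fail, any suffix is accepted), and the audit function lists the accounts that will hit this failure before the configuration is rolled out.

```python
# Constructed sample data (not real accounts) mirroring the two attributes
# the firewall log requests: sAMAccountName and userPrincipalName.
NETBIOS = "netbiosdomainname"   # constructed NetBIOS name of the single DC
SERVER_SUFFIXES = {"newdomainupn.com", "sophoslab.eu", "sophoslab.local"}
AD_USERS = [
    {"sAMAccountName": "my.testuser", "userPrincipalName": "my.testuser@newdomainupn.com"},
    {"sAMAccountName": "testusermy",  "userPrincipalName": "mytestuser@newdomainupn.com"},
    {"sAMAccountName": "giuseppe",    "userPrincipalName": "giuseppe@sophoslab.eu"},
]

def split_upn(login):
    """'user@suffix' -> (user, suffix); suffix is None when there is no '@'."""
    user, sep, suffix = login.partition("@")
    return user, (suffix.lower() if sep else None)

def find_by_sam(sam):
    """Look up a constructed record by sAMAccountName (case-insensitive)."""
    return next((u for u in AD_USERS if u["sAMAccountName"].lower() == sam.lower()), None)

def legacy_bind_name(login):
    """Bind identity the firewall builds from the login, or None when no usable
    domain is present (the "domain name '' not found" case for a bare username)."""
    user, suffix = split_upn(login)
    if suffix not in SERVER_SUFFIXES:
        return None
    return f"{NETBIOS}\\{user}"

def would_bind_succeed(login):
    """True when NETBIOS\\<localpart> resolves to an existing sAMAccountName.
    Note the suffix typed plays no part beyond selecting the server."""
    bind = legacy_bind_name(login)
    return bind is not None and find_by_sam(bind.split("\\", 1)[1]) is not None

def suffix_matches_account(login):
    """The extra check the first reply asks for: the suffix typed must be the
    one in that account's own userPrincipalName."""
    bind = legacy_bind_name(login)
    if bind is None:
        return False
    acct = find_by_sam(bind.split("\\", 1)[1])
    return acct is not None and acct["userPrincipalName"].lower() == login.lower()

def audit_mismatches(users):
    """UPNs whose local part differs from sAMAccountName: these accounts fail
    the legacy bind above (the 'testusermy' case in this thread)."""
    return [u["userPrincipalName"] for u in users
            if split_upn(u["userPrincipalName"])[0].lower() != u["sAMAccountName"].lower()]
```

    Running audit_mismatches over an export of your real users tells you which accounts need their sAMAccountName and UPN local part aligned before relying on this setup.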

  • Which service do you use? Heartbeat Auth? 
    Because, if we find a different SAMAccountname to UPN, we extract both and send it independently. 


  • Hi, I would have to understand the context of your infrastructure. In general you could use userprincipalname or sAMAccountName. Are you using AD with an updated schema?

    In the user's properties > attribute editor, are the two fields filled in?

    When you configured the new server, did you try entering sAMAccountName as an attribute instead of userprincipalname?

    It seems that the user authenticates with the userprincipalname my.testuser@newdomainupn.com, but his sAMAccountName netbiosdomainname\my.testuser is sent.

Children
  • I cannot reply here because the text contains information that looks like email address that is blocked by the community backend.

  • Thanks for your quick replies.

    @LuCar Toni my first test was only Userportal because that is the most basic way to test. But mostly our use case is Heartbeat Auth.

    @GiuseppeI yes, having both in AD attributes for the testuser and Firewall auth only works when I have it this way:
    samaccountname: my.testuser
    userprincipalname:  my.testuser@newdomainupn.com

    It does not work with
    SAM: testusermy
    UPN: my.testuser@newdomainupn.com

    Also not with
    SAM: testusermy
    UPN: mytestuser@newdomainupn.com


    AD schema is: 88 Windows Server 2019

    In the new server I set userprincipalname as the Display Name attribute, not samaccountname.

  • Heartbeat is different from User Portal. 

    Try heartbeat first in terms of authentication and check, if it works or not. 
