
Member of Active Directory Protected Users Group: No Webadmin login possible

Hi there,

I found a four-year-old entry here in the forums where somebody asked why a member of the Protected Users group in Active Directory is not able to log in to Webadmin of the Sophos XG. This issue still seems to exist.

The Protected Users group is a safety measure, available since Windows Server 2012, into which you can put accounts with higher privileges. It ensures that safer settings regarding AD authentication are applied to these accounts (for example, no NTLM for such users).

We would like to use AD accounts to log in as admins to the Sophos, but as long as such users are protected, you receive an error message in the web GUI that the credentials are wrong. On the domain controller, the following error is logged:

"NTLM authentication failed because the account was a member of the Protected User group."

Why is that? The firewall is configured for NTLM & Kerberos, so Kerberos auth should be possible. I also confirmed that I find "Kerberos authentication initialized successfully with XXX" in the logs.

Does anyone have an idea or tip for us (except creating a dedicated local admin account or a dedicated unprotected admin account for that reason, of course)?

Thanks and best regards

Juergen Walterscheidt



Added TAGs
[edited by: Erick Jan at 11:42 PM (GMT -7) on 23 May 2024]
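
A diagnostic sketch for the symptom described in the post, added here as an example and not part of the original post or of Sophos tooling: it lists the Protected Users members and pulls the domain controller events that record which protocol was refused. It assumes an elevated session on a domain controller with the ActiveDirectory module, a 24-hour lookback window chosen for illustration, and that the event message names the account (the `Account` column is a plain text match).

```powershell
# Added example. Run in an elevated PowerShell session on a domain controller.
# Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$logName  = 'Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController'
$lookback = (Get-Date).AddHours(-24)   # assumption: the failed login was within the last day

# Accounts the Protected Users restrictions apply to (nested groups resolved).
$protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName

# This channel is disabled by default; if it is off there is nothing to query.
$log = Get-WinEvent -ListLog $logName
if (-not $log.IsEnabled) {
    Write-Warning "$logName is disabled. Enable it, retry the Webadmin login, then run this again."
    return
}

# 100 = NTLM sign-in refused; 104 = Kerberos refused because DES or RC4 was requested.
$reason = @{ 100 = 'NTLM used'; 104 = 'Kerberos with DES/RC4' }

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 100, 104
    StartTime = $lookback
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $msg = $_.Message
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Reason  = $reason[$_.Id]
        # Heuristic: which protected account name appears in the message text, if any.
        Account = ($protected | Where-Object { $msg -match [regex]::Escape($_) }) -join ','
        Message = ($msg -split "`r?`n")[0]
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Event 100 rows timed at the failed Webadmin login mean the request reached the domain controller as NTLM; event 104 rows mean Kerberos was attempted but with an encryption type Protected Users does not allow.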