Thread Info
Options
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unable to login to user portal with Active Directory user?

dswartz

So I set up an Active Directory backend group.  The test function authenticates just fine, but when I try to login with such a user in the user portal, it fails with 'Invalid username/password, or access denied by policy'.  I've tried to follow the HOWTO by balfson, but no luck.  Not sure where to proceed :(



This thread was automatically locked due to age.
  • 0

    Is the user in a group that requires OTP for login?

    If so, it must be configured first.  Once configured, the OTP code must be appended to any login.

    • 0 in reply to DouglasFoster

      Not that I am aware of.  This is redundant windows server 2012R2 AD DCs.  Already using them for IMAP and SASL authentication for a couple of years now.  I manage the DCs myself, so I am able to look at the logs, if I had any idea what is wrong (and nothing obvious is.)  I have a "Backend Users" group using AD (which as I said, tests okay.)  If I try logging in to the portal, I can see several 'Audit Success' log entries, yet the login fails, so I'm guessing the "VPN Users" group's users on the DCs are missing something that Sophos UTM expects.  BTW, this is the latest and greatest software build (just installed this a couple of days ago.)

      • 0 in reply to dswartz

        On the user portal configuration, you need to specify the groups that are allowed to use the portal.  Could this be the missing step?

        • 0 in reply to DouglasFoster

          Unfortunately, no.  I've tried with 'all users' checked and unchecked (in the latter case, I dragged the 'Backend Users' group to the DND pane...)  I *do* see various audit entries being made in the 2012 hosts's security log, but they are all 'success' entries.  It seems almost like whatever is being sent back by AD is being rejected by Sophos.  As an experiment to test that theory, I tried logging in as an AD user with a deliberately bad password and see this:

          Log Name:      Security
          Source:        Microsoft-Windows-Security-Auditing
          Date:          1/22/2019 2:32:36 PM
          Event ID:      4625
          Task Category: Logon
          Level:         Information
          Keywords:      Audit Failure
          User:          N/A
          Computer:      bdc.druber.com
          Description:
          An account failed to log on.

          Subject:
              Security ID:        SYSTEM
              Account Name:        BDC$
              Account Domain:        DRUBER
              Logon ID:        0x3E7

          Logon Type:            3

          Account For Which Logon Failed:
              Security ID:        NULL SID
              Account Name:        dswartz
              Account Domain:        DRUBER

          Failure Information:
              Failure Reason:        Unknown user name or bad password. <=============== this was the login attempt with bogus password!
              Status:            0xC000006D
              Sub Status:        0xC000006A

          Process Information:
              Caller Process ID:    0x1cc
              Caller Process Name:    C:\Windows\System32\lsass.exe

          Network Information:
              Workstation Name:    BDC
              Source Network Address:    10.0.0.74
              Source Port:        52820

          Detailed Authentication Information:
              Logon Process:        Advapi  
              Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
              Transited Services:    -
              Package Name (NTLM only):    -
              Key Length:        0

          This event is generated when a logon request fails. It is generated on the computer where access was attempted.

          The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

          The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

          The Process Information fields indicate which account and process on the system requested the logon.

          The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

          The authentication information fields provide detailed information about this specific logon request.
              - Transited services indicate which intermediate services have participated in this logon request.
              - Package name indicates which sub-protocol was used among the NTLM protocols.
              - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

      • 0

        What do you learn from the following after attempting a failed login?

        grep 'caller="portal"' /var/log/aua.log|tail

        Cheers - Bob

         
        Sophos UTM Community Moderator
        Sophos Certified Architect - UTM
        Sophos Certified Engineer - XG
        Gold Solution Partner since 2005
        MediaSoft, Inc. USA
        • 0 in reply to BAlfson

          NB: I have two radius servers (the two DCs) and an AD server (one of the DCs).  The two radius servers in sophos are disabled for this test.  So I have this:

          2019:01:23-16:12:19 gateway aua[32464]: id="3006" severity="info" sys="System" sub="auth" name="Trying 10.0.0.13 (adirectory)"
          2019:01:23-16:12:19 gateway aua[32464]: id="3006" severity="info" sys="System" sub="auth" name="Server 10.0.0.7 (radius) is disabled"
          2019:01:23-16:12:19 gateway aua[32464]: id="3006" severity="info" sys="System" sub="auth" name="Server 10.0.0.13 (radius) is disabled"
          2019:01:23-16:12:19 gateway aua[32464]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="10.0.0.122" host="" user="dswartz" caller="portal" reason="DENIED"

          I just checked the DC's security log, and there are 'audit success' not failure entries.  I am experimenting right now, so the sophos VM WAN is actually on my LAN, and its LAN interface is on another subnet.  So when it tries to talk to radius or AD on the DC, it goes out the WAN.  I can't imagine that's at fault, as the DC *is* seeing requests.  Are there any other log entries you would like?

          • 0 in reply to dswartz

            Oh, and 10.0.0.122 is my windows 10 workstation that I am trying to connect to the portal with...

            • 0 in reply to dswartz

              I think also this is not specific to AD.  If I disable 'adirectory' and enable either of the radius servers, I get the exact same failure.  Same log snippet here:

              2019:01:23-16:20:00 gateway aua[652]: id="3006" severity="info" sys="System" sub="auth" name="Server 10.0.0.13 (adirectory) is disabled"
              2019:01:23-16:20:00 gateway aua[652]: id="3006" severity="info" sys="System" sub="auth" name="Server 10.0.0.7 (radius) is disabled"
              2019:01:23-16:20:00 gateway aua[652]: id="3006" severity="info" sys="System" sub="auth" name="Trying 10.0.0.13 (radius)"
              2019:01:23-16:20:00 gateway aua[652]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="10.0.0.122" host="" user="dswartz" caller="portal" reason="DENIED"

              • 0 in reply to dswartz

                The UTM log is saying that your AD server has denied authentication.  Unless this is a new bug in V9.6, this has to be an issue with the DC and/or the password and/or the Backend Group and/or the Security Group in AD.

                Cheers - Bob

                 
                Sophos UTM Community Moderator
                Sophos Certified Architect - UTM
                Sophos Certified Engineer - XG
                Gold Solution Partner since 2005
                MediaSoft, Inc. USA
                • 0 in reply to BAlfson

                  That's what I thought, but then why does it print an audit failure in the AD log when i enter an explicitly wrong password?  Also, I just retried the authentication test in the 'adirectory' screen and it worked, and I see this:

                  2019:01:23-16:37:31 gateway aua[2236]: id="3006" severity="info" sys="System" sub="auth" name="Authentication test request: m:adirectory, f:none, u:dswartz, ip:0.0.0.0, host:"
                  2019:01:23-16:37:31 gateway aua[2236]: id="3006" severity="info" sys="System" sub="auth" name="Testing method adirectory"
                  2019:01:23-16:37:31 gateway aua[2236]: id="3006" severity="info" sys="System" sub="auth" name="Trying 10.0.0.13 (adirectory)"
                  2019:01:23-16:37:31 gateway aua[2236]: id="3006" severity="info" sys="System" sub="auth" name="Authentication test successfull"

                   

                   

                   

                  • 0 in reply to BAlfson

                    I wonder if the portal is passing something I don't expect?  I am using the exact same name and password in the portal as in the authentication test, and the former fails, but the latter works.  And if the problem was on the AD end, I would expect to see an audit failure message (as I do in fact see if I enter a wrong password.)  Is there a way to turn up verbosity/debugging to see what the portal is doing?  Thanks!

                    • 0 in reply to dswartz

                      Just as another data point: I created an L2TP server on the sophos VM, specifying the same radius server with the same credentials.  It connects just fine, so it's something the portal is doing or not doing.

                      • 0 in reply to dswartz

                        Aha, success! (sort of).  I had been unable to get radius working from the portal either.  Perusing of the failure log on the DC, the portal is passing an authentication type of PAP, which is insecure, so disallowed by default.  As an experiment, I enabled the insecure protocols, and now, I can get to the User Portal.  I obviously don't want this as a 'real solution', so I think I have to have two NPS policies on the DC: one secure one for however authenticate for an SSL VPN, and one that allows PAP, but only from the portal.  Active Directory is still not working, but I think I have to declare victory and move on (although I'd love to know what the problem is...)

                        • 0 in reply to dswartz

                          A.D. integration works well.  You should open a support case.

                          • 0 in reply to DouglasFoster

                            A few more possibilities:

                            • Based on other reports, rebooting UTM sometimes makes weird problems disappear.
                            • Taking UTM out of AD (by rejoining it with an invalid login), deleting the object, and then rejoining AD will also fix some weirdness.   Do not remember if you have already done that.
                            • Check whether there is a time synchronization problem.   UTM should connect to the PDC Emulator and get time from that machine as well.
                            • 0 in reply to DouglasFoster

                              Well, I'm stumped.  I hadn't joined the UTM to the domain with single sign-on - didn't think that was a requirement.  I have this in my two AD server configs:

                               

                              BIND DN: CN=Administrator,CN=users,DC=druber,DC=com

                              BASE DN: CN=users,DC=druber,DC=com

                               

                              Test server settings and authenticate example user both work.  The portal doesn't.  When I click on limit users when defining the active directory group, it shows me as list of the normal users, which I can drag to the lower pane, and it looks okay.  My entry:

                              CN=Dan Swartzendruber,CN=Users,DC=druber,DC=com

                               

                              In the above case, samAccountName is 'dswartz'.  This is what I tested authentication with for both AD servers, and it works.  Is this maybe not what should be going in the user portal username box?