This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unable to login to user portal with Active Directory user?

So I set up an Active Directory backend group.  The test function authenticates just fine, but when I try to login with such a user in the user portal, it fails with 'Invalid username/password, or access denied by policy'.  I've tried to follow the HOWTO by balfson, but no luck.  Not sure where to proceed :(



This thread was automatically locked due to age.
Parents
  • Is the user in a group that requires OTP for login?

    If so, it must be configured first.  Once configured, the OTP code must be appended to any login.

  • Not that I am aware of.  This is redundant windows server 2012R2 AD DCs.  Already using them for IMAP and SASL authentication for a couple of years now.  I manage the DCs myself, so I am able to look at the logs, if I had any idea what is wrong (and nothing obvious is.)  I have a "Backend Users" group using AD (which as I said, tests okay.)  If I try logging in to the portal, I can see several 'Audit Success' log entries, yet the login fails, so I'm guessing the "VPN Users" group's users on the DCs are missing something that Sophos UTM expects.  BTW, this is the latest and greatest software build (just installed this a couple of days ago.)

  • On the user portal configuration, you need to specify the groups that are allowed to use the portal.  Could this be the missing step?

  • Unfortunately, no.  I've tried with 'all users' checked and unchecked (in the latter case, I dragged the 'Backend Users' group to the DND pane...)  I *do* see various audit entries being made in the 2012 hosts's security log, but they are all 'success' entries.  It seems almost like whatever is being sent back by AD is being rejected by Sophos.  As an experiment to test that theory, I tried logging in as an AD user with a deliberately bad password and see this:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          1/22/2019 2:32:36 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      bdc.druber.com
    Description:
    An account failed to log on.

    Subject:
        Security ID:        SYSTEM
        Account Name:        BDC$
        Account Domain:        DRUBER
        Logon ID:        0x3E7

    Logon Type:            3

    Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:        dswartz
        Account Domain:        DRUBER

    Failure Information:
        Failure Reason:        Unknown user name or bad password. <=============== this was the login attempt with bogus password!
        Status:            0xC000006D
        Sub Status:        0xC000006A

    Process Information:
        Caller Process ID:    0x1cc
        Caller Process Name:    C:\Windows\System32\lsass.exe

    Network Information:
        Workstation Name:    BDC
        Source Network Address:    10.0.0.74
        Source Port:        52820

    Detailed Authentication Information:
        Logon Process:        Advapi  
        Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Reply
  • Unfortunately, no.  I've tried with 'all users' checked and unchecked (in the latter case, I dragged the 'Backend Users' group to the DND pane...)  I *do* see various audit entries being made in the 2012 hosts's security log, but they are all 'success' entries.  It seems almost like whatever is being sent back by AD is being rejected by Sophos.  As an experiment to test that theory, I tried logging in as an AD user with a deliberately bad password and see this:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          1/22/2019 2:32:36 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      bdc.druber.com
    Description:
    An account failed to log on.

    Subject:
        Security ID:        SYSTEM
        Account Name:        BDC$
        Account Domain:        DRUBER
        Logon ID:        0x3E7

    Logon Type:            3

    Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:        dswartz
        Account Domain:        DRUBER

    Failure Information:
        Failure Reason:        Unknown user name or bad password. <=============== this was the login attempt with bogus password!
        Status:            0xC000006D
        Sub Status:        0xC000006A

    Process Information:
        Caller Process ID:    0x1cc
        Caller Process Name:    C:\Windows\System32\lsass.exe

    Network Information:
        Workstation Name:    BDC
        Source Network Address:    10.0.0.74
        Source Port:        52820

    Detailed Authentication Information:
        Logon Process:        Advapi  
        Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Children
No Data