Unable to log in to user portal with Active Directory user?

So I set up an Active Directory backend group.  The test function authenticates just fine, but when I try to log in with such a user in the user portal, it fails with 'Invalid username/password, or access denied by policy'.  I've tried to follow the HOWTO by balfson, but no luck.  Not sure where to proceed :(



  • What do you learn from the following after attempting a failed login?

    grep 'caller="portal"' /var/log/aua.log|tail

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • NB: I have two RADIUS servers (the two DCs) and an AD server (one of the DCs).  The two RADIUS servers in Sophos are disabled for this test.  So I have this:

    2019:01:23-16:12:19 gateway aua[32464]: id="3006" severity="info" sys="System" sub="auth" name="Trying 10.0.0.13 (adirectory)"
    2019:01:23-16:12:19 gateway aua[32464]: id="3006" severity="info" sys="System" sub="auth" name="Server 10.0.0.7 (radius) is disabled"
    2019:01:23-16:12:19 gateway aua[32464]: id="3006" severity="info" sys="System" sub="auth" name="Server 10.0.0.13 (radius) is disabled"
    2019:01:23-16:12:19 gateway aua[32464]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="10.0.0.122" host="" user="dswartz" caller="portal" reason="DENIED"

    I just checked the DC's security log, and there are 'audit success' entries, not failure entries.  I am experimenting right now, so the Sophos VM's WAN is actually on my LAN, and its LAN interface is on another subnet.  So when it tries to talk to RADIUS or AD on the DC, it goes out the WAN.  I can't imagine that's at fault, as the DC *is* seeing requests.  Are there any other log entries you would like?

  • Oh, and 10.0.0.122 is my Windows 10 workstation that I am trying to connect to the portal with...

  • I think also this is not specific to AD.  If I disable 'adirectory' and enable either of the RADIUS servers, I get the exact same failure.  Same log snippet here:

    2019:01:23-16:20:00 gateway aua[652]: id="3006" severity="info" sys="System" sub="auth" name="Server 10.0.0.13 (adirectory) is disabled"
    2019:01:23-16:20:00 gateway aua[652]: id="3006" severity="info" sys="System" sub="auth" name="Server 10.0.0.7 (radius) is disabled"
    2019:01:23-16:20:00 gateway aua[652]: id="3006" severity="info" sys="System" sub="auth" name="Trying 10.0.0.13 (radius)"
    2019:01:23-16:20:00 gateway aua[652]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="10.0.0.122" host="" user="dswartz" caller="portal" reason="DENIED"

  • The UTM log is saying that your AD server has denied authentication.  Unless this is a new bug in V9.6, this has to be an issue with the DC and/or the password and/or the Backend Group and/or the Security Group in AD.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That's what I thought, but then why does it print an audit failure in the AD log when I enter an explicitly wrong password?  Also, I just retried the authentication test in the 'adirectory' screen and it worked, and I see this:

    2019:01:23-16:37:31 gateway aua[2236]: id="3006" severity="info" sys="System" sub="auth" name="Authentication test request: m:adirectory, f:none, u:dswartz, ip:0.0.0.0, host:"
    2019:01:23-16:37:31 gateway aua[2236]: id="3006" severity="info" sys="System" sub="auth" name="Testing method adirectory"
    2019:01:23-16:37:31 gateway aua[2236]: id="3006" severity="info" sys="System" sub="auth" name="Trying 10.0.0.13 (adirectory)"
    2019:01:23-16:37:31 gateway aua[2236]: id="3006" severity="info" sys="System" sub="auth" name="Authentication test successfull"
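
The aua.log excerpts above all share one layout: a timestamp, the host, an `aua[pid]` tag, then `key="value"` pairs. The following script is an added example (not part of the thread or of Sophos UTM) that parses lines in that format, groups them by the aua process id so the "Trying <server> (<method>)" line is attached to the id="3005" failure or the test success that follows it, and reproduces Bob's `grep 'caller="portal"'` with the backend that was actually tried shown alongside. The sample lines are constructed to match the excerpts in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the aua.log format quoted in the thread (not a real capture).
SAMPLE_LOG = """\
2019:01:23-16:12:19 gateway aua[32464]: id="3006" severity="info" sys="System" sub="auth" name="Trying 10.0.0.13 (adirectory)"
2019:01:23-16:12:19 gateway aua[32464]: id="3006" severity="info" sys="System" sub="auth" name="Server 10.0.0.7 (radius) is disabled"
2019:01:23-16:12:19 gateway aua[32464]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="10.0.0.122" host="" user="dswartz" caller="portal" reason="DENIED"
2019:01:23-16:37:31 gateway aua[2236]: id="3006" severity="info" sys="System" sub="auth" name="Trying 10.0.0.13 (adirectory)"
2019:01:23-16:37:31 gateway aua[2236]: id="3006" severity="info" sys="System" sub="auth" name="Authentication test successfull"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) aua\[(?P<pid>\d+)\]: (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')          # key="value" pairs, value may be empty
TRY_RE = re.compile(r'^Trying (?P<server>\S+) \((?P<method>\w+)\)$')

def parse_line(line):
    """Split one aua.log line into a dict of its fields; None if it is not an aua line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "pid": int(m["pid"])}
    rec.update(KV_RE.findall(m["rest"]))        # id, severity, name, user, caller, reason ...
    return rec

def summarize(text):
    """Group lines by aua pid: which backend(s) each attempt tried and how it ended."""
    attempts = defaultdict(lambda: {"tried": [], "result": None, "caller": None, "user": None})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        a = attempts[rec["pid"]]
        t = TRY_RE.match(rec.get("name", ""))
        if t:                                    # "Trying 10.0.0.13 (adirectory)"
            a["tried"].append((t["server"], t["method"]))
        elif rec.get("id") == "3005":            # "Authentication failed ..." with caller/reason
            a["result"] = rec.get("reason", "FAILED")
            a["caller"] = rec.get("caller")
            a["user"] = rec.get("user")
        elif rec.get("name", "").startswith("Authentication test success"):
            a["result"] = "TEST_OK"              # the backend-definition test button succeeded
    return dict(attempts)

def portal_denials(attempts):
    """Like grep 'caller=\"portal\"', but with the backend that was tried attached."""
    return [(a["user"], a["tried"], a["result"]) for a in attempts.values() if a["caller"] == "portal"]

if __name__ == "__main__":
    for user, tried, result in portal_denials(summarize(SAMPLE_LOG)):
        print(f"portal login for {user}: tried {tried} -> {result}")
```

Run over a real `/var/log/aua.log` by replacing `SAMPLE_LOG` with the file contents; a `DENIED` result after a single `adirectory` attempt, next to a `TEST_OK` for the same server, points the investigation at the backend group or AD group membership rather than at reachability.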
