New Domain Join necessary after Firmware Update

Question

Hi together, 
 I have some questions and hope you can help me with this. 
 Configuration : 
 We have an enabled web protection (AD+SSO authentification) at one of our customers Sophos UTM`s. The UTM ist joined into the active directory. 
 Problem : 
 After every single firmware update (since nearly two years) we have to rejoin the UTM to the domain. If we do not, nobody can be authenticated and all users are not able to surf the internet because the web protection is blocking. When I look into the web protection log all username- and domain-fields are empty. 
 Workaround : 
 When I rejoin the UTM into the domain, everything is working fine again. 
 Problem2: 
 The user that I use to rejoin the UTM to the domain gets locked out everytime I am doing a domain join. Nevertheless the domain join is successful. But why is the user account being locked out everytime? 
 
 Maybe someone had this problems before and is able to help me with this!? 
 
 Thank you and best regards, 
 Chris

vilic · Accepted Answer

Create AD account only for that purpose (for example sophosutm). It does not have to be domain admin, just a regular user account. 
 Edit: with workstation domain join priviledges.

vilic · Answer

Changing the password of BIND DN user create problems with AD SSO, that is well known. But, changing the password of the user account who joined UTM to domain also create problems with AD backend sync. UTM saves that password locally, and can even be listed in clear text format (screenshot below). 
 My best practice is to use separate account for UTM/AD integration, with password never expires option enabled. I don't remember that it is officially documented anywhere.

C_hris · Answer

Hey vilic, 
 thanks for your answer. This really was the solution for my problem that I was having for nearly two years now. 
 I just rejoined the utm with a dedicated user account (as you said) and voila....the account is not being locked out after joining. The best thing about this is that even after restarting the utm or the domain controllers I do NOT have to rejoin the utm to the active directory. 
 You definitely deserve a big crate of beer. Thank you so much. 
 This thread is more than solved. :) 
 Best regards, 
 Chris