This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

New Domain Join necessary after Firmware Update

Hi together,

I have some questions and hope you can help me with this. 

Configuration:

We have an enabled web protection (AD+SSO authentification) at one of our customers Sophos UTM`s. The UTM ist joined into the active directory.

Problem:

After every single firmware update (since nearly two years) we have to rejoin the UTM to the domain. If we do not, nobody can be authenticated and all users are not able to surf the internet because the web protection is blocking. When I look into the web protection log all username- and domain-fields are empty.

Workaround:

When I rejoin the UTM into the domain, everything is working fine again. 

Problem2:

The user that I use to rejoin the UTM to the domain gets locked out everytime I am doing a domain join. Nevertheless the domain join is successful. But why is the user account being locked out everytime?

Maybe someone had this problems before and is able to help me with this!?

Thank you and best regards,

Chris



This thread was automatically locked due to age.
Parents
  • Use dedicated AD user account for that purpose and configure "Password never expires" attribute along with "User cannot change password".
  • Thanks for the hint. Just had the situation again and rejoined the utm to the active directory with my domain admin. Before rejoining I activated "User cannot change password" and "password never expires" (which was already set before). After rejoining the UTM the account was locked out again and the "User cannot change password" option was deactivated again.

    What do you exactly mean by using a dedicated AD Account?

    Best Regards,

    Chris

Reply
  • Thanks for the hint. Just had the situation again and rejoined the utm to the active directory with my domain admin. Before rejoining I activated "User cannot change password" and "password never expires" (which was already set before). After rejoining the UTM the account was locked out again and the "User cannot change password" option was deactivated again.

    What do you exactly mean by using a dedicated AD Account?

    Best Regards,

    Chris

Children
  • Create AD account only for that purpose (for example sophosutm). It does not have to be domain admin, just a regular user account.

    Edit: with workstation domain join priviledges.

  • Hi vilic,

     

    is that best practise? Never heard of it before.

  • Changing the password of BIND DN user create problems with AD SSO, that is well known. But, changing the password of the user account who joined UTM to domain also create problems with AD backend sync. UTM saves that password locally, and can even be listed in clear text format (screenshot below).

    My best practice is to use separate account for UTM/AD integration, with password never expires option enabled. I don't remember that it is officially documented anywhere.

     

     

     

     

  • That´s very interesting and both statements, are absolutely new to me.

     

     

    vilic said:
    Changing the password of BIND DN user create problems with AD SSO, that is well known.

     

    I had some learning lessions with Sophos support directly, when we introduced SSO with our first customer. They told me, that the SSO (winbindd) has nothing to do with the AD Backend Server. So they say basically for SSO, you don´t need to configure an AD-Backend Server. I also configured the Backend Servers, to be able to test users etc... But up to the sophos support, it is not necessary.

     

    Wouldn´t this something, that should be in the RULZ?

     

    Regards

    Sebastian

  • Unknown said:

    I had some learning lessions with Sophos support directly, when we introduced SSO with our first customer. They told me, that the SSO (winbindd) has nothing to do with the AD Backend Server. So they say basically for SSO, you don´t need to configure an AD-Backend Server. I also configured the Backend Servers, to be able to test users etc... But up to the sophos support, it is not necessary.

    If I remember correctly backend server is not necessary only for Web Filtering module AD authentication.

    Edit: My terminology was wrong, I have equaled authentication with SSO in my previous post....:(
    Anyway the point is the same, use one AD separate account for both purposes and never change its password...;)

  • "Anyway the point is the same, use one AD separate account for both purposes and never change its password"

    Interesting, I've done that for as long as I can remember.  Probably learned it from someone here.  When I made Configuring HTTP/S proxy access with AD SSO, I demonstrated that my dedicated account was bob2, but I failed to mention that it was only used in my WebAdmin configuration.

    Thanks for making this explicit, vilic.  Yes, Sebastian, if vilic uses it, I think we can say it's a best practice! [;)]

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey vilic,

    thanks for your answer. This really was the solution for my problem that I was having for nearly two years now. 

    I just rejoined the utm with a dedicated user account (as you said) and voila....the account is not being locked out after joining. The best thing about this is that even after restarting the utm or the domain controllers I do NOT have to rejoin the utm to the active directory. 

    You definitely deserve a big crate of beer. Thank you so much.

    This thread is more than solved. :)

    Best regards,

    Chris