Hey Guys
Since I work a lot with AD authentication to limit auth to backend groups, I wanted to implement it for another customer running 2x SG450 in Active/Passive HA on Version 9.413-4.
I went through the standard procedure until:
- Adding Authentication Server, type: Active Directory, Bind DN: CN=Sophos, Service,OU=xxx,OU=yyy,DC=domain,DC=com
- Test1: Test server settings = "Server test passed."
- Test2: Authenticate example user = "Authentication test passed.", Group memberships as expected!
- AUA-Log: Perfect -> everything as expected
- Adding "Prefetch Directory Users" Group, hitting "Prefetch now", checking Directory Prefetch Log:

    user_prefetch[11958]: Connecting to ldap server
    user_prefetch[11958]: ldap server: ldap://10.42.9.40:389
    user_prefetch[11958]: Bind failed
    user_prefetch[11958]: ldap connection failed
    user_prefetch[11958]: exiting...

- No logging in AUA-Log.
After going insane and wading through blood for several days, I fell back to trial and error. I'll be very short on this -> This is what I found:
If you change the Bind DN against the User Principal Name (UPN): SophosService@domain.com everything runs smoothly. Not only the "Test", also the prefetching of the accounts.
As I work a lot with backend AD group memberships for SSL-VPN connections, I'm afraid to update my other customers to Version 9.413-4 now.
I'm not really interested in changing the DNs against UPN style, because that is much slower in authentication!
My question to you guys: Did you recognize that issue in your environments? And if so: Did anybody raise a ticket or get any feedback from SOPHOS?
Thanks so much for Feedback!
Cheers
Janbo
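One check worth running against a Bind DN like the one quoted in the post: the CN value "Sophos, Service" contains a comma, and RFC 4514 requires a comma inside an RDN value to be escaped as "\," (otherwise an LDAP client is entitled to read it as a separator and see a stray RDN with no attribute). The script below is an added example, not code from the post or from Sophos; it splits a DN into RDNs with RFC 4514 escaping rules and builds a correctly escaped DN from its components, so you can compare what a client sees for the unescaped and the escaped spelling. The DN values are the ones from the post; whether this escaping is what the UTM prefetch path trips over is an assumption, not something the post establishes.

```python
"""Added example: RFC 4514 DN splitting/escaping check for an LDAP bind DN.

Not from the forum post or from Sophos. It shows how an LDAP client
parses a DN whose CN value contains an unescaped comma, versus the
same DN written with RFC 4514 escaping.
"""


def split_dn(dn: str) -> list:
    """Split a DN into RDN strings, honouring backslash escapes.

    An unescaped ',' ends an RDN; a '\\,' pair is kept inside the value.
    """
    rdns = []
    current = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # keep the escape pair as part of the value
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value per RFC 4514 section 2.4.

    Special characters anywhere: , + " \\ < > ;
    A leading '#' or space and a trailing space are also escaped.
    """
    special = ',+"\\<>;'
    out = "".join("\\" + c if c in special else c for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def build_dn(components) -> str:
    """Build a DN string from (attribute, value) pairs with proper escaping."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in components)


def check_dn(dn: str):
    """Return (rdns, problems).

    'problems' lists RDNs that contain no '=', which is the tell-tale
    of a separator inside a value that was not escaped.
    """
    rdns = split_dn(dn)
    problems = [r for r in rdns if "=" not in r]
    return rdns, problems


# Values taken from the post; the comma inside the CN is left unescaped.
UNESCAPED_DN = "CN=Sophos, Service,OU=xxx,OU=yyy,DC=domain,DC=com"

# The same components, assembled with RFC 4514 escaping.
ESCAPED_DN = build_dn([
    ("CN", "Sophos, Service"),
    ("OU", "xxx"),
    ("OU", "yyy"),
    ("DC", "domain"),
    ("DC", "com"),
])


if __name__ == "__main__":
    for label, dn in (("unescaped", UNESCAPED_DN), ("escaped", ESCAPED_DN)):
        rdns, problems = check_dn(dn)
        print(f"{label}: {dn}")
        print("  RDNs:", rdns)
        print("  suspicious RDNs:", problems or "none")
```

Running it prints the unescaped DN split into six pieces, one of which ("Service") has no attribute, while the escaped spelling "CN=Sophos\, Service,OU=xxx,..." keeps the CN as a single RDN. If the escaped DN binds where the original did not, you have a configuration fix that avoids switching to the slower UPN-style bind; if it does not, the DN syntax is ruled out and the prefetch failure lies elsewhere.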