
AD authentication

Active Directory SSO: This mode will attempt to authenticate the user who is currently logged in to the computer as the user of the proxy (single sign on). If the currently logged in user is a valid AD user with permission to use the proxy, the authentication should occur with no user interaction. You must have configured Active Directory Single Sign-On (SSO) on the Definitions & Users > Authentication Services > Servers tab. Clients can authenticate with NTLM (or Kerberos if Mac). For some environments additional configuration is required on the endpoint. If you are having problems with SSO in transparent mode, please see the Sophos Knowledge Base.

Note – When defining the Active Directory user group, we highly recommend adding the desired entries to the Active Directory groups box by manually entering the plain Active Directory group or user names instead of the LDAP strings. Example: Instead of an LDAP string CN=ads_group1,CN=Users,DC=example,DC=com, just enter the name ads_group1.

Does everybody do the above, i.e., just use the simple AD name rather than the LDAP string?



This thread was automatically locked due to age.
  • Curious. I have used LDAP syntax for all of my configured groups. I just went through the wizard to create a new one, and the browse process creates an LDAP-style name. Never tried using an unqualified name.

    The obvious benefit of using an unqualified name is that the definition does not break if the group object is moved within Active Directory.  So if it works, it is desirable.  Active Directory will ensure that the unqualified name is unique.
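    The note in the original post and the point about group moves can be made concrete with a small simulation. This is an added example, not code from the thread or from Sophos: it uses a constructed in-memory directory (no LDAP connection), a simplified RFC 4514 DN parser, and a hypothetical `user_allowed` check that resolves a configured group reference either as a full DN or as a plain name. It shows that after the group object is moved to another OU, the DN-based reference stops matching (users silently lose proxy access), while the plain-name reference still resolves.

```python
"""Added example (not Sophos code): DN-based vs plain-name group references
in a proxy access rule, and what happens when the AD group object is moved.
All directory data below is constructed for the demonstration."""
import re
from dataclasses import dataclass


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) RDN pairs.

    Simplified RFC 4514 handling: a backslash-escaped comma inside a value
    (e.g. "CN=Smith\\, John") is kept as part of the value; multi-valued
    RDNs (a+b=...) are not supported. Attribute names are lower-cased so
    CN= and cn= compare equal.
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, sep, value = part.partition('=')
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.replace('\\,', ',').strip()))
    return rdns


def normalize_dn(dn: str) -> list[tuple[str, str]]:
    """Case-insensitive form of a DN for comparison (AD DNs are case-insensitive)."""
    return [(attr, value.lower()) for attr, value in parse_dn(dn)]


@dataclass(frozen=True)
class Group:
    name: str   # plain AD name (sAMAccountName), unique within the domain
    dn: str     # current distinguished name, which changes when the object is moved


def move_group(group: Group, new_parent_dn: str) -> Group:
    """Simulate moving the group object to another container/OU.

    Only the DN changes; the plain name is untouched, just as in AD.
    """
    attr, value = parse_dn(group.dn)[0]
    return Group(group.name, f"{attr.upper()}={value},{new_parent_dn}")


def reference_is_dn(ref: str) -> bool:
    """Hypothetical rule: a reference containing '=' is treated as an LDAP DN."""
    return '=' in ref


def user_allowed(configured_ref: str, user_groups: list[Group]) -> bool:
    """Hypothetical access check: does any of the user's groups match the
    group reference configured in the proxy rule?"""
    if reference_is_dn(configured_ref):
        wanted = normalize_dn(configured_ref)
        return any(normalize_dn(g.dn) == wanted for g in user_groups)
    return any(g.name.lower() == configured_ref.lower() for g in user_groups)


def demo() -> tuple[tuple[bool, bool], tuple[bool, bool]]:
    """Return ((dn_ok, name_ok) before the move, (dn_ok, name_ok) after it)."""
    group = Group("ads_group1", "CN=ads_group1,CN=Users,DC=example,DC=com")
    by_dn = "CN=ads_group1,CN=Users,DC=example,DC=com"   # what the wizard writes
    by_name = "ads_group1"                                # what the note recommends

    before = (user_allowed(by_dn, [group]), user_allowed(by_name, [group]))
    moved = move_group(group, "OU=Proxy Users,DC=example,DC=com")
    after = (user_allowed(by_dn, [moved]), user_allowed(by_name, [moved]))
    return before, after


if __name__ == "__main__":
    (dn_before, name_before), (dn_after, name_after) = demo()
    print(f"before move: DN ref={dn_before}, name ref={name_before}")
    print(f"after move:  DN ref={dn_after}, name ref={name_after}")
```

    The failure mode here is fail-closed (the DN no longer matches, so authentication by group silently fails for everyone in it), which is the kind of outage that is hard to trace back to an OU reorganisation; matching on the unique plain name avoids it.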

  • The article Louis links to was written based on my Configuring HTTP/S proxy access with AD SSO, written years ago.  If using the complete LDAP string now is reliable, I wouldn't know as I always base Backend Groups on the unqualified name.  I hadn't thought of the additional benefit you mention, Doug.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I was playing about with it and yes it does put in the full LDAP reference via the wizard. So, I deleted that part and just used the name and it does work although I don't think I'm in any hurry to change the whole thing.

  • Wasn't aware of that but thanks for pointing to that.

    Best regards

    Alex
