
AD authentication

Active Directory SSO: This mode will attempt to authenticate the user who is currently logged in to the computer as the user of the proxy (single sign on). If the currently logged in user is a valid AD user with permission to use the proxy, the authentication should occur with no user interaction. You must have configured Active Directory Single Sign-On (SSO) on the Definitions & Users > Authentication Services > Servers tab. Clients can authenticate with NTLM (or Kerberos if Mac). For some environments additional configuration is required on the endpoint. If you are having problems with SSO in transparent mode, please see the Sophos Knowledge Base.

Note – When defining the Active Directory user group, we highly recommend adding the desired entries to the Active Directory groups box by manually entering the plain Active Directory group or user names instead of the LDAP strings. Example: Instead of an LDAP string CN=ads_group1,CN=Users,DC=example,DC=com, just enter the name ads_group1.

Does everybody do the above, i.e. just use the simple AD name rather than the LDAP?

  • Curious. I have used LDAP syntax for all of my configured groups. I just went through the wizard to create a new one, and the browse process creates an LDAP-style name. Never tried using an unqualified name.

    The obvious benefit of using an unqualified name is that the definition does not break if the group object is moved within Active Directory. So if it works, it is desirable. Active Directory will ensure that the unqualified name is unique.
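The DN-to-plain-name conversion the quoted note describes, as an added example that is not code from the thread or from Sophos: it extracts the leaf CN from LDAP strings such as CN=ads_group1,CN=Users,DC=example,DC=com (handling RFC 4514 escaping) and flags plain names that more than one existing DN would map to, so the uniqueness point raised in the reply can be checked before switching a configuration over. The sample DN list is constructed; only the first entry comes from the note.

```python
# Added example, not from the thread or Sophos: converts LDAP group DNs like the
# quoted CN=ads_group1,CN=Users,DC=example,DC=com to the plain name the note recommends.
from typing import Dict, List

def _unescape(value: str) -> str:
    # Undo RFC 4514 escaping: '\X' for special chars, '\XX' hex pairs (UTF-8 bytes).
    buf, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                buf.append(int(pair, 16))
                i += 3
            else:
                buf.extend(value[i + 1].encode("utf-8"))
                i += 2
        else:
            buf.extend(value[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8", "replace")

def leaf_name(entry: str) -> str:
    # Leaf RDN value of a DN ('ads_group1' for the quoted DN); a plain name passes through.
    entry, i = entry.strip(), 0
    while i < len(entry):  # stop at the first unescaped comma
        if entry[i] == "\\":
            i += 2
        elif entry[i] == ",":
            break
        else:
            i += 1
    first = entry[:i]
    if "=" not in first:
        return entry
    return _unescape(first.partition("=")[2].strip())

def to_plain_names(entries: List[str]) -> Dict[str, List[str]]:
    # Plain name -> entries producing it. More than one entry means the plain form
    # is ambiguous (a CN is only unique within its container): review before switching.
    result: Dict[str, List[str]] = {}
    for entry in entries:
        result.setdefault(leaf_name(entry), []).append(entry)
    return result

SAMPLE_ENTRIES = [  # constructed; only the first DN is from the quoted note
    "CN=ads_group1,CN=Users,DC=example,DC=com",
    "CN=Proxy Users\\, EMEA,OU=Groups,DC=example,DC=com",  # escaped comma in the name
    "CN=ads_group1,OU=Legacy,DC=example,DC=com",  # same CN in another container
    "ads_group2",  # already a plain name
]
```

Running `to_plain_names(SAMPLE_ENTRIES)` reports `ads_group1` twice, which is exactly the case to resolve (or keep as a DN) before replacing LDAP strings with plain names.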
