
Sophos SG: OTP doesn't work with WAF, OTP with Userportal works well

Hello, I configured OTP to protect Exchange 2016 OWA and ECP. OTP works well for the User Portal (login with username / password + PIN).

But if I open ECP or OWA I get the logon screen, and now I cannot log in with username / password + PIN; if I use only username / password (WITHOUT PIN!) I can log on.

What is the problem?!? It seems that the SG doesn't append the PIN when it compares the password?!?


My configuration (sorry, it is in German, but the screenshots are in English): https://www.leibling.de/owa-und-ecp-mit-sophos-per-2fa-bzw-otp-zusaetzlich-schuetzen/

OTP Based on: https://networkguy.de/?p=996

WAF based on: https://networkguy.de/?p=998 and https://www.frankysweb.de/sophos-utm-9-4-waf-und-exchange-2016/

Sophos SG is a Home License, version 9.601-5; in front of the WAN is a cable router (transit network 192.168.178.0/24, Sophos is the exposed host).

Is any other information required to help?


Thanks a lot for your help and have a nice weekend :).



This thread was automatically locked due to age.
  • If the PIN is not required, the login may not be coming from the UTM.

    You either have an OTP exception (check the OTP scope settings), or the UTM is already logged in but Exchange did not get the Basic Authentication autologin.

  • Hello DouglasFoster, thanks for your fast reply.

    I changed the authentication to Basic Auth on IIS and rebooted the server.

    Then I opened my OWA address in my web browser and got the OTP login form. I entered my username and password + PIN into the field and tried to log on, but got a logon error (from the Sophos login form). Then I tried only username and password (without PIN!), and got the OWA login form (I am not logged in directly) and have to log in again.

    Now there are more questions:

    a) After logging in via the OTP login, do I have to log on a second time?

    b) What do you mean by OTP scope, and where can I find or configure it?

    c) What is the problem, why doesn't it work with password + PIN?!?

    Thanks a lot for your help :).
