SSO or alternate secure authentication with hardened AD

Hello,

Until now we used AD-SSO and it worked. Now we're in the process of hardening our AD and want to disable NTLM as far as possible.

Since the UPM uses NTLMv2 for SSO that's a problem. Of course we can define an exception to still allow NTLMv2 for the UTM but we want to avoid that. And if the UPM loses connection to the AD and needs to be joined again (had happened after some updates in the past) we still have to re-enable NTLMv1 and SMB1 on the DCs for the joining process as far as I understand. That's a lot of work in our environment.

That brings up multiple questions.

1. Is there a way to use AD-SSO without NTLM (Kerberos/Ldaps only)?

2. If not, is it "secure" to use "simple user authentication" instead with LDAPS against AD? Background of that question: I don't know how authentication against the proxy works with this setting and it's hard to find information about the details. I'm worried about compromised AD accounts by things like extracting/cracking hashes or sniffing clear-text passwords submitted somewhere.

3. What is the most "secure" way to do proxy authentication in your opinion? Local users/groups on the utm? We need to apply different filters to different users on the same machine (Terminal-Server for Internet-Access).

Thanks for reading. Hope you can help me.

  • Hallo DD and welcome to the UTM Community!

    Instead of setting Users' browsers to access the UTM web Proxy by using the IP address of the UTM, use an FQDN to force authentication by Kerberos instead of NTLM.  Does that do what you need?

    In any case, you might be interested in the Configuring HTTP/S proxy access with AD SSO KnowledgeBase article.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks. That way it was configured before we tried to change things. We last joined the UTM in 2008R2 days and after that migrated to Server 2016 DCs. No problems arose, but now we started logging for NTLM authentication and even with FQDN as proxy we got NTLM authentication.

    I then tried to rejoin the UTM to our domain (failed) and this led to research about how SSO is working and what's necessary. But info even here in the community forum seems to be outdated or incomplete.

    With your answer now that Kerberos should work I got back to the point we started: No way to rejoin the UTM to our domain. Error: "Failed to join domain: failed to lookup DC info for domain 'xy.ourdomain.zz' over rpc: Account restriction" user_name="xy(domain-admin-rights)" domain="xy.ourdomain.zz"

    I already re-enabled NTLMv1 and SMB1 but without success. Asking myself if this is really still necessary or old info for older versions.

    Also gone through this without finding a problem: support.sophos.com/.../KB-000035211

    Since it seems rpc-related, we currently enforce denial of vulnerable netlogon connections as stated here: support.microsoft.com/.../how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

    Any advice?
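The post above reports NTLM showing up in the logs even though clients reach the proxy by FQDN. Whether a client really did Kerberos or silently fell back to NTLM is decided inside the Negotiate token: an NTLM message always starts with the `NTLMSSP\0` signature, while a Kerberos token is a DER-framed GSS-API blob (leading `0x60`) carrying the Kerberos mechanism OID. The following Python script, added here as an illustration and not taken from the thread or from Sophos, classifies `Proxy-Authorization` headers on that basis and lists the clients that used NTLM. The log format, client addresses and token bodies are constructed for the example; the Kerberos/SPNEGO blobs are structural stand-ins that carry the real OID bytes, not captured tickets.

```python
import base64
import re

# DER encodings of the mechanism OIDs found inside GSS-API/SPNEGO tokens
# (RFC 4178 for SPNEGO, RFC 4121 for the Kerberos V5 GSS-API mechanism).
OID_KERBEROS_V5 = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2
OID_MS_KERBEROS = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2 (MS KRB5)
OID_SPNEGO      = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_NTLMSSP     = bytes.fromhex("060a2b06010401823702020a") # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # every NTLM message (type 1/2/3) starts with this

AUTH_RE = re.compile(r"Proxy-Authorization:\s*(\S+)(?:\s+(\S+))?", re.IGNORECASE)
CLIENT_RE = re.compile(r"client=(\S+)")


def classify_token(scheme, token_b64):
    """Classify one Proxy-Authorization value as kerberos / ntlm / basic / unknown."""
    s = scheme.lower()
    if s == "ntlm":
        return "ntlm"
    if s == "basic":  # clear-text credentials, only base64-encoded
        return "basic"
    if s not in ("negotiate", "kerberos") or not token_b64:
        return "unknown"
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    # NTLM fallback: the NTLM message is either sent raw or wrapped as the
    # SPNEGO mechToken/responseToken, so the signature appears in both cases.
    if NTLMSSP_SIGNATURE in raw:
        return "ntlm"
    # Kerberos: GSS-API initial context token (0x60) that names a Kerberos mechanism.
    if raw[:1] == b"\x60" and (OID_KERBEROS_V5 in raw or OID_MS_KERBEROS in raw):
        return "kerberos"
    return "unknown"


def summarize(log_lines):
    """Count auth schemes over proxy log lines and collect clients that used NTLM."""
    counts = {"kerberos": 0, "ntlm": 0, "basic": 0, "unknown": 0, "none": 0}
    ntlm_clients = []
    for line in log_lines:
        m = AUTH_RE.search(line)
        if not m:
            counts["none"] += 1
            continue
        kind = classify_token(m.group(1), m.group(2))
        counts[kind] += 1
        if kind == "ntlm":
            c = CLIENT_RE.search(line)
            ntlm_clients.append(c.group(1) if c else "?")
    return counts, ntlm_clients


def _b64(data):
    return base64.b64encode(data).decode("ascii")


# Constructed sample tokens (DER lengths are not exact; only the structure matters here).
NTLM_TYPE1 = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 24
SPNEGO_KERBEROS = (b"\x60\x30" + OID_SPNEGO + b"\xa0\x2a\x30\x28\xa0\x18\x30\x16"
                   + OID_MS_KERBEROS + OID_KERBEROS_V5 + b"\xa2\x04\x04\x02\x60\x00")
SPNEGO_NTLM = (b"\x60\x40" + OID_SPNEGO + b"\xa0\x3a\x30\x38\xa0\x0e\x30\x0c"
               + OID_NTLMSSP + b"\xa2\x2a\x04\x28" + NTLM_TYPE1)

# Constructed log lines in a made-up format (not the UTM's own log layout).
SAMPLE_LOG = [
    f"2024-05-02T08:00:01 client=10.1.1.20 CONNECT example.com:443 Proxy-Authorization: Negotiate {_b64(SPNEGO_KERBEROS)}",
    f"2024-05-02T08:00:02 client=10.1.1.21 CONNECT example.com:443 Proxy-Authorization: Negotiate {_b64(SPNEGO_NTLM)}",
    f"2024-05-02T08:00:03 client=10.1.1.22 CONNECT example.com:443 Proxy-Authorization: NTLM {_b64(NTLM_TYPE1)}",
    f"2024-05-02T08:00:04 client=10.1.1.23 CONNECT example.com:443 Proxy-Authorization: Basic {_b64(b'user:secret')}",
    "2024-05-02T08:00:05 client=10.1.1.24 CONNECT example.com:443 no auth header",
]

if __name__ == "__main__":
    counts, clients = summarize(SAMPLE_LOG)
    print(counts)
    print("clients that fell back to NTLM:", clients)
```

Clients that appear in the NTLM list after the proxy is addressed by FQDN are the ones to look at: for a Kerberos ticket to be issued at all, the client must address the proxy by a name for which an `HTTP/` service principal name exists on the UTM's AD computer account, and the client must be able to reach a KDC; a missing SPN, a lingering IP-based proxy setting or an unreachable KDC each produce exactly the silent NTLM fallback described in the post.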

  • I'm no Winserver guru.  The only thing you might try is deleting the UTM account in AD before trying to rejoin the domain.  Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • First thing I tried, and other things, too. Maybe someone else can help but I suppose I will end up with a support call.