
Adding authentication to a site

I'm trying to add extra authentication to an internal site via Reverse Authentication. The site itself has no authentication.

The problem is with how the UTM treats our AD-based groups. If I add my user explicitly to the new Reverse Authentication profile - it'll work. But I don't want to explicitly add users - I want to use AD groups.

In our AD we have the following structure of groups:
1) Domain Admins (obviously have a LOT of permissions)
2) Linux Admins (contains Domain Admins, and anyone extra who's supposed to handle one of our Linux servers)
3) Docker Admins (contains Linux Admins, and anyone extra)

Since I'm trying to protect a Docker Repository "UI" site, I've created a new dynamic group in UTM and picked the Docker Admins group. All good, right?

Well... my Domain Admin user cannot log in. The logs only show the following line:

2022:11:10-08:55:30 firewall httpd[453]: [authnz_aua:error] [pid 453:tid 1507441520] [client 10.150.4.78:63273] [<username>] AUA responded with 'DENIED'
Testing my admin user in the "Authenticate example user" in the Active Directory entry under Authentication Services -> Servers works fine, but... doesn't list all the groups I'd expect it to list (which is probably the crux of the issue - it doesn't list the Docker Admins group I'd expect it to list).
It seems like UTM can't handle nested AD groups? Or is this something else?
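An added example to go with the question above (it is not code from the thread or from Sophos UTM): it resolves nested AD group membership offline from a constructed directory snapshot shaped like the thread's Domain Admins -> Linux Admins -> Docker Admins chain, shows how a lookup that only reads the user's own memberOf attribute, or that is restricted to a search base, fails to reach the Docker Admins group, and builds the LDAP filter that asks AD itself to expand nesting server-side. The DNs, the domain corp.example and the user names are placeholders; the only real identifier is the matching-rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN).

```python
"""Added example, not code from the thread or from Sophos UTM.

Resolves nested Active Directory group membership from a constructed, in-memory
directory snapshot and builds the LDAP filter that asks AD to do the same
expansion server-side. All DNs and the domain 'corp.example' are placeholders.
"""
from typing import Dict, List, Optional, Set

BASE_OU = "OU=Staff,DC=corp,DC=example"      # the dedicated OU mentioned in the thread
USERS_CN = "CN=Users,DC=corp,DC=example"     # where built-in groups such as Domain Admins live

DOMAIN_ADMINS = f"CN=Domain Admins,{USERS_CN}"
LINUX_ADMINS = f"CN=Linux Admins,{BASE_OU}"
DOCKER_ADMINS = f"CN=Docker Admins,{BASE_OU}"
ALICE = f"CN=alice,{BASE_OU}"   # constructed: a domain admin
BOB = f"CN=bob,{BASE_OU}"       # constructed: a direct Linux admin
CAROL = f"CN=carol,{BASE_OU}"   # constructed: a direct Docker admin

# Constructed snapshot: group DN -> set of member DNs (the group's 'member' attribute).
DIRECTORY: Dict[str, Set[str]] = {
    DOMAIN_ADMINS: {ALICE},
    LINUX_ADMINS: {DOMAIN_ADMINS, BOB},
    DOCKER_ADMINS: {LINUX_ADMINS, CAROL},
}


def direct_member_of(dn: str, directory: Dict[str, Set[str]]) -> Set[str]:
    """Groups that list `dn` directly: what the object's own memberOf attribute shows."""
    return {group for group, members in directory.items() if dn in members}


def transitive_member_of(dn: str, directory: Dict[str, Set[str]],
                         base_dn: Optional[str] = None) -> Set[str]:
    """Walk parent groups to a fixpoint (cycle-safe via the `seen` set).

    If `base_dn` is given, groups outside that subtree are dropped and not
    expanded further, which mimics a lookup restricted to a search base.
    """
    seen: Set[str] = set()
    frontier: List[str] = [dn]
    while frontier:
        current = frontier.pop()
        for group in direct_member_of(current, directory):
            if base_dn is not None and not group.endswith("," + base_dn):
                continue  # outside the search base: invisible to this lookup
            if group not in seen:
                seen.add(group)
                frontier.append(group)
    return seen


def is_member(user_dn: str, target_group_dn: str, directory: Dict[str, Set[str]],
              nested: bool = True, base_dn: Optional[str] = None) -> bool:
    """Membership check, either one level deep or through nested groups."""
    if nested:
        groups = transitive_member_of(user_dn, directory, base_dn)
    else:
        groups = direct_member_of(user_dn, directory)
    return target_group_dn in groups


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for values embedded in a filter, so a DN containing
    parentheses, '*' or a backslash cannot change the filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def nested_membership_filter(sam_account_name: str, target_group_dn: str) -> str:
    """Filter for an AD search that matches the user only if it is a transitive
    member of the group; 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN."""
    return ("(&(objectClass=user)(sAMAccountName={})"
            "(memberOf:1.2.840.113556.1.4.1941:={}))").format(
                ldap_escape(sam_account_name), ldap_escape(target_group_dn))


if __name__ == "__main__":
    print("alice direct      :", sorted(direct_member_of(ALICE, DIRECTORY)))
    print("alice transitive  :", sorted(transitive_member_of(ALICE, DIRECTORY)))
    print("alice, base-scoped:", sorted(transitive_member_of(ALICE, DIRECTORY, BASE_OU)))
    print("alice in Docker Admins (direct) :", is_member(ALICE, DOCKER_ADMINS, DIRECTORY, nested=False))
    print("alice in Docker Admins (nested) :", is_member(ALICE, DOCKER_ADMINS, DIRECTORY))
    print("filter:", nested_membership_filter("alice", DOCKER_ADMINS))
```

Running the filter with ldapsearch, bound as the same service account the UTM uses, is a quick way to confirm whether that account can see the nested membership at all; in the constructed snapshot the base-scoped walk for alice returns nothing, because Domain Admins lives under CN=Users rather than the dedicated OU, so the chain is cut before it reaches Docker Admins.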


  • The account used to authenticate against AD must have rights to read the group membership of users.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • I've granted the Sophos AD user read-permissions on all AD objects, yet it still cannot accurately determine which groups my AD admin user is a member of.

    Is this requirement documented somewhere? Possibly explicitly specifying which permissions are needed?

  • Is the admin account located within the "base-ou"?
    The authentication test should display the group membership if possible.


    Dirk


  • We keep all of our accounts within a dedicated OU so they don't get messed up with built-in groups and users.

    Sophos does detect a few of the groups my admin account is a member of, but not all of them. Specifically it's still not detecting nested cases, i.e. account is a member of group A, which is a member of group B which in turn is specified as a target group in Sophos.