WAF reverse AD auth - domain\user turns into domain\\user

Dear Sophos community,
we are currently setting up WAF to work with our Exchange services. Exchange version is 2007 at the moment, we plan to migrate to 2016 next year.

All our Windows Outlook users authenticate with DOMAIN\user, which works fine as long as we don't reverse authenticate with WAF. As soon as WAF handles the authentication, we see a "double \\" in DOMAIN\\user in the log and failed authentications.

We found some approaches to work around this issue, but none of them is what we really want. RADIUS for example is not an option, as we do not have redundant RADIUS servers yet.

We also found a reference in Mantis to an old issue that was reportedly fixed in version 9.201. However, we are on version 9.402-7...

Is there any news on that issue? We would prefer to stick to AD authentication and the user format DOMAIN\user if possible.

Thanks and best regards
Sascha



This thread was automatically locked due to age.
  • Hello, hope you are well.

    I also see this problem. The help file within UTM 9 says that you can add a prefix or suffix so that if the user just logs in as say "firstname.lastname" then the UTM will add the domain prefix or suffix automatically. The example it describes is with the suffix and that if a user logs in with a suffix the UTM will ignore appending it. I assumed it would be the same with the prefix.

    I don't know how the UTM would handle if you configure both, but would like this to work for my setup as at the moment we will need to educate users on the way to logon.

    Regards,

    Dave

  • Hi,

    The format domain\user is not supported by WAF. This is mentioned in several places, like the online help and various KBA articles regarding Microsoft Exchange.

    Either you switch to the format user@domain or you use the prefix option in the Reverse Authentication profile.
    Therefore, please have a look at the online help and the KBA articles.


    Sabine
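
    Dave's and Sabine's replies both describe the same rule: the login is accepted as DOMAIN\user, user@domain or a bare user name, a domain already present is never prefixed or suffixed again, and the backend receives one canonical format. The following is an added illustration of that normalization, written for this thread; it is not UTM code and does not reflect how the WAF actually parses logins. The NetBIOS-to-DNS mapping, the allowed character set and the sample logins are assumptions made for the example.

    ```python
    import re
    from dataclasses import dataclass

    # Allowed characters for a user or domain token (deliberately conservative; an assumption for this example)
    _TOKEN = re.compile(r"[A-Za-z0-9._-]+")


    @dataclass(frozen=True)
    class Principal:
        user: str
        domain: str


    def parse_login(raw: str, default_domain: str) -> Principal:
        """Split a submitted login into its user and domain parts.

        Accepted shapes: DOMAIN\\user, user@domain, or a bare user (default_domain is applied).
        A login that already carries a domain is never prefixed or suffixed again, which is the
        behaviour the UTM help describes for its prefix/suffix options.
        """
        s = raw.strip()
        if "\\" in s:
            domain, _, user = s.partition("\\")
        elif "@" in s:
            user, _, domain = s.partition("@")
        else:
            user, domain = s, default_domain
        # A doubled separator (DOMAIN\\user) leaves a token that still contains a backslash,
        # so it is rejected here instead of being forwarded to the directory as a literal.
        for part in (user, domain):
            if not _TOKEN.fullmatch(part):
                raise ValueError(f"malformed login {raw!r}: bad token {part!r}")
        return Principal(user=user, domain=domain)


    def normalize_login(raw: str, default_domain: str, style: str = "upn",
                        domain_map: dict | None = None) -> str:
        """Render the login in one canonical style for the backend.

        style: "upn" -> user@domain, "downlevel" -> DOMAIN\\user.
        domain_map: NetBIOS name -> DNS suffix (assumed here; a real deployment gets it from AD).
        """
        p = parse_login(raw, default_domain)
        domain_map = domain_map or {}
        if style == "upn":
            # Translate a NetBIOS name into its DNS suffix when we know it; otherwise keep as given.
            return f"{p.user}@{domain_map.get(p.domain.upper(), p.domain)}"
        if style == "downlevel":
            # Reverse lookup: DNS suffix back to NetBIOS name for the down-level form.
            dns_to_netbios = {v.lower(): k for k, v in domain_map.items()}
            return f"{dns_to_netbios.get(p.domain.lower(), p.domain)}\\{p.user}"
        raise ValueError(f"unknown style {style!r}")


    if __name__ == "__main__":
        # Constructed sample logins; CORP/corp.example is a made-up domain pair.
        mapping = {"CORP": "corp.example"}
        for raw in ("CORP\\sascha", "sascha@corp.example", "sascha", "CORP\\\\sascha"):
            try:
                print(f"{raw!r:22} -> {normalize_login(raw, 'corp.example', 'upn', mapping)}")
            except ValueError as exc:
                print(f"{raw!r:22} -> rejected: {exc}")
    ```

    Printing the raw value with `repr()` as the demo does is the quickest way to tell whether a "double backslash" in a log is really two characters on the wire or only the log writer escaping a single one; the rejection branch shows what a parser should do with the former rather than passing it on to AD.
    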

  • Hi, and thanks to you both for your time to reply.

    We know about the various references in the manual and additional resources about connecting Exchange. However, changing the username to another format is not what we want and is still only our "Plan B". Changing the username format would mean a lot more effort for us IT guys and our users to get the users' email to work after activating the reverse authentication.

    If we could stick to the DOMAIN\user format, users would not even notice a change in the way their email clients authenticate.

    As we believe this behaviour must be a bug, we raised a ticket with Sophos yesterday. I'll document further communication with Sophos support here for other people with the same problem.

    Thanks and best regards
    Sascha

  • I have been told that the only authentication method that UTM supports which uses the domain\user method is RADIUS.

    So configuring a RADIUS authentication server and adding a relevant RADIUS group to the allowed users for the OWA form should work. I haven't tried it myself; however, I was told that it wasn't the greatest of things to configure.