This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF reverse AD auth - domain\user turns into domain\\user

Dear Sophos community,
we are currently setting up WAF to work with our Exchange services. Exchange version is 2007 at the moment, we plan to migrate to 2016 next year.

All our Windows Outlook users authenticate with DOMAIN\user, which works fine as long as we don't reverse authenticate with WAF. As soon as WAF handles the authentication, we see a "double \\" in DOMAIN\\user in the log and failed authentications.

We found some approaches to work around this issue, but none of them is what we really want. RADIUS for example is not an option, as we do not have redundant RADIUS servers yet.

We also did find a reference in Mantis to an old issue, that was reportedly fixed in version 9.201. However, we are on version 9.402-7...

Is there any news on that issue? We would prefer to stick to AD authentication and the user format DOMAIN\user if possible.

Thanks and best regards
Sascha



This thread was automatically locked due to age.
Parents
  • Hi,

    the format domain\user is not supported by WAF. This is mentioned in several places like the online help and various KBA articles regarding Microsoft Exchange.

    Either you switch to the format user@domain or you use the prefix option in the Reverse Authentication profile.
    Therefore, please have a look at the online help and the KBA articles.


    Sabine

  • Hi and thanks for you both for your time to reply.

    We know about the various references in the manual and additional ressources about connecting Exchange. However, changing the username to another format is not what we want and still only our "Plan B". Changing the username format would mean a lot more effort for us IT guys and our users to get the user's email to work after activating the reverse authentication.

    If we could stick to the DOMAIN\user format, users would not even notice a change in the way their email clients authenticate.

    As we believe this behaviour must be a bug, we raised a ticket with Sophos yesterday. I'll document further communication with Sophos support here for other people with the same problem.

    Thanks and best regards
    Sascha

  • I have been told that the only authentication method that UTM supports which uses the domain\user method is RADIUS.

    so configuring an RADIUS authentication server and adding a relevant RADIUS group to the allowed users for OWA form should work, I haven't tried myself, however I was told that it wasn't the greatest of things to configure

Reply
  • I have been told that the only authentication method that UTM supports which uses the domain\user method is RADIUS.

    so configuring an RADIUS authentication server and adding a relevant RADIUS group to the allowed users for OWA form should work, I haven't tried myself, however I was told that it wasn't the greatest of things to configure

Children
No Data