
WS Cluster SSO LDAP Issues

Hi Sophos Community!

Incoming wall of text, you've been warned.

So, before the upgrade to 4.0.2.2 I had a single Web Appliance running AD authentication without any issues.

We've since added a Management Appliance and a Physical WS1100 and configured load balancing.

This works fine when AD authentication is not used. I went to switch on the AD authentication on Friday, and after completing it, every user was prompted to log on to the captive portal, which shouldn't be happening.

All firewalls are configured correctly as per the online guide, and if I use 'Auto Detect Advanced Settings' the verify works and I can switch on authentication, but the captive portal comes up every time.

So, I thought I'll not use auto-detect and configure the LDAP Base DN, which is where it gets interesting.

This is the LDAP path to the auth account (changed for posting):
CN=AuthAccount,OU=Service Accounts,OU=Users,OU=Office,DC=Domain,DC=Local

This is the LDAP path to where our users are stored
OU=Users,OU=Office,DC=Domain,DC=Local

When I enter the above, verify fails on Testing LDAP

However, if I enter the following into the base DN, it passes the tests but the captive portal appears again:

OU=Office,DC=Domain,DC=Local

It seems then, that the appliance has an issue with the Users OU and I can't figure out why.

The auth account I'm using is a domain admin and I've given explicit full control permission to the Users OU for that account.

Any thoughts?

I should add - we use the appliance in transparent mode; a Linux router points HTTP and HTTPS to the Virtual I on the Management Appliance.

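The post above compares two base DNs against the bind account's own DN and the container holding the users. One thing worth checking before blaming the OU is how those DNs actually nest, because AD DNs are case-insensitive and may contain escaped commas, so a visual comparison is easy to get wrong. The following is an added example, not code from the original post or from the Sophos appliance: it parses distinguished names (RFC 4514 escaping handled) and reports whether the bind account and the users' container both fall within a candidate search base. The DNs are the ones the poster gave (already altered for posting), used here as constructed sample input; the function names are my own. It makes no network connection.

```python
"""Check how a bind-account DN and a user container sit relative to an LDAP base DN.

Added, hypothetical example (not the appliance's code). Parses DNs per
RFC 4514, handling backslash escapes, then compares them leaf-to-root.
"""
from __future__ import annotations


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) RDN pairs, leaf first.

    Backslash-escaped characters (e.g. 'CN=Smith\\, John') are kept inside
    the value instead of being treated as separators. Types and values are
    lower-cased because AD DN matching is case-insensitive.
    """
    rdns: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape sequence intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    parsed: list[tuple[str, str]] = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        typ, val = rdn.split("=", 1)
        parsed.append((typ.strip().lower(), val.strip().lower()))
    return parsed


def is_under(dn: str, base: str) -> bool:
    """True when `dn` equals `base` or lies beneath it in the tree."""
    d, b = parse_dn(dn), parse_dn(base)
    if len(b) > len(d):
        return False
    # A DN is under the base when its trailing RDNs (towards the root) match.
    return d[len(d) - len(b):] == b


def scope_report(base: str, bind_dn: str, users_ou: str) -> dict[str, bool | int]:
    """Summarise whether a candidate base DN covers the bind account and the user OU."""
    return {
        "bind_account_in_base": is_under(bind_dn, base),
        "users_ou_in_base": is_under(users_ou, base),
        "base_depth": len(parse_dn(base)),
    }


# Constructed sample input: the DNs from the post (already changed for posting).
AUTH_ACCOUNT_DN = "CN=AuthAccount,OU=Service Accounts,OU=Users,OU=Office,DC=Domain,DC=Local"
USERS_OU = "OU=Users,OU=Office,DC=Domain,DC=Local"
CANDIDATE_BASES = [
    "OU=Users,OU=Office,DC=Domain,DC=Local",  # the base that failed 'Testing LDAP'
    "OU=Office,DC=Domain,DC=Local",           # the base that passed but still showed the portal
]

if __name__ == "__main__":
    for base in CANDIDATE_BASES:
        print(base, scope_report(base, AUTH_ACCOUNT_DN, USERS_OU))
```

Both candidate bases contain the bind account and the Users OU, so the narrower base is not failing because the account sits outside it; the next thing to test is an actual bind-and-search as the service account against each base (for example with ldapsearch, passing the bind DN with -D and the base with -b) to see whether the directory itself refuses the narrower scope or whether the appliance's verify step is doing something beyond a simple search.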


Well I've figured it out.

It turns out that these appliances never forget certain elements of previous configurations.

So my management appliance, which was joined to the domain, started to generate 'Access is Denied' errors on my DC when I added the existing, domain-joined appliance to it via central management.

To make matters worse, my WS1100 was connected to our old domain, which we retired. It did, however, try authenticating to the new domain with old domain credentials according to my logs (which is truly bizarre).

So the lesson I've learned and can share with you all is this:

Only join the management appliance to the domain. If you have a Web Appliance already domain joined, back up your data, trash it and download a new one; do not put it into central managed mode.

Once your new one is downloaded and configured with relevant IPs, DO NOT join it to the domain; join it to the management appliance and let that take care of the domain membership.

Finally, DO NOT add a 'legacy' device to your shiny new set up! I'm trying to get Sophos to Factory Reset the WS1100 now (which is proving to be a challenge, anyone know how to do it? Sophos Tech Support say your reseller does it, my reseller and their Sophos account manager say tech support do it :/)

Hope this helps