This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ZTNA agentless user portal login returns HTTP 403

Hi,

I have set up ZTNA and got most of it working so far.

However, when trying to log in via ZTNA user portal, I am being redirected to https://login.microsoftonline.com/ and after entering my credentials, login will work, but the redirect URI back to ZTNA user portal (ZTNA/.../callback will return a http/403.

I can verify the successful login via Azure AD.

The user is part of a security group synced to Sophos Central and is member of the Azure AD enterprise application that is being used for OAuth by ZTNA.

I had to add my ZTNA FQDN as additional Redirect URI in Azure AD application to even get authentication working.

Now I am not certain why ZTNA does return http/403. I am suspecting it does not know the user, but why?

What am I missing?

Thanks!

Kind regards,

cougz

This thread was automatically locked due to age.

Top Replies

Nabil Semsu over 2 years ago +2

Can u check if Gateway has access to https://login.microsoftonline.com/ ?. This error usually happens when the GW does not have access. Your browser may have access, which is why you can access the Microsoft…

Parents

0 Nabil Semsu over 2 years ago

Can u check if Gateway has access to https://login.microsoftonline.com/ ?. This error usually happens when the GW does not have access. Your browser may have access, which is why you can access the Microsoft URL and u can give your creds. but the GW need to directly call this URL to get User Info from the AD.
Cancel
Vote Up +2 Vote Down

Cancel
0 David Sain over 2 years ago in reply to Nabil Semsu

I have the same issue but with client, not clientless.

I'm testing a one-armed deployment in a DMZ zone. There is no web policy applied to the FW rule for ZTNA so I'm not blocking any outbound requests from the gateway.

Is there any way to login to the gateway to check directly from it?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 David Sain over 2 years ago in reply to Nabil Semsu

I have the same issue but with client, not clientless.

I'm testing a one-armed deployment in a DMZ zone. There is no web policy applied to the FW rule for ZTNA so I'm not blocking any outbound requests from the gateway.

Is there any way to login to the gateway to check directly from it?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Tejas Kashyap over 2 years ago in reply to David Sain

Hi David, currently there is no way to login to the ZTNA Gateway console directly. We are working on rolling out a diagnostics feature shortly that would help in troubleshooting connectivity issues from the gateway.
Cancel
Vote Up +1 Vote Down

Cancel