
Sophos XG Client-based Single Sign-On (SSO) authentication with Active Directory

Hi everyone,

I've read KB 123159, Sophos XG Firewall: How to Implement Single Sign On Authentication with Active Directory

https://community.sophos.com/kb/en-us/123159

I went through the steps up to the last step:

9.Verify if SOPHOS SSO Client has been installed on the user’s machine by:

  • Checking if the Single Sign-On SOPHOS Client folder has been created under  Start > All Programs.
  • Checking the SSO version and Server IP address at HKEY_LOCAL_MACHINE/SOFTWARE/SOPHOS/SSO in the local machine's registry.

Here I cannot see any Sophos SSO Client on the Windows client machine (domain joined) when I log in to it.

On the Domain Controller I configured all the requirements from step 1 to step 8.

 

Question: so how can I troubleshoot this problem?

Note that at Step 8 on the Domain Controller, I just used the 3rd option: use the SOPHOS script, the sophos.txt file from the extracted archive; open it in an editor and modify it according to your infrastructure details. Save it as a .bat file and put it in the NETLOGON folder (the policy for the logon script should be configured by the Domain Admin).

 

Thank you for your support!



[edited by: Erick Jan at 2:00 AM (GMT -7) on 16 Sep 2022]
  • Just curious why you would opt for using an SSO client on each of the PCs instead of using the STAS client on the server itself? Once you have STAS going you have a single thing to worry about instead of X number of clients.

     

    Just a thought..

     

  • Hi,

    I think sometimes the system administrator doesn't want to install additional software on the Domain Controller, and also Sophos has this feature, so I just wanted to try it.

    Anyway thank you for your comment.

    Does anyone else have any idea?

  • Dear all,

    Has anyone tested this feature of Sophos XG Firewall?

  • If you want to find out why it's not working in your case, I'd suggest you double-check this part:

    <<<Policy for the logon script should be configured by the Domain Admin>>>

    For testing purposes you could put a 'pause' command in the bat file.

    If the script is run during login of a client, it will clearly hang at the pause command. Thus you can see it's called.

    If it's not run, you either need to configure the bat file as a NETLOGON script in the user configuration details, or even with a group policy.

  • Thank you DNA for your help.

    I will check it and inform you later.

  • In my opinion the way the installation manual from Sophos describes it is not a very good way to deploy the agent.

    I recommend you to use two scripts:

    The first one installs the agent on the computer as part of the computer policy (not during a logon but at system start). This way you avoid the problem with the administrative credentials (the agent is not installed on a user basis).

    During login you can have another script that runs the configuration utility with the ini, OR just adds the configuration data into the registry (under HKCU\Software\Sophos you find them)... because that is basically what the configuration tool does.

    I used SCCM to deploy the agent using an application and a compliance policy that applies the configuration to the registry. It works fine except that it constantly logs off and back on again... I may need to investigate that, but that had nothing to do with the way of installing.
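    The two replies above both come down to the same two questions: is the script actually being executed at logon (or at startup), and in which security context? The following PowerShell diagnostic is an added example for this thread, not Sophos's code and not the sophos.txt script from the KB. Dropped into NETLOGON as a logon script, or assigned as a computer startup script via Group Policy, it logs who it runs as (the user, or SYSTEM) and whether the two artifacts KB 123159 step 9 names are present: the Start menu folder and HKLM\SOFTWARE\SOPHOS\SSO. The log file location, the folder-name wildcard and the WOW6432Node fallback (32-bit installers on 64-bit Windows are redirected there) are assumptions of this example; the registry value names are not stated in the thread, so every value under the key is dumped rather than guessed.

```powershell
# Added diagnostic for the thread above (not Sophos code). Run as a NETLOGON logon
# script or as a GPO computer startup script to see (a) that it runs at all,
# (b) in which context, and (c) whether the SSO client is installed.
$LogFile = Join-Path $env:ProgramData 'sso-check.log'   # assumption: location writable in both contexts

function Write-Log {
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} [{1}] {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogFile -Value $line -ErrorAction SilentlyContinue
    Write-Output $line
}

# 1. Context: a NETLOGON logon script runs as the logging-on user, who usually cannot
#    install software; a computer startup script runs as NT AUTHORITY\SYSTEM.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Log ("Script started as '{0}' (local admin: {1}, logon server: {2})" -f $identity.Name, $isAdmin, $env:LOGONSERVER)

# 2. What NETLOGON actually serves: if your .bat is not listed here, the policy step
#    ("configured by the Domain Admin") is the part to revisit.
if ($env:LOGONSERVER) {
    $netlogon = Join-Path $env:LOGONSERVER 'NETLOGON'
    $bats = Get-ChildItem -Path $netlogon -Filter '*.bat' -ErrorAction SilentlyContinue
    Write-Log ("Batch files in {0}: {1}" -f $netlogon, ($(if ($bats) { $bats.Name -join ', ' } else { '<none or share unreachable>' })))
}

# 3. KB step 9, first check: the Start menu folder created by the installer.
$startMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs'
$ssoFolder = Get-ChildItem -Path $startMenu -Directory -ErrorAction SilentlyContinue |
             Where-Object { $_.Name -like '*Single Sign-On*' }      # assumption: folder name contains this string
if ($ssoFolder) {
    Write-Log ("Start menu folder present: {0}" -f ($ssoFolder.FullName -join ', '))
} else {
    Write-Log "Start menu folder for the SSO client NOT found under $startMenu"
}

# 4. KB step 9, second check: HKLM\SOFTWARE\SOPHOS\SSO holds version and server IP.
#    A 32-bit installer on 64-bit Windows lands under WOW6432Node instead.
$keyPaths = @('HKLM:\SOFTWARE\SOPHOS\SSO', 'HKLM:\SOFTWARE\WOW6432Node\SOPHOS\SSO')
$found = $false
foreach ($keyPath in $keyPaths) {
    if (Test-Path $keyPath) {
        $found = $true
        Write-Log "Registry key $keyPath present; values:"
        $props = Get-ItemProperty -Path $keyPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { Write-Log ("    {0} = {1}" -f $p.Name, $p.Value) }
        }
    }
}
if (-not $found) {
    Write-Log "No SOPHOS\SSO key under HKLM (checked: $($keyPaths -join ', ')); the client is not installed on this machine"
}
```

    Reading the log after a logon answers the troubleshooting question directly: no log line at all means the script was never assigned or never ran (the same thing DNA's 'pause' reveals, without hanging the logon); a log line showing the user's own account with "local admin: False" followed by "NOT found" is the per-user install problem Weatherlights describes, and points at moving the install into a computer startup script.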

  • Thanks Weatherlights for your information,

    Actually, I used to think that the Sophos SSO Client installation was straightforward, just install and run, but it seems that Sophos deploys the SSO Client via logon script and it is not user-friendly.

    So the best way is to install STAS on the Domain Controller.