I'd like to start off by saying that the Windows SSO client is something that was clearly never finished. The reason the SSO client will fail to install has mostly to do with sloppy programming. If the target computer ALREADY has a Sophos product installed, then the installation will silently fail. After some debugging, I discovered it was silently failing on trying to create the directory "Sophos" under Program Files (x86). The software itself is actually relatively simple. The primary file that gets generated, which is generic, is called SSOophos.exe. That file simply looks to the registry for the following:
- HKLM>Software\Sophos\SSO\Authentication Client\Preferences>Reg_Dword-Name=Installed, data=1
- HKLM>Software\Sophos\SSO\Authentication Client\Preferences>Reg_Dword-Name=FirstTime, data=1
- HKCU>SOFTWARE\Sophos\SSO\Authentication Client\Preferences>Reg_SZ-Name=Domain Controller, data=ADS
- HKCU>SOFTWARE\Sophos\SSO\Authentication Client\Preferences>Reg_SZ-Name=Domain Name, data={whatever your domain name is}
- HKCU>SOFTWARE\Sophos\SSO\Authentication Client\Preferences>Reg_SZ-Name=Server, data={IP address of the XG}
The best way to deploy this is, of course, via Group Policy, which means we need an MSI package. I used this: https://www.advancedinstaller.com/
The first challenge is getting your hands on the executable. Loosely follow Sophos's instructions at https://community.sophos.com/kb/en-us/123159, but instead, at step 7, take the downloaded SSO installer files (which you can get from the XG admin > Authentication > Client Downloads) and put those files onto a domain-joined computer that DOES NOT already have a Sophos directory under Program Files (x86). Place the files at, say, C:\temp\sophossso, then from an elevated command prompt run: c:\temp\sophossso\SophosRun.exe -p c:\temp\sophossso Admin.ini -c "c:\temp\sophossso\SSSophosSetup.exe /VERYSILENT". You should now have C:\Program Files (x86)\Sophos\Sophos Single Sign On Client with 2 executables.
Using Advanced Installer, start a new project. Under Resources, punch down and create: Program Files > Sophos > Sophos Single Sign On Client; right-click and add those 2 files you just created. Next, create the Start menu items: again under Resources, punch down to Start menu > Programs > Sophos Single Sign On Client. Here just grab the shortcut files from your reference computer and stick those here. All the HKCU stuff you will need to implement via Group Policy, but you can put the HKLM stuff here (see above). General stuff: Advanced Installer > Product Details: maybe grab the Sophos icon, check the box to register the product with Windows Installer, disable Modify, disable Repair. Install Parameters: Package Type: 32-bit; Installation Type: per-machine if user is admin, otherwise per-user; check: limit to basic user interface. Save and Build.
Take the MSI you just built and place it into a network share that is accessible to domain computers. Make sure even the root of the share has share and NTFS permissions for "Domain Computers". They just need Read & Execute, List, Read.
Create the GPO: In addition to publishing the MSI you just shared, you will need to set the HKCU keys I mentioned above (User Configuration > Preferences > Windows Settings > Registry). Important! You need to make sure this executable starts every time a user logs into their computer, so also create: HKCU> SOFTWARE\Microsoft\Windows\CurrentVersion\Run\, value name: SophosSSO, value type: Reg_SZ, value data: C:\Program Files (x86)\Sophos\Sophos Single Sign On Client\SSSophos.exe. 2nd important item to add: Computer Configuration > Policies > Administrative Templates > System > Logon > Always wait for the network at computer startup and logon > Enabled. It seems like software installation GPOs just don't work if this is not enabled. Also, BTW, this seems to help with network drives showing "Xed" out as well, so it's a good thing to set :).
Additional notes: STAS trumps this. If you are using STAS, this won't do anything. I was very happy to disable mine! Also, if the computer already has a clientless user associated with it, the SSSophos.exe program will terminate immediately with a nasty error in the Application event log. The Sophos authentication logs will log that SSO failed because the user is already logged in as a clientless user. Just a heads-up for troubleshooting; this threw me for a bit. SSSophos.exe will continue to run so that it can notify the firewall when the user logs off or effectively logs off (computer goes to sleep, etc.). This is why SSSophos.exe needs to be included in the registry under HKCU...Microsoft...Run.
This all sounds pretty painful, I admit, but if you have multiple sites, once you get it working on one site/domain it is very simple to repeat the installation in Group Policy, as the only variance is the domain name and the IP address of the XG.
BTW, I initially did the MSI work about a year ago using Advanced Installer, so I am sure I missed something here. There are some good pages you can find with Google searches on how to deploy simple applications, which is what I started with.
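As an added example (this is not part of the original post and not Sophos's code), the PowerShell below stages on a single test machine the same registry values the post says SSSophos.exe reads, plus the HKCU Run entry, so you can confirm the client behaves before building the MSI and GPO. The domain name, XG address and install path are placeholders taken from the post's description; replace them with your own. It also warns about the two pre-conditions the post mentions: an existing Sophos directory under Program Files (x86), and the "Always wait for the network" policy (read back here via the SyncForegroundPolicy value that policy sets).

```powershell
#Requires -RunAsAdministrator
# Added example: stage the SSO client's registry values on one machine for testing.
param(
    [string]$DomainName = 'corp.example.local',   # assumption: your AD domain name
    [string]$XgAddress  = '192.0.2.1',            # assumption: IP of the XG (TEST-NET-1 placeholder)
    [string]$ClientExe  = 'C:\Program Files (x86)\Sophos\Sophos Single Sign On Client\SSSophos.exe'
)

$prefs = 'Software\Sophos\SSO\Authentication Client\Preferences'

# 1. Pre-flight: the post reports the SSO setup fails silently when a Sophos
#    directory already exists under Program Files (x86). Warn before you install.
$sophosDir = Join-Path ${env:ProgramFiles(x86)} 'Sophos'
if (Test-Path $sophosDir) {
    Write-Warning "'$sophosDir' already exists; the SSO installer is known to fail silently here."
}

# 2. Machine-wide values (the post ships these inside the MSI).
$hklm = "HKLM:\$prefs"
New-Item -Path $hklm -Force | Out-Null
New-ItemProperty -Path $hklm -Name 'Installed' -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $hklm -Name 'FirstTime' -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Per-user values (the post delivers these with Group Policy Preferences).
$hkcu = "HKCU:\$prefs"
New-Item -Path $hkcu -Force | Out-Null
New-ItemProperty -Path $hkcu -Name 'Domain Controller' -PropertyType String -Value 'ADS'       -Force | Out-Null
New-ItemProperty -Path $hkcu -Name 'Domain Name'       -PropertyType String -Value $DomainName -Force | Out-Null
New-ItemProperty -Path $hkcu -Name 'Server'            -PropertyType String -Value $XgAddress  -Force | Out-Null

# 4. Start the client at every logon so it can tell the firewall about logoff/sleep.
#    The path contains spaces, so it is quoted here (the post writes it unquoted).
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
New-ItemProperty -Path $run -Name 'SophosSSO' -PropertyType String -Value "`"$ClientExe`"" -Force | Out-Null

# 5. Check the logon policy the post says software-installation GPOs depend on.
$winlogon = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sync = (Get-ItemProperty -Path $winlogon -Name SyncForegroundPolicy -ErrorAction SilentlyContinue).SyncForegroundPolicy
if ($sync -ne 1) {
    Write-Warning '"Always wait for the network at computer startup and logon" is not enabled on this machine.'
}

# 6. Read everything back so it can be compared against what the GPO will push.
Get-ItemProperty -Path $hklm | Select-Object Installed, FirstTime
Get-ItemProperty -Path $hkcu | Select-Object 'Domain Controller', 'Domain Name', Server
Get-ItemProperty -Path $run  | Select-Object SophosSSO
if (-not (Test-Path $ClientExe)) { Write-Warning "Client executable not found at $ClientExe" }
```

Run it from an elevated PowerShell on the reference machine after the client files are in place, then log off and on again and check the Application event log and the XG authentication log for the failure modes described above (existing clientless user, STAS still enabled).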