
Authenticate AD Azure in SOPHOS

Hello Team,

I need your help please.
Is there any way to authenticate Azure AD users in Sophos?
I have a hybrid infrastructure, with users in on-premises AD and in Azure AD.
I was able to authenticate users in my on-premises AD to access VPN through Sophos, but I do not know what to do regarding Azure AD users.

Thank you for your help.



  • Hey Jesse,

    Same problem here. We would like to sync/authenticate our users (for VPN authentication) via LDAPS directly with Azure AD.

    If I understand you right, no Azure VM (domain controller with AD) is necessary?

    So we need an activated Azure plan like P1 and only the certificate for LDAPS, right?

    Thanks & regards

    phil

  • We can connect to Azure AD with LDAPS anonymously. Bind DN worked as well. If we choose authentication with credentials, it doesn't work.

    Logging in to the User Portal with an AD user is not possible.

    After a call with a Sophos technician today, they will check whether LDAPS via WAN works.

    Jess, maybe you could give me some more information on how you realized the connection with LDAPS. Do you use a VPN to the Azure network?

    Regards

    Philipp

  • Hey Kresimir,

    Answer from Sophos support:

    "I got this discussed with my Senior team and I regret to inform but Authentication is not supported on WAN Zone as of now on the XG Firewall.

    But as a workaround, you can create an IPSec Tunnel and then use Authentication."

    So you have to create a VNet in Azure with Azure AD Domain Services, a Windows Server VM (join domain & install AD tools), a gateway & VPN.

    Regards

    Philipp

  • Hi all,

    We've managed to get this to work properly.

    The trick is that you need to parse bind and base DNs properly. The bind DN must be spelled without the base DN.

    Bind DN user must be in a format like this: CN=ldapbind,OU=AADDC users

    Base DN must be in a format like this: OU=contoso,OU=com

    Hope this will solve your problem.


    Best regards,

    Kresimir

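The DN rule Kresimir describes above, as an added example that is not from the thread or from Sophos: a small helper that composes the full bind DN the firewall will use from the relative bind DN plus the base DN, splitting on commas that are not backslash-escaped (a simplified RFC 4514 split), and that flags the pitfall of entering the bind DN with the base DN already appended. The sample DNs are constructed in the format quoted in the post.

```python
import re
from typing import Optional

# Constructed sample values in the format quoted in the thread (not real accounts).
SAMPLE_BIND_DN = "CN=ldapbind,OU=AADDC users"
SAMPLE_BASE_DN = "OU=contoso,OU=com"


def split_rdns(dn: str) -> list:
    """Split a DN into its RDNs on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn) if part.strip()]


def _normalise(rdn: str) -> str:
    """Lower-case attribute type and value so comparisons ignore case and spacing."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def bind_dn_problem(relative_bind_dn: str, base_dn: str) -> Optional[str]:
    """Return a description of what is wrong with the pair, or None if it looks fine."""
    rel, base = split_rdns(relative_bind_dn), split_rdns(base_dn)
    if not rel or not base:
        return "bind DN and base DN must both be non-empty"
    for rdn in rel + base:
        if "=" not in rdn:
            return f"malformed RDN (expected attr=value): {rdn!r}"
    norm_rel = [_normalise(r) for r in rel]
    norm_base = [_normalise(b) for b in base]
    # The pitfall from the thread: the bind DN was entered with the base DN already
    # on the end, so appending the base DN again produces a DN that does not exist.
    if len(norm_rel) >= len(norm_base) and norm_rel[-len(norm_base):] == norm_base:
        return "bind DN already ends with the base DN; enter it without the base DN"
    return None


def compose_bind_dn(relative_bind_dn: str, base_dn: str) -> str:
    """Full DN the firewall binds with: relative bind DN followed by the base DN."""
    problem = bind_dn_problem(relative_bind_dn, base_dn)
    if problem:
        raise ValueError(problem)
    return ",".join(split_rdns(relative_bind_dn) + split_rdns(base_dn))


if __name__ == "__main__":
    print(compose_bind_dn(SAMPLE_BIND_DN, SAMPLE_BASE_DN))
    print(bind_dn_problem(SAMPLE_BIND_DN + "," + SAMPLE_BASE_DN, SAMPLE_BASE_DN))
```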
  • One side note: to get LDAPS auth to work you need to change your password storage in Azure to include "Store passwords using reversible encryption"; after that setting is changed you have to update your password, and I have seen it take ~20 minutes for your password change to be reflected in the Azure LDAP system. Also you need to have the IdP enabled on the services you would like to use it with, and I have not been able to get groups to work with it; might just be my setup. I'm not spending much time on it as we are moving to AD in AWS over S2S VPN.

  • Here is an overview of our LDAP settings.

  • Thank you for your reply and the screenshot. The connection works. I think I overlooked changing the password for the password hash sync, which is recommended.

    But now we have the same problem: we are not able to authenticate or see the users/groups of the AD.

    Maybe @Kresmir, do you have a solution? Does that work for you?

  • Hi,

    Users must log in to the User Portal so that their account can be "created" on Sophos XG. After that you can set appropriate permissions for that user account.

  • Thanks, that works fine!

    Is there an option to limit access by specifying an Active Directory group?

    With the above configuration all AD members are allowed to log in to the Sophos user portal.


    Regards

    Phil