Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 12 replies
  • Subscribers 30 subscribers
  • Views 6711 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SamAccount vs UPN - Heartbeat authentication

RiccardoMorandotti1

Dears,

we figured out that Sophos authenticator via Heartbeat does not support an enviroment in which SamAccount name is different from UPN, here the quotation from Sophos KB: "UPN must be identical to sAMAccountName to make the login successful as the sAMAccountName is used by the XG Firewall and not the UPN."
In an enviroment in which is used Office 365 normally the UPN is different from SamAcocunt name and it is quite a standard de facto.
In our case after the update I had a lot of wrong users created automatically based on UPN (name.surname.. no domain) and no rules anymore working..obviously we figured it out and fixed it in a short time... Did anybody else have this problem and found a way to manage it?

@Sophos: please consider this scenario and to give more flexibility to the firewall when managed users in Active Directory (e.g. choose if use SAMaccount anme or UPN to create a users..)

Thanks

Riccardo



This thread was automatically locked due to age.
Parents
  • 0

    As far as i know, it is already in the pipeline to open the possibilities in those scenarios. 

    I asked couple of my peers / partners and here in the community but nobody could explain me the reason for this AD setup.

    You are referring to O365 setups with this setup.

    Can you explain this in more detail?

    UPN is most likely something like surname.name@domain.com 

    SAMAccountname should be domain\surname.name 

    So basically the same "attributes" in AD. 

    Most likely i could observe this issue in setups, which grew over the past and renamed their accounts from "name" to surname.name. 

    So they had user with domain\name and this company grew so they had to change this user to surname.name@domain.com 

Reply
  • 0

    As far as i know, it is already in the pipeline to open the possibilities in those scenarios. 

    I asked couple of my peers / partners and here in the community but nobody could explain me the reason for this AD setup.

    You are referring to O365 setups with this setup.

    Can you explain this in more detail?

    UPN is most likely something like surname.name@domain.com 

    SAMAccountname should be domain\surname.name 

    So basically the same "attributes" in AD. 

    Most likely i could observe this issue in setups, which grew over the past and renamed their accounts from "name" to surname.name. 

    So they had user with domain\name and this company grew so they had to change this user to surname.name@domain.com 

Children
  • 0 in reply to LuCar Toni

    HI LuCar,

    The scenario:

    a user in our company has as UPN name.surname@domain.com and as SamAccount "first letter of the name+surname@domain.local", e.g. for my user riccardo.morandotti@domain.it and rmorandotti@domain.local.
    We had to change UPN in order to user MS Adsync with O365 but we left unthouch the SAMAccount becuase it also use on some of our legacy application on AS400...

    Issue

    Sophos client send the UPN as string for authentication, the XG receive this value as string for authentication but r the XG ask to the AD for the SAMAccount value... so in my case are created 2 users on the firewall:

    -rmorandotti@domain.local

    -riccardo.morandotti

    And obviously the first one have all the rules linked and groups instead the second has nothing..

    SOPHOS Possibile Solution

    Allow to customize the client to send SAMAccount or UPN.. becuase as said it's really strange to send UPN when you know that your XG use the SAMAccount value to authenticate on AD... so the constraint that SAMAcocunt and UPN should be the same is due to the "esotic" implementation on the client side..

    I hope now it's more clear, I already inform my sales man in Sophos and the support because I think it was important to know the exsistence of this topic

    thanks
    Riccardo

  • 0 in reply to LuCar Toni

    Has this changed recently??  Reason i ask is ive always used an AzureAD joined pc which was authenticating via XG via Jumpcloud RADIUS server via AzureAD.  But for some reason my the heartbeat authentication username has recently changed from forname.surname to fornamesurname and this has meant XG LDAP Auth is now failing??

    I did some reading and apparently AzureAD doesnt use samaccountnames, it is supposed to use the Aliases set on the AzureAD user instead.  

    Anyway i too hope that Sophos can incorporate UPN authentication for heartbeat as im struggling to get my XG running correctly since recently.

    I may contact JumpCloud to see how Sam names are set on the LDAP users there as my XG is using JumpCloud as a middle man to AzureAD until XG can support AzureAD itself?

    But if anyone knows of a way to change an AzureAD username from AzureAD\fornamesurename to AzureAD\forname.surname id appreciate the advice as that small "." is whats causing my XG's Heartbeat LDAP auth to fail now.

    Thanks

  • 0 in reply to RiccardoMorandotti1

    Thanks for the idea Riccardo, creating a 2nd user on my XG has fixed my Heartbeat auth for now.