
SamAccount vs UPN - Heartbeat authentication

Dears,

We figured out that the Sophos authenticator via Heartbeat does not support an environment in which the SamAccount name is different from the UPN; here is the quotation from the Sophos KB: "UPN must be identical to sAMAccountName to make the login successful as the sAMAccountName is used by the XG Firewall and not the UPN."
In an environment in which Office 365 is used, the UPN is normally different from the SamAccount name, and it is quite a de facto standard.
In our case, after the update I had a lot of wrong users created automatically based on UPN (name.surname, no domain) and no rules working anymore. Obviously we figured it out and fixed it in a short time... Did anybody else have this problem and find a way to manage it?

@Sophos: please consider this scenario and give more flexibility to the firewall when managing users in Active Directory (e.g. choose whether to use the SAMAccount name or the UPN to create users).

Thanks

Riccardo



  • As far as I know, it is already in the pipeline to open the possibilities in those scenarios.

    I asked a couple of my peers / partners and here in the community, but nobody could explain to me the reason for this AD setup.

    You are referring to O365 setups with this setup.

    Can you explain this in more detail?

    UPN is most likely something like surname.name@domain.com 

    SAMAccountname should be domain\surname.name 

    So basically the same "attributes" in AD. 

    Most likely I could observe this issue in setups which grew over the past and renamed their accounts from "name" to surname.name.

    So they had a user with domain\name, and this company grew, so they had to change this user to surname.name@domain.com

  • Hi LuCar,

    The scenario:

    A user in our company has as UPN name.surname@domain.com and as SamAccount "first letter of the name + surname@domain.local", e.g. for my user riccardo.morandotti@domain.it and rmorandotti@domain.local.
    We had to change the UPN in order to use MS ADSync with O365, but we left the SAMAccount untouched because it is also used by some of our legacy applications on AS400...

    Issue

    The Sophos client sends the UPN as the string for authentication; the XG receives this value as the string for authentication, but the XG asks the AD for the SAMAccount value... so in my case 2 users are created on the firewall:

    - rmorandotti@domain.local

    - riccardo.morandotti

    And obviously the first one has all the rules and groups linked, while the second has nothing..

    SOPHOS Possible Solution

    Allow customizing the client to send SAMAccount or UPN, because as said it's really strange to send the UPN when you know that your XG uses the SAMAccount value to authenticate on AD... so the constraint that SAMAccount and UPN should be the same is due to the "exotic" implementation on the client side..

    I hope now it's clearer. I already informed my salesman at Sophos and the support because I think it was important to know of the existence of this topic.

    thanks
    Riccardo

  • Thanks for the idea Riccardo, creating a 2nd user on my XG has fixed my Heartbeat auth for now.
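
As an added example (not code from the thread or from Sophos), the following audit script flags the accounts Riccardo describes above, i.e. those whose UPN prefix differs from sAMAccountName and would therefore be split into two firewall users. It reads a CSV in the column layout of a `Get-ADUser -Properties UserPrincipalName | Export-Csv` export; the rows shown are constructed sample data.

```python
"""Audit helper for the UPN vs. sAMAccountName mismatch described in the thread.

Heartbeat identifies the user by UPN while the firewall keys users on
sAMAccountName, so any account whose UPN prefix differs from its
sAMAccountName ends up as two firewall users. Running this over an AD export
before enabling Heartbeat authentication shows which accounts are affected.
SAMPLE_EXPORT is constructed sample data, not a real directory export.
"""
import csv
import io

SAMPLE_EXPORT = """\
SamAccountName,UserPrincipalName
rmorandotti,riccardo.morandotti@domain.it
lucar,lucar@domain.it
svc_backup,
JDoe,jdoe@domain.it
"""


def upn_prefix(upn: str) -> str:
    """Part of the UPN before '@'; empty when the account has no UPN set."""
    return upn.strip().partition("@")[0]


def is_mismatch(sam: str, upn: str) -> bool:
    """True when the account would be split into two firewall users.

    AD compares both attributes case-insensitively, so only a difference in
    the characters themselves counts. Accounts with no UPN at all cannot be
    matched by UPN either and are reported as mismatches too.
    """
    return sam.strip().lower() != upn_prefix(upn).lower()


def audit(export_csv: str) -> list[dict[str, str]]:
    """Return the rows of an AD CSV export whose UPN prefix != sAMAccountName."""
    reader = csv.DictReader(io.StringIO(export_csv))
    return [
        {"SamAccountName": row["SamAccountName"],
         "UserPrincipalName": row["UserPrincipalName"]}
        for row in reader
        if is_mismatch(row["SamAccountName"], row["UserPrincipalName"])
    ]


if __name__ == "__main__":
    for row in audit(SAMPLE_EXPORT):
        print(f"{row['SamAccountName']:<14} UPN={row['UserPrincipalName'] or '<none>'}")
```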
