This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SamAccount vs UPN - Heartbeat authentication

Dears,

we figured out that Sophos authenticator via Heartbeat does not support an enviroment in which SamAccount name is different from UPN, here the quotation from Sophos KB: "UPN must be identical to sAMAccountName to make the login successful as the sAMAccountName is used by the XG Firewall and not the UPN."
In an enviroment in which is used Office 365 normally the UPN is different from SamAcocunt name and it is quite a standard de facto.
In our case after the update I had a lot of wrong users created automatically based on UPN (name.surname.. no domain) and no rules anymore working..obviously we figured it out and fixed it in a short time... Did anybody else have this problem and found a way to manage it?

@Sophos: please consider this scenario and to give more flexibility to the firewall when managed users in Active Directory (e.g. choose if use SAMaccount anme or UPN to create a users..)

Thanks

Riccardo

This thread was automatically locked due to age.

Parents

0 alda over 6 years ago

Hello Riccardo,

this is a confirmed bug that should be corrected in a new version of the end-point client which release is scheduled to this month / early next month (April / May 2019) ...

Regards

alda
Cancel
Vote Up 0 Vote Down

Cancel
0 john_kenny over 6 years ago in reply to alda

cant wait, wasnt sure where the problem lied XG or Central Endpoint? So its a bug in Central Endpoint then?

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 alda over 6 years ago in reply to john_kenny

Hello John,

by Sophos is the problem in the authorization engine in the Central end-point client.

Ragards

alda
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 alda over 6 years ago in reply to john_kenny

Hello John,

by Sophos is the problem in the authorization engine in the Central end-point client.

Ragards

alda
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 john_kenny over 6 years ago in reply to alda

Was that a question or comment?

Thanks

But does seem correct seeing as its the Endpoint agent picking up the currently logged in user? Ive only added a 2nd user on my XG to match the username from heartbeat auth logs, now my Syncronized user id is working again on XG as i wanted?? If the UPN was what was being picked up im sure i can go back to 1 user on XG that matches my LDAP directory users UPN? But for now if its picking up the sam name this 2nd user should still work for my needs. Ive still got a question as to what XG is looking for on LDAP though as my LDAP user still doesnt match the sam account name??

Ok so it is using the samaccountname from XG to LDAP, it was the custom attribute i added to my LDAP directory user samaccountname = fornamesurname.
Cancel
Vote Up 0 Vote Down

Cancel
0 alda over 6 years ago in reply to john_kenny

Hello John,

it was the comment. The problem arises, as I have already mentioned (and how Sophos escalation team confirmed) in the Sophos Central end-point client. If the sAMAccountName and the UPN is not the same an Sophos Central end-point client sent to XG firewall by mistake the UPN name (though its should send the sAMAccountName), XG firewall it evaluates this as an authorization error and declares authorization as invalid.

Workaround is very simple, unite temporarily the sAMAccountName and the UPN name. This is a tried and recommended solution until a new one is released.

Regards

alda
Cancel
Vote Up 0 Vote Down

Cancel
0 LAN2WAN over 6 years ago in reply to alda

Hi

Now we are into June has this fix been released, do it have a version number so I can tell if I have it?

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 hcdave over 6 years ago in reply to LAN2WAN

http://downloads.sophos.com/readmes/sesc_core_rneng.html

2.3.0 is still the latest version according to this table.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to hcdave

https://community.sophos.com/products/xg-firewall/f/authentication/109807/synchronized-user-id-and-username-with-domain-name-not-working/406962#406962
Cancel
Vote Up 0 Vote Down

Cancel