SamAccount vs UPN - Heartbeat authentication

Dears,

We figured out that Sophos authentication via Heartbeat does not support an environment in which the sAMAccountName is different from the UPN. Here is the quotation from the Sophos KB: "UPN must be identical to sAMAccountName to make the login successful as the sAMAccountName is used by the XG Firewall and not the UPN."
In an environment in which Office 365 is used, the UPN is normally different from the sAMAccountName, and this is quite a de facto standard.
In our case, after the update I had a lot of wrong users created automatically based on the UPN (name.surname, no domain) and no rules working anymore. Obviously we figured it out and fixed it in a short time. Did anybody else have this problem and find a way to manage it?

@Sophos: please consider this scenario and give more flexibility to the firewall when managing users from Active Directory (e.g. choose whether to use the sAMAccountName or the UPN to create users).

Thanks

Riccardo
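
As an added example (not part of Riccardo's post and not Sophos code), the following PowerShell function lists the accounts affected by the mismatch described above: users whose UPN prefix (the part before "@") differs from their sAMAccountName, plus accounts with no UPN at all. The sample accounts are constructed so the function runs without a domain controller; the commented Get-ADUser pipeline at the end shows how to run it against a real domain (it assumes the ActiveDirectory module from RSAT is installed).

```powershell
# Added example (not from the original post or Sophos): find AD accounts whose
# UPN prefix differs from sAMAccountName, i.e. the accounts that a firewall
# matching on sAMAccountName would resolve under a different name than the UPN.

function Get-UpnSamMismatch {
    [CmdletBinding()]
    param(
        # Objects with SamAccountName and UserPrincipalName properties,
        # e.g. the output of Get-ADUser -Properties UserPrincipalName.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $User
    )
    process {
        foreach ($u in $User) {
            if (-not $u.UserPrincipalName) {
                # No UPN set at all: flag it, since nothing can match.
                [pscustomobject]@{
                    SamAccountName = $u.SamAccountName
                    UpnPrefix      = $null
                    Status         = 'NoUPN'
                }
                continue
            }
            $prefix = ($u.UserPrincipalName -split '@')[0]
            # sAMAccountName is case-insensitive in AD, so compare with -ieq.
            $status = if ($prefix -ieq $u.SamAccountName) { 'Match' } else { 'Mismatch' }
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                UpnPrefix      = $prefix
                Status         = $status
            }
        }
    }
}

# Constructed sample data (hypothetical accounts) so the function can be
# exercised without a domain controller.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'rrossi';     UserPrincipalName = 'riccardo.rossi@example.com' }
    [pscustomobject]@{ SamAccountName = 'jsmith';     UserPrincipalName = 'jsmith@example.com' }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; UserPrincipalName = $null }
)
$sample | Get-UpnSamMismatch | Format-Table -AutoSize

# Against a real domain (requires the ActiveDirectory module / RSAT):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
#     Get-UpnSamMismatch | Where-Object Status -ne 'Match' |
#     Export-Csv .\upn-sam-mismatch.csv -NoTypeInformation
```

Run before enabling Heartbeat-based user identification: every row with Status "Mismatch" or "NoUPN" is an account the firewall will see under its sAMAccountName rather than its UPN, so either the firewall user must be created under that name or the two attributes must be aligned in AD.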

  • Hello Riccardo,

    This is a confirmed bug that should be corrected in a new version of the end-point client, whose release is scheduled for this month / early next month (April / May 2019).

    Regards

    alda

  • Can't wait. I wasn't sure where the problem lay, XG or Central Endpoint? So it's a bug in Central Endpoint then?

    Thanks

  • Hello John,

    According to Sophos, the problem is in the authorization engine in the Central end-point client.

    Regards

    alda

  • Was that a question or comment?

    Thanks

    But it does seem correct, seeing as it's the Endpoint agent picking up the currently logged-in user? I've only added a 2nd user on my XG to match the username from the heartbeat auth logs, and now my Synchronized User ID is working again on XG as I wanted. If the UPN was what was being picked up, I'm sure I could go back to 1 user on XG that matches my LDAP directory user's UPN. But for now, if it's picking up the SAM name, this 2nd user should still work for my needs. I've still got a question as to what XG is looking for on LDAP though, as my LDAP user still doesn't match the SAM account name.

    OK, so it is using the sAMAccountName from XG to LDAP; it was the custom attribute I added to my LDAP directory user: sAMAccountName = forenamesurname.
