SamAccount vs UPN - Heartbeat authentication

Dears,

We figured out that Sophos authentication via Heartbeat does not support an environment in which the sAMAccountName is different from the UPN; here is the quotation from the Sophos KB: "UPN must be identical to sAMAccountName to make the login successful as the sAMAccountName is used by the XG Firewall and not the UPN."
In an environment in which Office 365 is used, the UPN is normally different from the sAMAccountName, and this is quite a de facto standard.
In our case, after the update I had a lot of wrong users created automatically based on the UPN (name.surname, no domain) and no rules working anymore. Obviously we figured it out and fixed it in a short time. Did anybody else have this problem and find a way to manage it?

@Sophos: please consider this scenario and give more flexibility to the firewall when managing users in Active Directory (e.g. choosing whether to use the sAMAccountName or the UPN to create users).

Thanks

Riccardo

  • Hello Riccardo,

    this is a confirmed bug that should be corrected in a new version of the end-point client, whose release is scheduled for this month / early next month (April / May 2019).

    Regards

    alda

  • Can't wait. I wasn't sure where the problem lay, XG or Central Endpoint? So it's a bug in Central Endpoint then?

    Thanks

  • Hello John,

    according to Sophos, the problem is in the authorization engine in the Central end-point client.

    Regards

    alda

  • Was that a question or comment?

    Thanks

    But it does seem correct, seeing as it's the Endpoint agent picking up the currently logged-in user? I've only added a 2nd user on my XG to match the username from the heartbeat auth logs, and now my Synchronized User ID is working again on XG as I wanted. If the UPN was what was being picked up, I'm sure I could go back to 1 user on XG that matches my LDAP directory user's UPN? But for now, if it's picking up the SAM name, this 2nd user should still work for my needs. I've still got a question as to what XG is looking for on LDAP though, as my LDAP user still doesn't match the SAM account name.

    OK, so it is using the sAMAccountName from XG to LDAP; it was the custom attribute I added to my LDAP directory user: sAMAccountName = forenamesurname.

  • Hello John,

    it was a comment. The problem arises, as I have already mentioned (and as the Sophos escalation team confirmed), in the Sophos Central end-point client. If the sAMAccountName and the UPN are not the same, the Sophos Central end-point client sends the UPN name to the XG firewall by mistake (though it should send the sAMAccountName); the XG firewall evaluates this as an authorization error and declares the authorization invalid.

    The workaround is very simple: temporarily unify the sAMAccountName and the UPN name. This is a tried and recommended solution until a new one is released.

    Regards

    alda
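
An audit script, added here as an example and not taken from this thread or from Sophos, that lists the Active Directory accounts whose UPN prefix differs from the sAMAccountName, i.e. the users that would hit the mismatch alda describes; it assumes the ActiveDirectory RSAT module, and the search base OU is a placeholder:

```powershell
# Added example (not from the thread or Sophos): report AD accounts whose
# UPN prefix does not match sAMAccountName. Read-only; it changes nothing.
Import-Module ActiveDirectory

function Get-UpnSamMismatch {
    param(
        # Placeholder search base; replace with the OU your users live in.
        [string]$SearchBase = 'OU=Users,DC=example,DC=local'
    )

    Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
               -Properties SamAccountName, UserPrincipalName |
    ForEach-Object {
        $upn = $_.UserPrincipalName
        # Accounts with no UPN at all cannot be compared; flag them separately.
        if ([string]::IsNullOrEmpty($upn)) {
            $prefix = $null
            $reason = 'No UPN set'
        } else {
            # Keep only the part before the first '@' (the user logon name).
            $prefix = ($upn -split '@', 2)[0]
            $reason = 'UPN prefix differs from sAMAccountName'
        }

        # -ne is case-insensitive in PowerShell, matching how AD treats sAMAccountName.
        if ($null -eq $prefix -or $prefix -ne $_.SamAccountName) {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                UpnPrefix         = $prefix
                UserPrincipalName = $upn
                Reason            = $reason
                DistinguishedName = $_.DistinguishedName
            }
        }
    }
}

# Usage: review the affected accounts before deciding whether to align
# sAMAccountName and UPN as the workaround suggests.
Get-UpnSamMismatch | Format-Table SamAccountName, UpnPrefix, UserPrincipalName, Reason -AutoSize
# Get-UpnSamMismatch | Export-Csv -NoTypeInformation -Path .\upn-sam-mismatch.csv
```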

  • Hi

    Now that we are into June, has this fix been released? Does it have a version number so I can tell if I have it?

    Thanks

  • http://downloads.sophos.com/readmes/sesc_core_rneng.html
    2.3.0 is still the latest version according to this table.
