SamAccount vs UPN - Heartbeat authentication

As far as i know, it is already in the pipeline to open the possibilities in those scenarios. 

I asked couple of my peers / partners and here in the community but nobody could explain me the reason for this AD setup.

You are referring to O365 setups with this setup.

Can you explain this in more detail?

UPN is most likely something like surname.name@domain.com 

SAMAccountname should be domain\surname.name 

So basically the same "attributes" in AD. 

Most likely i could observe this issue in setups, which grew over the past and renamed their accounts from "name" to surname.name. 

So they had user with domain\name and this company grew so they had to change this user to surname.name@domain.com 

HI LuCar,

The scenario:

a user in our company has as UPN name.surname@domain.com and as SamAccount "first letter of the name+surname@domain.local", e.g. for my user riccardo.morandotti@domain.it and rmorandotti@domain.local.
We had to change UPN in order to user MS Adsync with O365 but we left unthouch the SAMAccount becuase it also use on some of our legacy application on AS400...

Issue

Sophos client send the UPN as string for authentication, the XG receive this value as string for authentication but r the XG ask to the AD for the SAMAccount value... so in my case are created 2 users on the firewall:

-rmorandotti@domain.local

-riccardo.morandotti

And obviously the first one have all the rules linked and groups instead the second has nothing..

SOPHOS Possibile Solution

Allow to customize the client to send SAMAccount or UPN.. becuase as said it's really strange to send UPN when you know that your XG use the SAMAccount value to authenticate on AD... so the constraint that SAMAcocunt and UPN should be the same is due to the "esotic" implementation on the client side..

I hope now it's more clear, I already inform my sales man in Sophos and the support because I think it was important to know the exsistence of this topic

thanks
Riccardo

Has this changed recently??  Reason i ask is ive always used an AzureAD joined pc which was authenticating via XG via Jumpcloud RADIUS server via AzureAD.  But for some reason my the heartbeat authentication username has recently changed from forname.surname to fornamesurname and this has meant XG LDAP Auth is now failing??

I did some reading and apparently AzureAD doesnt use samaccountnames, it is supposed to use the Aliases set on the AzureAD user instead.  

Anyway i too hope that Sophos can incorporate UPN authentication for heartbeat as im struggling to get my XG running correctly since recently.

I may contact JumpCloud to see how Sam names are set on the LDAP users there as my XG is using JumpCloud as a middle man to AzureAD until XG can support AzureAD itself?

But if anyone knows of a way to change an AzureAD username from AzureAD\fornamesurename to AzureAD\forname.surname id appreciate the advice as that small "." is whats causing my XG's Heartbeat LDAP auth to fail now.

Thanks

Hello Riccardo, 

this is a confirmed bug that should be corrected in a new version of the end-point client which release is scheduled to this month / early next month (April / May 2019) ...

Regards

alda

cant wait, wasnt sure where the problem lied XG or Central Endpoint?  So its a bug in Central Endpoint then?

Thanks

Thanks for the idea Riccardo, creating a 2nd user on my XG has fixed my Heartbeat auth for now.

Hello John,

by Sophos is the problem in the authorization engine in the Central end-point client.

Ragards

alda

Was that a question or comment?

Thanks

But does seem correct seeing as its the Endpoint agent picking up the currently logged in user? Ive only added a 2nd user on my XG to match the username from heartbeat auth logs, now my Syncronized user id is working again on XG as i wanted??  If the UPN was what was being picked up im sure i can go back to 1 user on XG that matches my LDAP directory users UPN?  But for now if its picking up the sam name this 2nd user should still work for my needs.  Ive still got a question as to what XG is looking for on LDAP though as my LDAP user still doesnt match the sam account name??

Ok so it is using the samaccountname from XG to LDAP, it was the custom attribute i added to my LDAP directory user samaccountname = fornamesurname.

Hello John,

it was the comment. The problem arises, as I have already mentioned (and how Sophos escalation team confirmed) in the Sophos Central end-point client. If the sAMAccountName and the UPN is not the same an Sophos Central end-point client sent to XG firewall by mistake the UPN name (though its should send the sAMAccountName), XG firewall it evaluates this as an authorization error and declares authorization as invalid. 

Workaround is very simple, unite temporarily the sAMAccountName and the UPN name. This is a tried and recommended solution until a new one is released.

Regards

alda

Hi

Now we are into June has this fix been released, do it have a version number so I can tell if I have it?

Thanks