
NTLM and Kerberos troubleshooting

I am troubleshooting AD single sign-on with my XG Firewall V18 MR3

I have found this in the help section, please can someone explain what the Firewall Rule mentioned in the Red Box in the screenshot below should consist of?

I have no rules which allow NTLM/Kerberos Traffic, so will need to create one, along with a NAT rule I suspect.

I want my internal Clients to Authenticate with AD SSO, so I imagine this rule mentioned above directs NTLM/Kerberos traffic back to the Domain controllers?

STAS is so flaky I want to try this instead.

Any advice appreciated.

Thanks,

Craig



  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Step 3 in the screenshot refers to the user-based firewall rule that authenticates users against local or external authentication servers such as Active Directory, RADIUS, LDAP, TACACS+ and eDirectory. Check out the following KBA for more info:

    Thanks,

  • Hi H_Patel,

    Thanks for the reply.

    So basically, if I have user-based firewall rules in place, of which I have many, step 3 is covered?

    My AD servers are set up, and my user-based rules are in place and already functioning (with STAS authentication).

    When I turn on AD SSO on the LAN zone to enable Kerberos authentication, it doesn't work, and I don't get forwarded to the captive portal.

    Do I need to turn off STAS to allow the AD SSO to work?

    Do I need to have "Local" selected in the Firewall Authentication Methods > Authentication server list?

    What is the priority of the different authentication methods? I.e. if multiple authentication methods are turned on, what is the order of processing?

    e.g. 1) STAS, 2) RADIUS, 3) AD SSO, 4) Captive Portal

    BTW, AD authentication is working fine for my admins to log into the XG admin console, so something must be working.

    Thanks,

    Craig

  • FormerMember (in reply to CraigLloyd)

    Hi,

    Thank you for the update. 

    Yes, if the user-based rule is in place, step 3 is covered.

    You have to disable STAS to use Kerberos/NTLM (AD SSO). As STAS comes first in the authentication order, Kerberos/NTLM will not work if STAS is enabled.

    Following is the order of the authentication methods:

    1. Hotspot
    2. Clientless Users
    3. Sophos Transparent Authentication Suite (STAS)
    4. Sophos Authentication for Terminal Clients (SATC)
    5. Synchronized User Identity
    6. VPN SSO
    7. RADIUS SSO
    8. Kerberos/NTLM (AD SSO)
    9. Chromebook SSO
    10. Authentication Agent
    11. Captive Portal

    You can keep the local server selected for local users and admins; change the authentication server order and move the AD server to the top, as described in the document How to turn on Kerberos authentication.

    Thanks,
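The answers above cover the firewall side (authentication order, user-based rule, AD server at the top of the server list). Before touching any of that, it helps to confirm from a client that Kerberos can even happen: the client must find a KDC, the firewall's name must resolve in the domain's DNS, and the KDC must be willing to issue a service ticket for the firewall's SPN. The script below is an added example, not code from the original thread or from Sophos. The firewall FQDN `xg.corp.example` and the SPN `HTTP/xg.corp.example` are assumptions for illustration; adjust them to your environment and verify the SPN form against your own setup.

```powershell
# Added example (not from the original thread or from Sophos): a client-side
# pre-flight check of what Kerberos SSO to the firewall depends on.
# Save as a .ps1 and run as the logged-in domain user on a domain-joined
# Windows client (not elevated: the ticket cache belongs to the logon session).
#
# Assumptions, both hypothetical; change them to match your environment:
#   $FirewallFqdn - the DNS name clients use to reach the firewall's SSO listener
#   $Spn          - the SPN the browser requests a ticket for (HTTP/<fqdn> is the
#                   usual convention for HTTP-based SSO; verify against your setup)
param(
    [string]$FirewallFqdn = "xg.corp.example",
    [string]$Spn          = "HTTP/xg.corp.example"
)

function Test-KerberosSsoPrereqs {
    param([string]$FirewallFqdn, [string]$Spn)
    $ok = $true

    # 1. Domain logon and a reachable domain controller (KDC listens on TCP 88).
    if (-not $env:USERDNSDOMAIN) {
        Write-Warning "Not logged in with a domain account; Kerberos SSO cannot work."
        return $false
    }
    $dcLine = nltest /dsgetdc:$env:USERDNSDOMAIN 2>$null |
              Select-String -Pattern '^\s*DC:\s*\\\\(\S+)'
    if (-not $dcLine) {
        Write-Warning "No domain controller located for $env:USERDNSDOMAIN."
        $ok = $false
    } else {
        $dc  = $dcLine.Matches[0].Groups[1].Value
        $kdc = Test-NetConnection -ComputerName $dc -Port 88 -WarningAction SilentlyContinue
        if ($kdc.TcpTestSucceeded) { "KDC $dc reachable on TCP 88" }
        else { Write-Warning "KDC $dc not reachable on TCP 88"; $ok = $false }
    }

    # 2. The firewall name must resolve in the domain's DNS. If clients reach the
    #    firewall by IP address or an unresolvable name, browsers do not attempt
    #    Kerberos at all and fall back to NTLM.
    try {
        $a = Resolve-DnsName -Name $FirewallFqdn -Type A -ErrorAction Stop
        "$FirewallFqdn resolves to $($a.IPAddress -join ', ')"
    } catch {
        Write-Warning "$FirewallFqdn does not resolve: $($_.Exception.Message)"
        $ok = $false
    }

    # 3. Ask the KDC for a service ticket for the SPN. If this fails, the SPN is
    #    not registered on any account in AD and the browser cannot do Kerberos,
    #    whatever the firewall is configured to accept.
    $null = klist get $Spn 2>&1
    $hasTicket = klist 2>$null | Select-String -SimpleMatch "Server: $Spn"
    if ($hasTicket) { "Service ticket obtained for $Spn" }
    else { Write-Warning "No service ticket for $Spn; check the SPN registration in AD"; $ok = $false }

    return $ok
}

if (Test-KerberosSsoPrereqs -FirewallFqdn $FirewallFqdn -Spn $Spn) {
    "Client-side prerequisites met; if SSO still fails, look at the firewall's authentication order and user-based rules."
} else {
    "One or more prerequisites failed; fix these before changing firewall settings."
}
```

If step 3 reports a ticket but SSO still does not happen, the problem is on the firewall side, which is where the ordering in the answer above applies: STAS, SATC and the other methods listed before Kerberos/NTLM will take the user first if they are enabled.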