Domain authentication - admin PW with special characters

Good day everyone!

We have trouble with some XG Firewalls.

All administrator accounts with some specific special characters like ' aren't working anymore. It happened on firmware 17.5.2 and is still buggy on 18.0.3. So no new users are able to authenticate.

We tried to retype passwords - test it - all right; when you save it and test again, it fails. The error is persistent. We even tried to completely delete all domain users, groups and authentication servers - nothing changed.

We also contacted Sophos support, but until 11.2020 we got no support, even after escalating the ticket. Maybe someone here would like to help.



This thread was automatically locked due to age.
  • Which facilities are you trying to authenticate?

    And against which backend do you authenticate? AD Server?

    __________________________________________________________________________________________________________________

  • Sorry, forgot this part.

    We authenticate against the AD Server. We just want to sync the AD users and authenticate the AD users, so they can download VPN clients and so on.

  • Confirmed this behavior with 3 firewalls. When we use any other user to read / pull against AD, it works. Using the administrator, it fails.

  • But no user can be authenticated. When you try to authenticate on the user portal - authentication failed for the users.

  • If you use an admin user without this password to link this to the XG, can a user with this special character register on the user portal?

    __________________________________________________________________________________________________________________

  • Thanks for your fast support and sorry for my bad English ...

    Tried it - nothing changed. A new user tried to authenticate through the user portal - authentication failed.

  • First of all: the account used on the server page on XG needs to have a valid password, without the issue you discovered.
    In this scenario, everything should work, correct?
    If you use a user with a special password against the user portal, can this user authenticate at this point?

    So the issue only occurs if the XG to AD Server connection is not correct, as the authentication is invalid?

    __________________________________________________________________________________________________________________

  • First - administrator user with special characters in password - first time typing it in at authentication server - test OK, saving it, retesting it - fail.

    Now - using another admin user with another username and password - testing it - OK, saving it and retesting - OK - NOW I can import groups from AD. Trying to authenticate a user without special characters on user portal -> authentication failed.

  • So basically you can never successfully use the authentication of XG, is that what you are saying?

    __________________________________________________________________________________________________________________

  • This isn't so clear.

    We have used this feature for a long time. But this bug appeared about 2-3 months ago. Users who worked before this bug can be authenticated. New users can't.

  • Let's recap for a moment, as I am still not able to understand your issue.

    There are two different fields: 

    Authentication - Server - AD Server -> AD Username (Admin) + Password 1

    "General Authentication" - Any facility (Like User Portal, Webadmin etc.) -> Username + Password 2

    So if Password 1 is invalid (because of a bug or something), the authentication for password 2 will not work.

    If Password 1 is valid and can be used, password 2 should also work, as we use password 1 to authenticate against the AD. 

    __________________________________________________________________________________________________________________

  • It's a really messy bug, I know. And sometimes inconsistent...

    Authentication - Server - AD Server -> AD Username (Administrator) + Password 1

    Password1 with some special characters

    Test says OK - I save it and then try to import AD groups - failed, wrong authentication. (3 months ago it worked! Without any changes on adminpw or firewall config!)

    User2 with password2 - can authenticate on the user portal or through VPN - he has used this for about a year.

    NewUser3 with password3 can't authenticate against the AD by using the user portal of the XG Firewall.

    Now we change Password1 to a password without special characters.

    Test says OK - groups can be imported - testing NewUser3 to authenticate - it fails, another try - he can't authenticate, another try - he can authenticate! Another try with this NewUser3 - he can't authenticate.

    Now this try:

    Authentication - Server - AD Server -> AD Username (AdminUser) + PasswordX (so we are not using the Windows Domain standard administrator)

    PasswordX is the same as Password1 was (with special characters) - test says OK - save it, we CAN import groups. Behavior with users logging in to the user portal - nothing changed. Old users can always be authenticated, new users sometimes can, sometimes not.
