Heartbeat using wrong username

Hello,

Is there any way to tell the Heartbeat function to use the AD username format? By default it's using the "local" username format and every Heartbeat attempt ends up as failed.

What is strange is that some common users like "lunches (obedy)", "office dept" etc. use the AD format by default, and then Heartbeat successfully logs in.

Another strange thing is that although HB fails to log in, there are no missing HBs and all HBs are green.

thanks

  • Hi,

    Please advise which XG version (software) you are running?
    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Heartbeat (on the endpoint) does a check on the format of your username. It checks whether the sAMAccountName and domain name differ from the UPN. If it is different, it sends only the sAMAccountName to the firewall. Then the firewall will match it against all AD servers. Check your AD and this particular user. You find the sAMAccountName under Advanced View.

  • Yeah, sAMAccountName is really in this format. Now the question is how to handle this situation. I don't really want to change this attribute in AD, it might break some other service outside of the Sophos stuff.

    And why is Heartbeat green when almost every user is failing to log in with HB?

  • Heartbeat is not user authentication. Heartbeat is "the endpoint's service is OK". The endpoint is doing its part and sends the authentication. The firewall is just not able to authenticate. This is not a reason to change the heartbeat.

    You can fix this on the firewall. You can create another AD server on the firewall using the other domain name. With this approach, the firewall will be able to authenticate with the other domain name, which is likely missing currently.

    SFOS blocks the creation of another AD server with the same IP. So to have the option to create another AD server on SFOS with the same IP, create an FQDN host on the firewall, call it "AD1" and point it to the AD server IP. You can use this AD1 in Authentication - Server and create it with the "other domain name". This should resolve your issue.

  • Well, this might work if the failing login were in domain format, but as you can see it's just a plain user.name without the domain suffix.

  • Because the firewall cannot locate an AD server to authenticate this user.

  • Not sure if we fully understand each other. Users should be authenticated by the currently added server (and they are, successfully, in services other than HB). It's a local domain in the format *.*.cz.

    The problem is that HB is using the sAMAccountName (which is without the domain suffix) and the firewall is expecting a login with the domain suffix. This can't be solved by adding another AD server, right?

    Can I somehow configure the firewall so it would expect the sAMAccountName, or on the other hand configure HB to send some other AD attribute to authenticate?

    Thank you!

  • The firewall will forward the sAMAccountName and attach the domain you configured on the AD server entry when it sends it to the AD server. This results in a mismatch and the AD server will give a deny back (you see this in the log viewer). The log viewer will not show the entire login request, but it's domain\samaccountname.
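To make the mismatch discussed in this thread concrete, here is an added example (not Sophos code) that models the behaviour the replies describe: the endpoint sends the bare sAMAccountName when it, or the machine's domain, differs from the UPN, and the firewall prepends the domain configured on its AD server entry (domain\user). The user records, domain names and the rule that a UPN login is forwarded unchanged are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class AdUser:
    sam_account_name: str  # sAMAccountName, e.g. "jan.novak" or "lunches (obedy)"
    upn: str               # userPrincipalName, e.g. "jan.novak@firma.cz"
    account_domain: str    # domain the account really lives in (constructed field)


def endpoint_login_name(user: AdUser, endpoint_domain: str) -> str:
    """Login the endpoint sends, per the thread: the bare sAMAccountName when
    the UPN prefix or suffix differs from sAMAccountName / machine domain,
    otherwise the full UPN (assumed behaviour, not verified against Sophos code)."""
    prefix, _, suffix = user.upn.partition("@")
    if (prefix.casefold() != user.sam_account_name.casefold()
            or suffix.casefold() != endpoint_domain.casefold()):
        return user.sam_account_name
    return user.upn


def firewall_bind_name(login: str, server_domain: str) -> str:
    """Name the firewall forwards to AD: a bare sAMAccountName gets the domain
    configured on the firewall's AD server entry prepended (domain\\user).
    A UPN is assumed to be forwarded unchanged."""
    if "@" in login:
        return login
    return f"{server_domain}\\{login}"


def heartbeat_auth_outcome(user: AdUser, endpoint_domain: str,
                           server_domains: list[str]) -> tuple[str, str, bool]:
    """Try each configured AD server entry in turn (the thread's suggested fix is
    adding a second entry with the 'other' domain). Authentication succeeds when
    the domain part of the forwarded name equals the account's real domain."""
    login = endpoint_login_name(user, endpoint_domain)
    last_bind = ""
    for server_domain in server_domains:
        bind = firewall_bind_name(login, server_domain)
        domain = bind.split("\\", 1)[0] if "\\" in bind else bind.rsplit("@", 1)[1]
        if domain.casefold() == user.account_domain.casefold():
            return login, bind, True
        last_bind = bind
    return login, last_bind, False


# Constructed sample users mirroring the thread: a plain "user.name" account whose
# UPN suffix differs from the AD domain, and a "common" account that matches.
JAN = AdUser("jan.novak", "jan.novak@firma.cz", "ad.firma.cz")
OFFICE = AdUser("office dept", "office dept@ad.firma.cz", "ad.firma.cz")
```

Running `heartbeat_auth_outcome(JAN, "ad.firma.cz", ["firma.cz"])` shows the deny path (bare login, wrong domain prepended), while adding "ad.firma.cz" as a second server entry makes the same login succeed.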

  • Hello Jakub,

    Please send me a PM and I'll let you know what the problem is. We solved a similar problem more than three years ago and did not solve it. The problem is not on our side, believe me ....

    Regards

    alda
