
Heartbeat using wrong username

Hello,

Is there any way to tell the Heartbeat function to use the AD username format? By default it's using the "local" username format and every Heartbeat attempt ends up as failed.

Strangely, some common users like "lunches (obedy)", "office dept" etc. use the AD format by default and then Heartbeat successfully logs in.

Another strange thing is that although HB fails to log in, there are no missing HBs and all HBs are green.

Thanks



  • Heartbeat (on the endpoint) does a check on the format of your username. It checks whether the sAMAccountName plus domain name differs from the UPN. If it is different, it sends only the sAMAccountName to the firewall. Then the firewall will match it against all AD servers. Check your AD and this particular user. You will find the sAMAccountName under Advanced View.


  • Yeah, sAMAccountName is really in this format. Now the question is how to handle this situation. I don't really want to change this variable in AD; it might break some other service outside of Sophos stuff.

    And why is Heartbeat green when almost every user is failing to log in with HB?

  • That is not correct. 

    Heartbeat is working perfectly fine with a .local account. 


  • Hello LuCar Toni,

    You are well aware that this is not true and that the implementation of Sophos Heartbeat has major implementation limitations!
    I will stop discussing in this thread; discussing with you is just a waste of time.

    How long will my last post exist before you delete it or block my access to this forum?

    Regards

    alda

  • Just to recap. You are mixing two different parts. The limitation is simply a UPN vs sAMAccountName issue. The limitation is not in the heartbeat, but in the access_server (the underlying daemon for authentication).

    This kind of issue comes up on a regular basis and most cases get resolved by using two different AD servers.

    Your issue (alda) is simply the problem of UPN vs sAMAccountName. The firewall matches the sAMAccountName against all AD servers. If you have multiple users with the same username (user@domain.local and another user: user@customer.com), the firewall will match those users against the first user and will not be able to split them up, as we use the sAMAccountName against the first domain we can reach.

    The limitation could be lifted by introducing a UPN filter, which means the firewall would only query the server which uses the UPN. But this is not the case and will cause your issue.

    But most customers simply have multiple domains, but the same users. So user@domain.local and user@customer.com is the same user. And the EP will fetch both pieces of information, notice the difference between UPN and sAMAccountName, split both pieces of information and send them to the firewall. The firewall is looking for user@customer.com, but there is no customer.com configured. Therefore the authentication will fail.

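To make the two explanations above (the endpoint's UPN vs sAMAccountName check, and the firewall matching a bare sAMAccountName against the first configured AD domain) concrete, here is an added model of that logic. It is illustration written for this thread, not Sophos code, and the `AdAccount`, `endpoint_identity` and `firewall_lookup` names, the sample accounts and the domain names are all constructed assumptions; the real products may behave differently in details the thread does not describe.

```python
"""Model of the username handling described in the thread (added illustration,
not Sophos code). Endpoint side: compare the UPN with sAMAccountName@domain and,
when they differ, report only the sAMAccountName. Firewall side: match a bare
name against every configured AD domain in configuration order, or a full
user@domain against exactly that domain. All data below is constructed."""

from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class AdAccount:
    sam_account_name: str   # hypothetical sAMAccountName attribute, e.g. "alice"
    domain: str             # DNS name of the AD domain the account lives in
    upn: str                # userPrincipalName attribute


def endpoint_identity(acct: AdAccount) -> str:
    """Identity the endpoint would report for the heartbeat (as the thread explains):
    the full UPN when it equals sAMAccountName@domain, otherwise the bare sAMAccountName."""
    expected_upn = f"{acct.sam_account_name}@{acct.domain}"
    if acct.upn.lower() == expected_upn.lower():
        return acct.upn
    return acct.sam_account_name


def firewall_lookup(identity: str, directory: Dict[str, Set[str]]) -> Optional[str]:
    """Resolve the reported identity against the firewall's configured AD domains.

    directory maps configured domain name -> set of sAMAccountNames that domain knows
    (insertion order = configuration order). Returns "name@domain" of the first match,
    or None when no configured domain knows the name, i.e. the failed-heartbeat case
    the thread describes (e.g. a UPN suffix such as customer.com that is not configured)."""
    if "@" in identity:
        name, _, domain = identity.partition("@")
        if domain in directory and name in directory[domain]:
            return f"{name}@{domain}"
        return None
    for domain, users in directory.items():
        if identity in users:
            return f"{identity}@{domain}"   # first configured domain wins
    return None


if __name__ == "__main__":
    # Constructed firewall configuration: two AD domains, "corp.local" listed first.
    configured = {"corp.local": {"alice", "bob"}, "other.local": {"alice"}}

    # Case 1: UPN suffix matches the domain -> the full UPN is reported and resolves.
    print(firewall_lookup(endpoint_identity(AdAccount("bob", "corp.local", "bob@corp.local")), configured))
    # Case 2: UPN suffix differs -> only "alice" is reported and the first domain wins,
    # so the two "alice" accounts cannot be told apart.
    print(firewall_lookup(endpoint_identity(AdAccount("alice", "corp.local", "alice@customer.example")), configured))
    # Case 3: a full UPN whose domain is not configured on the firewall -> no match, heartbeat auth fails.
    print(firewall_lookup("alice@customer.example", configured))
```

Running the script prints the resolved identity for the first two cases and `None` for the third, which is the situation the thread attributes to a UPN suffix that has no matching domain configured on the firewall.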

  • Hello LuCar Toni,

    I wrote that I will no longer communicate in this thread and I will therefore limit myself to simply stating the facts:


    - You are intentionally using a twisted scenario that does not match the scenario I have been pointing out from the beginning.
    - I could post your own statements in this forum which confirm my statements, including your recommendations on how to work around the problem of poor implementation of Sophos Heartbeat, including your recommendation to rename the internal domain ...
    - I could post to this forum all internal communication between me and my colleague and Sophos developers who will again confirm all my claims.

    Please don't provoke me. That's exactly all from me in this thread.

    Regards

    alda

  • Let's see if my approach will resolve the issue for the customer.


  • First of all, thank you both for spamming my thread :-)

    I don't know how adding the same AD server would help here. The user in this example, "vraspir.kamil", is exactly the same user on the same AD server as vraspir.kamil@*.*.cz, but HB, as you said, is using the sAMAccountName, which is only "vraspir.kamil" in my case, and users created by Endpoint on the firewall are in the format vraspir.kamil@*.*.cz; therefore heartbeats won't get authenticated.

    Adding the same server with a different domain name would help if these unauthenticated HBs were from some second domain (which I don't have), something like vraspir.kamil@whatever.cz

    Maybe I just don't get your suggestion, so please push me in the right direction if that's the case.

    Thank you!

  • Which domains do you currently have created in SFOS? Could you give us an overview?


  • Just one; it's synchronizing from just one AD server. Also, in the whole network I have just one domain and it's in the format *.*.cz

  • Can you check this particular user in AD? Check the advanced attributes.

    And:
