Authenticate Using UserPrincipalName?

Hi,

we're using Sophos XG (now updated to 16) to publish Outlook Web Application, is it possible to authenticate our AD users using their UserPrincipalName (which matches their email address)? At the moment the username is their sAMAccountName.

On the Authentication > Servers screen we can define the 'Display Name Attribute' and 'Email Address Attribute' but I can't see a way of defining the username.

many thanks,

Tom



This thread was automatically locked due to age.
  • I've been doing a bit more testing and I'm pretty sure we should be able to do this by using an LDAP server connection instead. However, when I try to connect we get the error message in the authentication logs:

    User xxx failed to login to WAF through LDAP, Local authentication mechanism because of wrong credentials.

    I've set the LDAP server up to point to one of our DCs and the test connection looks OK; it found the base DN OK and I've set the 'Authentication Attribute' to userPrincipalName.

    The most confusing field on this is 'Group Name Attribute' - what is this used for and what should it be set as?

    cheers,

    Tom

  • Tom,

    Can you share your authentication mechanism inside the Business Application Rule (BAR)? SSO should work with no issue. If you have AD, go for it. LDAP is a little bit more complex and I recommend you use it only when you have a Linux machine.

    Thanks

  • Hi,

    thanks for the suggestion - I managed to get LDAP working though and it is now doing exactly what we wanted.

    My main problem was due to the username setting - I had to use the CN=username,OU=container etc format (with the base DN removed from the username). Once I'd got this set correctly everything was fine.

    cheers,

    Tom
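
The username form described in the last reply (the account's DN with the base DN removed), as an added example that is not part of the thread or Sophos code: it derives that relative DN and rejects an account that does not sit under the configured base DN. The function names and all DNs are constructed for illustration, and it assumes the field wants exactly the format Tom describes.

```python
"""Derive a DN relative to a base DN, as in 'CN=username,OU=container' above.

All DNs used with this code are constructed samples, not values from the thread.
"""


def split_rdns(dn: str) -> list[str]:
    """Split a DN into RDNs on unescaped commas (RFC 4514 backslash escapes)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":                  # unescaped comma ends the RDN
            rdns.append("".join(current).lstrip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).lstrip())
    return [r for r in rdns if r]


def _normalise(rdn: str) -> tuple[str, str]:
    """Case-insensitive comparison key; AD treats DN components that way."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip().lower()


def relative_dn(full_dn: str, base_dn: str) -> str:
    """Return full_dn with the trailing base_dn removed.

    Raises ValueError when the account is not below the base DN, which is
    the misconfiguration that would otherwise surface only as a failed login.
    """
    full, base = split_rdns(full_dn), split_rdns(base_dn)
    if not base or len(full) <= len(base):
        raise ValueError("DN is not below the base DN")
    tail = full[-len(base):]
    if [_normalise(r) for r in tail] != [_normalise(r) for r in base]:
        raise ValueError("DN is not below the base DN")
    return ",".join(full[:-len(base)])
```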