Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 2 replies
  • Subscribers 28 subscribers
  • Views 6017 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Active Directory w/ subdomains: authentication fails for users of subdomain

Denny G.

Hi all,

we have XG-310 (FW: HW-SFOS_16.05.6_MR-6.SF300-266) with some REDs setup as a trial. This works as intended but we have some trouble with the AD connection.

We have a root-domain and a subdomain for each subsidiary. We have a global security group "Sophos Users" in the domain "company.com". In this group are users and groups from all domains (e.g. john@company.com, mary@de.company.com, neo@uk.company.com, allusers@ca.company.com).

Although using the global catalog port (3268), users from the subdomains cannot login. This is because the XG is prefixing every username with the "NETBIOS Domain" (which is a mandatory field when adding an AD connection). The NETBIOS name is in our case "COMPANY"

 

Example:

john is sent as "COMPANY\john" to the AD server -> user can login
mary is sent as "COMPANY\mary" to the AD server which fails because her account is "DE\mary" -> user cannot login
DE\mary ist sent as "COMPANY\DE\\mary" to the AD server which fails even harder (of course) -> user cannot login

 

Right now we are using a workaround by adding an authentication server for each domain. But, this is ... crap.

Did anyone else run into this issue and fixed it?

 

Thanks,

Denny



This thread was automatically locked due to age.
  • 0

    Hi Denny , 

    In this case you may need to use the use username@de.sophos.com and user@company.com and adjust the attributes in the Authentication server.

  • 0 in reply to Aditya Patel

    Users from the root domain are fine with user@company.com. Users from a subdomain cannot login with user@subdomain.company.com either.

    Interesting: when entering the username from a subdomain-user I can see the wrong login ("company\username") in tcpdump received by the AD server. When using username@subdomain.company.com no auth request seems to be sent to the AD server because it's not bein recorded by tcpdump.

    My current configuration looks like this:

    Adding more "detailed" search-queries (eg. dc=subdomain1,dc=company,dc=com etc) did not help in any case.

     

    Any addtional thoughts?