We often use the UPN feature in Active Directory. If you don’t know what this is: it lets us use the people’s emailname as the login like dennis@360ict.nl instead of 360ict\dennis. You can find more on the UPN here and here.

The trouble was that we couldn’t get this to work in UTM, so i started a thread  a year ago and finally got Sophos support involved. Support did get it to work but i (on our test systems) and our reseller Contec ISC (on their test systems) couldn’t. They were silent after a while, so i decided to do some more digging myself. It turns out you shouldn’t use the test button in the authentication server section when using LDAP, how foolish of me..  :evil:. After i used the userportal to test everything went fine. I’ve sent an email to the sophos support to get more explanation on this, i suspect a bug in that test button.

So, that’s the short story. Here comes the long version on how to configure UPN logins on your UTM and more importantly, how to test UPN logins. This might work on other LDAP attributes like emailadress, but i haven’t tried that.

First you need to set a LDAP Authentication Server;

To read objects from the LDAP server, the UTM needs an user account to read out the LDAP server. So you need to create a user account (no special or admin rights needed) and fill the LDAP path to this object.

You can find the LDAP path in the “Active Directory Users and Computers tool” (or in adsiedit), i chose ADUC with the advanced features enabled and opened up the “attributes editor” tab and scrolled to “distinguished name”, opened it and copied it out and pasted it in the UTM under “Bind DN”;

You need to set a Base DN, this is the point from where the UTM is looking at your LDAP server. If you want your whole AD to be seen from the UTM, just point it to the root of you AD, like i did;

Click on Save (else you can’t test it). The server test should display;

And the user in the UTM should display;

But don’t be alarmed as the account has no other user groups than LDAP, as i found out the hard way (re-read the intro about that).

If you want to troubleshoot user authentication, you can use the logfiles in the webadmin gui, you want the “User authentication daemon”.

On the console you can look at aua.log. To set it in debug mode, run this command on the console;

killall -USR2 aua.bin

Be aware debug mode will show you all. And i mean all because it will display the passwords in plain text, so be sure to reset the debug mode to normal (run the command again) and to wipe the logfile.

A normal logging level while doing a bind test will show you this;
2013:12:19-12:37:47 abn-tsasg1 aua[23503]: id=”3006″ severity=”info” sys=”System” sub=”auth” name=”Spawned child for authentication test”
2013:12:19-12:37:47 abn-tsasg1 aua[23503]: id=”3006″ severity=”info” sys=”System” sub=”auth” name=”Bind test request: adirectory”
2013:12:19-12:37:47 abn-tsasg1 aua[23503]: id=”3006″ severity=”info” sys=”System” sub=”auth” name=”Bind test successfull. Method: adirectory

And debug mode shows;
2013:12:19-12:36:01 abn-tsasg1 aua[3398]: id=”3007″ severity=”debug” sys=”System” sub=”auth” name=”handle_client:
test:adirectory,10.100.129.225,0,389,Vel0cett3,CN=Administrator,CN=Users,DC=velocette,DC=internal”
2013:12:19-12:36:02 abn-tsasg1 aua[3398]: id=”3007″ severity=”debug” sys=”System” sub=”auth” name=”Request: $VAR1 = [
2013:12:19-12:36:02 abn-tsasg1 aua[3398]: ‘test:adirectory’,
2013:12:19-12:36:02 abn-tsasg1 aua[3398]: ‘10.100.129.225’,
2013:12:19-12:36:02 abn-tsasg1 aua[3398]: ‘0’,
2013:12:19-12:36:02 abn-tsasg1 aua[3398]: ‘389’,
2013:12:19-12:36:02 abn-tsasg1 aua[3398]: ‘Vel0cett3’,
2013:12:19-12:36:02 abn-tsasg1 aua[3398]: ‘CN=Administrator,CN=Users,DC=velocette,DC=internal’
2013:12:19-12:36:02 abn-tsasg1 aua[3398]: ];
2013:12:19-12:36:02 abn-tsasg1 aua[3398]: “
2013:12:19-12:36:03 abn-tsasg1 aua[3398]: id=”3007″ severity=”debug” sys=”System” sub=”auth” name=”Client requested bind test of method: adirectory”
2013:12:19-12:36:03 abn-tsasg1 aua[3398]: id=”3007″ severity=”debug” sys=”System” sub=”auth” name=”Master: waiting for new connection.”
2013:12:19-12:36:03 abn-tsasg1 aua[23181]: id=”3006″ severity=”info” sys=”System” sub=”auth” name=”Spawned child for authentication test”
2013:12:19-12:36:03 abn-tsasg1 aua[23181]: id=”3006″ severity=”info” sys=”System” sub=”auth” name=”Bind test request: adirectory”
2013:12:19-12:36:03 abn-tsasg1 aua[23181]: id=”3007″ severity=”debug” sys=”System” sub=”auth” name=”performing bind test for method: adirectory”
2013:12:19-12:36:03 abn-tsasg1 aua[23181]: id=”3007″ severity=”debug” sys=”System” sub=”auth” name=”performing bind test to ldap://10.100.129.225:389″
2013:12:19-12:36:05 abn-tsasg1 aua[23181]: id=”3006″ severity=”info” sys=”System” sub=”auth” name=”Bind test successfull. Method: adirectory”
2013:12:19-12:36:05 abn-tsasg1 aua[23181]: id=”3007″ severity=”debug” sys=”System” sub=”auth” name=”sending result to client”
2013:12:19-12:36:05 abn-tsasg1 aua[23181]: id=”3007″ severity=”debug” sys=”System” sub=”auth” name=”test finished”
(these logs are from sophos support)

This is enough to let the users authenticate with UPN, but to make it a bit more useful we will configure the user portal so you can see how the groups should be set up. Go to “Users & Groups” in the webadmin and configure a LDAP group;

You can’t test the group memberships except use debug mode and look at the console. Again, don’t trust the test button on the “server authentication” as explained earlier.

I’m not gonna explain how the user portal and it’s features work, you can find that in the help of UTM. If you want to authenticate using the UPN in the user portal, you need to add the LDAP group to the user portal;

If you logon to the user portal with an UPN name and you have debug mode enabled, you should see this in the logs;
2013:11:20-11:10:59 UTM9 aua[3268]: id=”3007″ severity=”debug” sys=”System” sub=”auth” name=”handle_client: portal,upntest@astarosupport.de,password,192.168.70.3″
2013:11:20-11:11:00 UTM9 aua[8198]: id=”3007″ severity=”debug” sys=”System” sub=”auth” name=”Entering do_auth_ldap”
2013:11:20-11:11:00 UTM9 aua[8198]: id=”3007″ severity=”debug” sys=”System” sub=”auth” name=”Entering do_auth_directory: server=10.128.13.150 port=389 ssl=0 bind_dn=cn=administrator, cn=users, DC=astarosupport, dc=de base_dn=DC=astarosupport, dc=de”
2013:11:20-11:11:00 UTM9 aua[8198]: id=”3007″ severity=”debug” sys=”System” sub=”auth” name=”ldapFilter: (&(objectClass=*)(userPrincipalName=upntest@astarosupport.de))”
2013:11:20-11:11:00 UTM9 aua[8198]: id=”3007″ severity=”debug” sys=”System” sub=”auth” name=”server_groups: memberof:cn=local_group-sid,cn=users,dc=astarosupport,dc=de,memberof:*,memberof:cn=internet_full-access,cn=users,dc=astarosupport,dc=de,memberof:*,memberof:cn=internet_limitited,cn=users,dc=astarosupport,dc=de,memberof:*,memberof:cn=esx

You can see the memberof being correctly read as it shows you the group memberships (this log is actually from Sophos support) but don’t test with the test button on the authentication server page, this will yield no results and makes the whole thing even harder to troubleshoot.

I also found out that the LDAP authentication tries to create the user again and fails if it’s already created using an AD server. In my testing i had set the “create users automatically” set to on;

Most of the time i want this on, as SSO otherwise don’t has much use. This had created the user “Dennis” and conflicted with the user creation of dennis@360ict.nl. The debug log showed me;

that could be easily solved: delete the user “dennis” and after that i could succesfully login into the user portal.

UTM showed the newly created user as dennis@360ict.nl;

I think this has to do with the uniqueness of the email adress property in the UTM, but that’s just a hunch.

Update:
i tested on a system that hasn’t set the email property in the AD account (=has no exchange in the domain) and on that system i could login with both the UPN name and the AD name and both users got created in UTM. So my guess is that having set the same email property in 2 accounts in the AD prevents UTM to have both users automatically created.

Categories: Sophos UTM

6 Comments

  1. Jinm

    This dont works

    1. Dennis Pennings

      could you clarify a bit? We have it working on 3 different UTMs, so i know it works. It took me a long time though to find the right settings, so show me what your config is and what does and what does not work.

  2. Erik

    Thanks. Due to your comment on e-mailaddress I finally was able to get logged in at the Userportal.. Dit cost me half a day…

  3. Frank

    My Bind DN was working with just the ‘username’ and now all of a sudden it stopped. I get the follow error “Error: Server exists and accepts connections, but bind to ldap://10.10.52.1:389 failed with this Bind DN and Password.”

    1. Dennis Pennings

      Did you test the LDAP server for correct service credentials? Seems to me your account used to connect to LDAP does not seem to work.

      In the above post, click the TEST buttons onder the section
      “First you need to set a LDAP Authentication Server”

  4. wiLLow

    Hello Frank,

    that is a bug in the new Firmware.
    If you retype the password and click on TEST, the test will pass. If you save it and try ig again – it will fail.

Leave a Reply

Your email address will not be published. Required fields are marked *

*