Skip to content

Configure AD SSO web authentication

Sophos Firewall supports NTLM and Kerberos web authentication for Active Directory single sign-on (AD SSO). See Authentication methods.

You must configure the following steps:

  1. Specify a hostname for Sophos Firewall.
  2. Configure an Active Directory (AD) server.
  3. Confirm that the AD server is the primary service for authentication.
  4. Turn on AD SSO for the zones requiring NTLM and Kerberos authentication.
  5. Turn on NTLM and Kerberos authentication for Web authentication.

Configure a hostname

For NTLM, you can configure a hostname or a fully qualified domain name (FQDN). To work correctly, Kerberos requires an FQDN.

  1. Go to Administration > Admin and user settings.
  2. For Hostname, enter a hostname or an FQDN.

    Example: sophosfirewall or sophosfirewall.mycompany.com

    If you configure an FQDN, the firewall uses the host part to join the AD domain, then appends the AD domain to it within AD. So, you can configure sophosfirewall.mycompany.com, but it's stored in AD as sophosfirewall.mycompany.local. This matters in DNS and Kerberos authentication. We recommend that you use the lowercase because Kerberos is case-sensitive.

    Note

    By default, the serial number is used as the hostname if you don't configure a specific FQDN hostname during the initial setup of the firewall.

  3. Click Apply.

Configure redirection location

  1. Go to Administration > Admin and user settings.
  2. Under Admin console and end-user interaction, select and configure the appropriate redirection setting:

    If you use Kerberos in transparent mode, the hostname used in redirection must be the hostname AD knows. This can be different from the configured one.

    On the client, you can run setspn -Q HTTP/* to confirm the Service Principal Name (SPN) of the firewall. You must use the same value in redirection. Make sure that it can be resolved in DNS.

    If you use NTLM in transparent mode with a hostname for redirection, the client automatically trust the server to send credentials to it.

    If you use an FQDN for redirection, the client needs to be configured to trust it.

    See Configure NTLM support in browsers.

  3. Click Apply.

Add an AD server

Add an AD server that includes a search query. You’ll need the following information to complete this task:

  • Domain name
  • NetBIOS domain
  • Username and password of a domain-joined user

    Tip

    Any domain-joined user account can query, search, and read AD group membership and is sufficient for non-AD SSO. However, you require an account that's a member of Domain Admins to join the computer to AD SSO. You can change the permission to a user account later.

Check the properties of the AD server. For example, on Microsoft Windows, go to Windows Administrative Tools.

Search queries are based on the domain name (DN). In this example, the DN is contoso.com, so the search query is: dc=contoso,dc=com.

  1. Go to Authentication > Servers and click Add.
  2. Configure the following:

    Note

    For settings not listed here, use the default value.

    Setting Value
    Server type Active Directory
    Server name My_AD_Server
    Server IP/domain 192.168.1.100
    NetBIOS domain contoso
    ADS user name <username>
    Password <password>
    Domain name contoso.com
    Search queries dc=contoso,dc=com
  3. Click Test connection to validate the user credentials and check the connection to the server.

    Note

    If you're having issues connecting the firewall to the AD server for AD SSO, try changing the Connection security to Plaintext. While Test connection may work, the AD SSO connection can sometimes have issues with increased connection security. Lowering security temporarily during debugging can determine if that's the issue, and needs further investigation.

  4. Click Save.

Set primary authentication method

To query the AD server first, set it as the primary authentication method. When users sign in to the firewall for the first time, they're automatically added as a member of the default group specified.

  1. Go to Authentication > Services.
  2. In the Authentication server list under Firewall authentication methods, select My_AD_Server.
  3. Move the server to the first position in the list of selected servers.

    Authentication servers.

  4. Click Apply.

  5. Go to Authentication > Groups and verify the imported groups.

Note

AD SSO connects to the servers in the order of their listing under Selected authentication server. It only connects to the other servers if it can't reach the preceding servers.

Turn on AD SSO for LAN zones

Turn on AD authentication for the required zones.

AD authentication is required for Kerberos and NTLM to work.

  1. Go to Administration > Device access.
  2. Select the checkbox to turn on AD SSO for the LAN zone. You can also turn on AD SSO for other zones if required.
  3. Click Apply.

Turn on Kerberos and NTLM authentication for web authentication

Allow browsers to authenticate using Kerberos and NTLM.

  1. Go to Authentication > Web authentication.
  2. Under If Active Directory (AD) SSO is configured, select Kerberos & NTLM.
  3. Click Apply.

Check Kerberos and NTLM connection

Use the log viewer to check if Kerberos and NTLM is working and that web requests are being authenticated correctly.

  1. Open Log viewer.
  2. In the drop-down list, select Authentication.

When the firewall initially connects with the AD server, it will log the messages Kerberos authentication initialized successfully and NTLM authentication channel established successfully.

AD SSO won't work if the message Cannot initialize Kerberos authentication or Cannot establish NTLM authentication channel appears. The firewall requires both NTLM and Kerberos to be configured and working correctly with the AD server before it offers either one to web clients. In this case, check the configured AD server. Try changing the Connection security to Plaintext, and make sure that the AD server account is a member of Domain Admins. More detailed error messages may be available on the AD server for why the server refuses the connection.

Successful authentications are shown in this log if you configure web requests to require web authentication. The Log Comp column indicates if the client uses NTLM or Kerberos.

Note

If you want the client to use Kerberos, but it's using NTLM, the client may not be matching the Service Principal Name (SPN). On the client, run the command setspn -Q HTTP/*. For transparent mode, the configured redirection URL must match the SPN. For standard mode, the proxy configured in the browser must match the SPN.

More resources