Keep the UPN added to the userid for multiple domain authentication
In a multiple-domain environment, it would be nice to route the users' authentication requests to the right authentication server based on their UPN (@domain.local).
Unfortunately, the Sophos XG removes the UPN and only sends the userid to the authentication server.
So, for example, using a RADIUS proxy to send the authentication requests to the right AD server will not work, as we cannot make a routing decision based on the UPN.
This is a big issue for many customers.
In Cyberoam OS 10.6.2 the UPN is untouched, but in releases higher than that and in Sophos XG, the UPN is removed by the system.
Please fix this.
... funny thing is... it can already extract the suffix of the UPN... :
DEBUG Aug 16 15:33:20 [ADS_AUTH]: (adsauth_handle_authrequest): Domain name not present in request
DEBUG Aug 16 15:33:20 [ADS_AUTH]: (adsauth_handle_authrequest): Extracted domainname domain.eu' from username
ERROR Aug 16 15:33:20 [ADS_AUTH]: (adsauth_handle_authrequest): domain name '' not found
but then it is not using the freakin' thing
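The routing decision the post is asking for, as an added example that is not part of the original request and not Sophos or Cyberoam code: a small model of what a RADIUS proxy does with the User-Name attribute before forwarding. It splits a UPN (user@realm) or a NetBIOS-style name (REALM\user) into userid and realm, looks the realm up in a per-domain server table, and forwards the bare userid to that server. The realm table, the NetBIOS alias map, the server addresses and the sample user names are all constructed for the example. The bare-userid case shows what happens when the realm has already been stripped upstream: no route can be chosen, and the proxy can only reject the request or fall back to a single default realm. Real proxies do the same split (FreeRADIUS, for instance, uses its realm module to cut the User-Name at the "@" delimiter and pick a home server pool per realm).

```python
"""Realm-based routing of RADIUS requests, modelled in plain Python.

Constructed example. Nothing here is a real server, realm or account;
the tables below stand in for a RADIUS proxy's realm configuration.
"""
from typing import NamedTuple, Optional, Tuple


class Route(NamedTuple):
    userid: str            # name forwarded to the home server (realm removed)
    realm: Optional[str]   # realm the request was matched to, or None
    server: Optional[str]  # home server chosen, or None if no route exists


# Hypothetical realm -> AD/NPS home server map, one entry per UPN suffix.
REALMS = {
    "domain.local": "dc1.domain.local:1812",
    "domain.eu": "dc1.domain.eu:1812",
}

# Hypothetical NetBIOS domain name -> DNS realm aliases, so that
# "DOMAIN\\user" and "user@domain.local" land on the same server.
NETBIOS_ALIASES = {
    "domain": "domain.local",
    "domaineu": "domain.eu",
}


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Return (userid, realm) for 'user@realm' or 'REALM\\user'.

    A name with neither form (a bare userid) has no realm at all,
    which is exactly what a device that strips the UPN would send.
    """
    if "@" in user_name:
        userid, realm = user_name.rsplit("@", 1)
        return userid, realm.lower() or None
    if "\\" in user_name:
        realm, userid = user_name.split("\\", 1)
        realm = realm.lower()
        return userid, NETBIOS_ALIASES.get(realm, realm) or None
    return user_name, None


def route(user_name: str, default_realm: Optional[str] = None) -> Route:
    """Pick the home server for a request based on the realm in User-Name.

    default_realm is the only fallback available once the realm is gone;
    with several AD domains behind one proxy it cannot be correct for all
    users, which is why a stripped UPN breaks per-domain routing.
    """
    userid, realm = split_realm(user_name)
    if realm is None:
        realm = default_realm
    server = REALMS.get(realm) if realm else None
    return Route(userid, realm, server)


if __name__ == "__main__":
    # Constructed sample User-Name values as a proxy would receive them.
    for name in ("jdoe@domain.eu", "DOMAIN\\jdoe", "jdoe"):
        r = route(name)
        print(f"{name!r:22} -> userid={r.userid!r} realm={r.realm!r} server={r.server!r}")
```

With the UPN intact, "jdoe@domain.eu" goes to the domain.eu server and "DOMAIN\jdoe" to the domain.local server, both as plain "jdoe"; the bare "jdoe" gets no server at all unless a default realm is configured, and a default realm is only right for users of that one domain.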
I was working on trying to solve this issue, thinking that maybe the problem came from the setup of my RADIUS server and that there was no other option than to import everything directly from the AD.
The issue comes from the XG, which removes the UPN and only sends the userid... I can't believe how many people are suffering from this...
Please, if someone finds a workaround for this, share it! And Sophos, please work on it because, as many people have said, it is a big problem for us.
Classic Evolutions commented
It's been 3 years and 101 votes, and still this has not been implemented. Shame on you Sophos.
Danie De Jager commented
It's so big an issue that I will have to stop using Sophos if UPN is not supported!
With our move to 365 we had to add a UPN. Beware, Office 365/UPN admins: XG will make you cry!
Kyle Winfield commented
Synchronized User ID should use or allow for the use of User Principal Name (UPN) instead of sAMAccountName. sAMAccountName is a legacy attribute that hasn't been used since Windows NT. With the implementation of Office 365 our organization was forced to add a UPN suffix in order to federate our identities and most applications now support that and use UPN for login ID. STAS is not a viable alternative as the limitations are well known (logging in with cached credentials, changing network connection type, etc).
Iain Ashley commented
I found that it does not use the UPN at all, just the SAM account name.