Turn on Kerberos authentication
Configure Kerberos authentication in Sophos Firewall.
When you complete this unit, you'll know how to do the following:
- Specify a hostname for Sophos Firewall.
- Configure an Active Directory server.
- Confirm the Active Directory server is the primary service for authentication.
- Turn on AD SSO for the zones requiring Kerberos authentication.
- Turn on Kerberos authentication for Web authentication.
Configure a hostname
Kerberos identifies a service by its principal name, which is built from the host's fully qualified domain name (FQDN), so Sophos Firewall needs an FQDN that clients in the Active Directory domain can resolve.
- Go to Administration > Admin and user settings.
- For Hostname, enter an FQDN. Example:
If you don't set an FQDN hostname during the initial setup of Sophos Firewall, the serial number is used as the hostname by default. A bare serial number is not an FQDN and won't work for Kerberos.
Add an Active Directory server
First, add an Active Directory server, including the search query (the LDAP base DN) the firewall uses to look up users and groups.
You’ll need the following information to complete this task:
- Domain name
- NetBIOS domain
- Active Directory server password
Check the properties of the Active Directory domain to find these values. For example, on Microsoft Windows, open the domain's properties from Windows Administrative Tools.
The search query is the LDAP base distinguished name (DN) derived from the DNS domain name: each label of the domain becomes a dc= component. In this example, the domain name is sophos.com, so the search query is dc=sophos,dc=com.
- Go to Authentication > Servers and click Add.
Specify the settings.
For settings not listed here, use the default value. For Password, use the password of the ADS username account as configured on the Active Directory server.
- Server type: Active directory
- Server name: My_AD_Server
- Server IP/domain: 192.168.1.100
- NetBIOS domain: sophos
- ADS username: administrator
- Password: <AD server password>
- Domain name: sophos.com
- Search queries: dc=sophos,dc=com
Click Test connection to validate the user credentials and check the connection to the server.
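The hostname and Active Directory server settings above can be sanity-checked before they are typed into the firewall. The following script is an added example written for this page, not Sophos code: it rejects a hostname that is not an FQDN (such as the default serial number), derives the search query from the domain name (generalised to multi-label domains like corp.sophos.com), checks the NetBIOS name is a short name, and, when run from an admin workstation, resolves the firewall FQDN and tests TCP reachability of LDAP (389) and Kerberos (88) on the domain controller. The firewall hostname fw.sophos.com is an assumed value, since the page leaves its example blank; the other values are the ones in the settings list above.

```python
"""Pre-flight checks for the Sophos Firewall Kerberos setup (added example, not Sophos code)."""
import re
import socket
from typing import Dict, List, Optional

# RFC 1123 host label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(hostname: str) -> bool:
    """True for a dotted name of valid labels, e.g. fw.sophos.com.

    A factory default such as a bare serial number ("XG230ABC123") has no dots
    and is rejected; that is the case the page warns about.
    """
    labels = hostname.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def base_dn_from_domain(domain: str) -> str:
    """Derive the LDAP base DN used as the firewall's Search query.

    sophos.com -> dc=sophos,dc=com; corp.sophos.com -> dc=corp,dc=sophos,dc=com.
    """
    labels = [label for label in domain.lower().strip(".").split(".") if label]
    if len(labels) < 2:
        raise ValueError(f"not a DNS domain name: {domain!r}")
    return ",".join(f"dc={label}" for label in labels)


def validate_plan(plan: Dict[str, str]) -> List[str]:
    """Return a list of problems with the planned settings (empty list means consistent).

    Keys mirror the page's settings list plus the firewall hostname.
    """
    problems: List[str] = []
    if not is_fqdn(plan["firewall_hostname"]):
        problems.append(f"firewall hostname {plan['firewall_hostname']!r} is not an FQDN; "
                        "Kerberos needs one (the default hostname is the serial number)")
    netbios = plan["netbios_domain"]
    if not netbios or len(netbios) > 15 or "." in netbios:
        problems.append(f"NetBIOS domain {netbios!r} must be the short name, 1-15 characters")
    try:
        expected = base_dn_from_domain(plan["domain_name"])
    except ValueError as exc:
        problems.append(str(exc))
    else:
        if plan["search_query"].replace(" ", "").lower() != expected:
            problems.append(f"search query {plan['search_query']!r} does not match "
                            f"domain {plan['domain_name']!r}; expected {expected}")
    if not plan["password"]:
        problems.append("AD server password is empty")
    return problems


def resolve(name: str) -> Optional[str]:
    """Resolve a name from the machine running this script; None if resolution fails."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP connect test, used here for LDAP (389) and Kerberos (88) on the DC."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed plan mirroring the page's settings list; the firewall FQDN is assumed.
EXAMPLE_PLAN = {
    "firewall_hostname": "fw.sophos.com",
    "server_name": "My_AD_Server",
    "server_ip": "192.168.1.100",
    "netbios_domain": "sophos",
    "ads_username": "administrator",
    "password": "<AD server password>",
    "domain_name": "sophos.com",
    "search_query": "dc=sophos,dc=com",
}

if __name__ == "__main__":
    for line in validate_plan(EXAMPLE_PLAN) or ["settings are consistent"]:
        print(line)
    print("firewall FQDN resolves to:", resolve(EXAMPLE_PLAN["firewall_hostname"]))
    for port, service in ((389, "LDAP"), (88, "Kerberos")):
        state = "open" if tcp_reachable(EXAMPLE_PLAN["server_ip"], port) else "unreachable"
        print(f"{service} tcp/{port} on {EXAMPLE_PLAN['server_ip']}: {state}")
```

The offline checks catch the mismatches that most often make Test connection fail (a base DN that doesn't match the domain, a DNS name typed into the NetBIOS field); the network checks only tell you what the workstation can reach, so a closed port here is a hint, not proof, about what the firewall itself can reach.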
When both Synchronized user ID and STAS are configured, the firewall uses whichever mechanism delivers the sign-in request for a user first.
Set primary authentication method
To query the Active Directory server first, set it as the primary authentication method. When users sign in to the firewall for the first time, they're automatically added as a member of the default group specified.
- Go to Authentication > Services.
- In the authentication server list under Firewall authentication methods, select My_AD_Server.
Move the server to the first position in the list of selected servers.
Go to Authentication > Groups and verify the imported groups.
Turn on AD SSO for LAN zones
Turn on Active Directory authentication for the required zones.
AD SSO must be turned on for a zone before Kerberos or NTLM authentication works for clients in that zone.
- Go to Administration > Device access.
- Use the checkbox to turn on AD SSO for the LAN zone. You can also turn on AD SSO for other zones if required.
- Click Apply.
Turn on Kerberos authentication for Web authentication
With Kerberos & NTLM selected, browsers on domain-joined clients authenticate transparently with Kerberos and can fall back to NTLM when no Kerberos ticket is available.
- Go to Authentication > Web authentication.
- Make sure Kerberos & NTLM is selected under If Active Directory (AD) SSO is configured.
- Click Apply.
Check Kerberos connection
Once Kerberos is configured, use the log viewer to confirm that web requests are being authenticated with it.
- Open the log viewer.
- In the drop-down menu, select the Authentication logs.
- Open a web page in your browser.
- Check that the Log component column shows Kerberos for the web request.
If the column shows NTLM instead, the browser fell back: common causes are clients reaching the firewall by IP address rather than by its FQDN (Kerberos tickets are issued for a name, not an address), the browser not trusting the firewall's FQDN for integrated authentication, and clock skew of more than five minutes between the client, the firewall and the domain controller.