Endpoint computer can't authenticate via NTLM due to the redirection URL

Condition

When attempting to authenticate via Active Directory SSO using NTLM with the HTTP proxy in transparent mode, the NTLM authentication fails. The browser displays a pop-up asking for credentials or directs users to the captive portal.

Cause

Browsers will only automatically send login credentials (single sign-on) if they're sure that the site requesting them is local. So either the site requesting them must be a bare hostname (without the domain, for example, myfirewall), or the browser must trust the requesting site.

By default, Sophos Firewall redirects proxy authentication requests to a URL that contains the firewall's IP address. You must change this so that the redirection URL uses either a bare hostname or an FQDN.

Remedy

  1. Configure a hostname on Sophos Firewall. Go to Administration > Admin and user settings > Hostname.
    1. Enter a Hostname. You must use a fully qualified domain name (FQDN) that matches your organization domain. For example, myfirewall.mycompany.com.
  2. Select a certificate that browsers will automatically trust.
    Note: The self-signed certificate that comes installed on Sophos Firewall doesn't come from a trusted certificate authority and doesn't cover the hostname or FQDN that you've configured. To remove browser warnings about certificates, the certificate must cover the hostname or FQDN that traffic is redirected to.
    1. If you need to install a new certificate that covers the hostname of Sophos Firewall, you can do this under the Certificates menu. For more information, see Install a subordinate certificate authority (CA) for HTTPS inspection.
    2. Under Admin console and end-user interaction > Certificate, select the certificate to use from the drop-down menu.

      The certificate can be one purchased from a public certificate authority, which is automatically trusted by all clients. Alternatively, it can be a certificate issued by an internal certificate authority that the endpoint computers have been configured to trust.

  3. Set the proxy redirection URL.
    1. To use the configured FQDN of Sophos Firewall, go to Administration > Admin and user settings > Admin console and end-user interaction, and select Use the firewall's configured hostname.
    2. To use a different FQDN or a bare hostname, go to Administration > Admin and user settings > Admin console and end-user interaction, select Use a different hostname, and enter the hostname you want to use.
      Note: Make sure the endpoint computer can resolve the Sophos Firewall by the method you select. You may need to add entries to your DNS server.
  4. If you're redirecting using a bare hostname, the browser will see that the requester is local and automatically trust it to perform SSO.
  5. If you're redirecting using an FQDN, configure your browser to trust the FQDN of Sophos Firewall using AD Group Policy. Alternatively, to manually add the FQDN to a browser, follow the steps below.

    For Microsoft Edge and Google Chrome:

    1. Open the Windows Control Panel.
    2. Go to Internet Options > Security > Local Intranet.
    3. Click Sites, and then Advanced.
    4. Type the FQDN into the field Add this website to the zone and click Add.

    For Firefox:

    1. Type about:config into the Firefox address bar and press Enter.
    2. Enter the FQDN into network.automatic-ntlm-auth.trusted-uris.
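The following is an added diagnostic example, not part of this article or of Sophos Firewall itself: given the proxy redirection URL, the subject alternative names on the certificate selected in step 2, and the list of hosts the browser has been told to trust (step 5), it reports whether the redirect target is an IP, a bare hostname or an FQDN, whether SSO can be expected, and whether the certificate covers the host. All URLs, names and SAN lists in it are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Verdict:
    kind: str                 # "ip", "bare" or "fqdn"
    sso_ok: bool              # browser can be expected to send NTLM credentials
    cert_ok: bool             # certificate covers the redirect host
    notes: list = field(default_factory=list)


def host_kind(host: str) -> str:
    """Classify the redirect host the way a browser's SSO decision does."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "bare" if "." not in host else "fqdn"


def san_covers(host: str, sans: list) -> bool:
    """True if an exact or single-label wildcard SAN matches the host."""
    host = host.lower()
    for san in (s.lower() for s in sans):
        if san.startswith("*."):
            suffix = san[1:]                      # ".mycompany.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif san == host:
            return True
    return False


def check_redirect(url: str, sans: list, trusted_uris=()) -> Verdict:
    """Apply the article's conditions to one redirection URL."""
    host = urlsplit(url).hostname or ""
    kind = host_kind(host)
    notes = []
    if kind == "ip":
        sso = False
        notes.append("redirect target is an IP address; browser will not SSO")
    elif kind == "bare":
        sso = True
        notes.append("bare hostname; browser treats it as local and will SSO")
    else:
        sso = host.lower() in {t.lower() for t in trusted_uris}
        if not sso:
            notes.append("FQDN is not in the browser's intranet/trusted list")
    cert = san_covers(host, sans)
    if not cert:
        notes.append("certificate does not cover the redirect host")
    return Verdict(kind, sso, cert, notes)
```

Run `check_redirect` against each candidate redirection URL before rolling out the change; a verdict with `sso_ok` false explains the credential pop-up described under Condition.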