
Synchronized user ID authentication

Synchronized user ID authentication uses the Security Heartbeat to provide user authentication for endpoint users.

Synchronized user ID works with Active Directory (AD) configured as an authentication server in Sophos Firewall and is currently supported for Windows 7 and Windows 10. No agents are required on the server or clients, nor does it share or use any password information. The synchronized user ID doesn't work with other directory services, and it doesn't recognize local users. The synchronized user ID shares the domain user account information from the endpoint device the user is signed in to with Sophos Firewall via Security Heartbeat. Sophos Firewall then checks the user account against the configured AD server and activates the user.

Sophos Endpoint Protection passes Windows sign-in information to Sophos Firewall. Sophos Firewall uses this information to authenticate against AD. This authentication is used to trigger user-based policies and general user authentication on the firewall.

The Sophos Firewall synchronized user identity authentication process is as follows:

  1. Users sign in to Windows using their domain credentials: username, password, and domain name.
  2. The Sophos Firewall heartbeat daemon receives the client's heartbeat status along with the domain name and username. The domain is taken from the User Principal Name (UPN) of the user's AD record, and the username is taken from the sAMAccountName.
  3. Sophos Firewall then selects the correct AD server to serve this sign-in request based on the domain and looks for the username in the Sophos Firewall user database.
  4. The Sophos Firewall heartbeat daemon forwards the user sign-in request to the Active Directory server.
  5. The signed-in user is displayed on the live user page.

If an endpoint's heartbeat is lost or missing, the heartbeat daemon signs the user out of the firewall as a synchronized user ID user. However, other endpoint authentication mechanisms may still apply.

For synchronized user ID authentication to work, the following conditions must be met:

  • A Sophos Central account must be linked to Sophos Firewall.
  • Sophos Firewall must be connected to the domain controller for AD authentication.
  • Users must have the same profile in Sophos Central, on Sophos Firewall, and in AD. For example, in Sophos Central Admin, the user profile must contain the email address used on Sophos Firewall and in AD.
  • For local users on Sophos Firewall, use the same email address as defined in the Sophos Central account.
  • In AD, the domain part of the UPN must exactly match the domain configured for your AD server in Sophos Firewall.

Synchronized user ID authentication is turned on by default. Do the following to turn it off:

  1. Access the Advanced Shell.
  2. Enter the following command to turn the feature off: touch /content/no_userid
  3. Restart the access_server service using this command: service access_server:restart -ds nosync

Warning

This advanced shell command isn't added to backups. You must enter the command again if you restore the backup to a different firewall.

Tip

You can temporarily turn off Synchronized user ID authentication by using the following command: touch /tmp/no_userid

This advanced shell command won't remain after a restart. It isn't added to backups.

To turn Synchronized user ID authentication back on, do the following:

  1. Access the Advanced Shell.
  2. Enter the following command to turn the feature on: rm /content/no_userid
  3. Restart the access_server service using this command: service access_server:restart -ds nosync

Note

If an HA cluster is configured, you must turn Synchronized user ID authentication on or off on both devices of the HA cluster.
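The following POSIX sh helper is an added example, not Sophos code: it reports whether synchronized user ID is currently disabled by either flag file (useful as an audit check, since a stray flag silently stops user-based policies from triggering) and toggles the persistent flag using the exact paths and restart command given above. ROOT and DRY_RUN are assumptions added so the functions can be exercised against a scratch directory; on a firewall leave both unset. Turning the feature on also clears the temporary /tmp flag, which goes slightly beyond the procedure above. Run it on both devices of an HA cluster.

```shell
#!/bin/sh
# Added example (not from the Sophos documentation).
# ROOT (assumption): prefix for the flag-file paths so the functions can be
# tested against a scratch directory. Leave empty on a real firewall.
ROOT="${ROOT:-}"

# Report the effective state of synchronized user ID authentication.
# Either flag file disables it; only the /content one survives a restart.
sync_userid_status() {
    if [ -e "$ROOT/content/no_userid" ]; then
        echo "disabled-persistent"
    elif [ -e "$ROOT/tmp/no_userid" ]; then
        echo "disabled-temporary"
    else
        echo "enabled"
    fi
}

# Restart access_server exactly as the procedure above does.
# DRY_RUN (assumption): when set, only print the command instead of running it.
restart_access_server() {
    if [ -n "$DRY_RUN" ]; then
        echo "dry-run: service access_server:restart -ds nosync"
    else
        service access_server:restart -ds nosync
    fi
}

# Persistently turn the feature "on" or "off", then restart the service.
# "on" also removes the temporary /tmp flag so the feature really is active.
# Returns 2 on a bad argument and does not restart anything in that case.
sync_userid_set() {
    case "$1" in
        off) mkdir -p "$ROOT/content" && touch "$ROOT/content/no_userid" ;;
        on)  rm -f "$ROOT/content/no_userid" "$ROOT/tmp/no_userid" ;;
        *)   echo "usage: sync_userid_set on|off" >&2; return 2 ;;
    esac && restart_access_server
}

# Print the current state when the script is run directly.
sync_userid_status
```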