Channel: Sophos User Bulletin Board

User Portal - AD Login

Hi!

We have a Sophos 120 with UTM 9.002-12.

I want to use SSL-VPN, but the problem starts at the user portal login.

Definitions & Users > Authentication Servers > Servers
I created an AD connection with an AD user who is in the built-in group "Account Operator"
When I test the connection -> OK
Authenticate example user:
  • >User authentication:
  • Authentication test passed.
  • >User is a member of the following groups:
  • VPN_SSL_AD
  • User_Portal_AD
  • Active Directory Users
-> OK

Automatic user creation and Prefetch are off

Definitions & Users > Users & Groups > Groups
I have added Group
  • "User_Portal_AD"
  • Backend
  • Active Directory
  • Limit to backend
  • selected my user group from AD (with the Sophos built-in tool)
  • CN=User_Portal,OU=...,DC=subdomain,DC=domain,DC=local

Management > User Portal
  • Allowed Net: Any
  • Allowed Users: User_Portal_AD

Network settings:
  • Hostname: some name (does this FQDN really have to be reachable?)
  • Listen: Any
  • Port: 443

Now I try to access the User Portal. I enter the username (userPrincipalName); I tried CN too,
but I always get the message: Invalid username/password, or access denied by policy.

In the AUA log it says:
Code:

aua[308]: sys="System" sub="auth" name="Trying x.x.x.xDC-LAN-IP (adirectory)"
aua[308]: sys="System" sub="auth" name="Authentication failed" srcip="x.x.x.x" user="testuser" caller="portal" reason="DENIED"

Since I tried LDAP (I think) I get the message
Code:

aua[3236]: Use of uninitialized value $ref in pattern match (m//) at aua.pl line 752, <DATA> line 466.
sometimes too.

Is there any failure in my config? Any hints?
Do I have to add some firewall rules?

Hope this is the right subforum.

br Bernhard
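
Added example (not part of the original post and not Sophos code): a small parser for the key="value" AUA lines quoted above that tallies failed authentications by user, caller, source IP and reason, and skips lines that are not key="value" records, such as the Perl warning. The sample log is constructed in the post's format, with documentation-range IP addresses standing in for the redacted ones.

```python
import re
from collections import Counter

# Constructed sample in the format of the AUA log lines quoted in the post.
SAMPLE_LOG = '''\
aua[308]: sys="System" sub="auth" name="Trying 192.0.2.10 (adirectory)"
aua[308]: sys="System" sub="auth" name="Authentication failed" srcip="198.51.100.7" user="testuser" caller="portal" reason="DENIED"
aua[3236]: Use of uninitialized value $ref in pattern match (m//) at aua.pl line 752, <DATA> line 466.
aua[311]: sys="System" sub="auth" name="Authentication failed" srcip="198.51.100.7" user="testuser" caller="portal" reason="DENIED"
aua[312]: sys="System" sub="auth" name="Authentication failed" srcip="198.51.100.9" user="other" caller="portal" reason="DENIED"
'''

LINE_RE = re.compile(r'^aua\[(?P<pid>\d+)\]:\s+(?P<body>.*)$')
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_aua_line(line):
    """Return a dict of fields for a key="value" AUA line, or None for
    anything else (for example the Perl warning shown in the post)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(PAIR_RE.findall(m.group("body")))
    if not fields:
        return None
    fields["pid"] = int(m.group("pid"))
    return fields


def failed_logins(log_text):
    """Count failed authentications per (user, caller, srcip, reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_aua_line(line)
        if rec and rec.get("name") == "Authentication failed":
            key = (rec.get("user"), rec.get("caller"),
                   rec.get("srcip"), rec.get("reason"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (user, caller, srcip, reason), n in failed_logins(SAMPLE_LOG).most_common():
        print(f"{n}x user={user} caller={caller} srcip={srcip} reason={reason}")
```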
