Authentication server could not be deleted. Authentication server is used as primary or secondary authentication server – Sophos XG

Sophos XG AD integration problem.

This usually occurs when trying to decommission a DC (domain controller) that is used for authentication in Sophos XG.

You can't remove such a server while any configuration under Services still points to it.


Make sure you add the new AD servers under Authentication first, or skip straight to removal if you are dropping AD authentication altogether.

Step 1: Add the new servers (go to Step 2 if you are removing AD authentication)

Ensure these details are filled in correctly:

Server name: name of the server

Server IP/domain: use the FQDN (recommended; for this your XG must be able to resolve the DC names through DNS)

Connection security: SSL/TLS on port 636 (recommended)

NetBIOS domain: your domain's short name only (do not add .local or any other suffix)

AD username and password used for the sync

Validate certificate: leave ON

Set up the attributes. In this case they are display name, mail, domain name (in .local format) and the main query for the DC's canonical name root.

Test that your DC syncs properly with the “Test connection” button.

Step 2: Remove the old DCs from Services

Make sure you remove the old entries from every authentication method and leave only the running servers.

Remove the entries from the Firewall authentication methods.

Repeat for “User portal authentication methods” (if applicable).

Repeat for IPsec/L2TP/PPTP (if applicable).

Repeat for Administration methods (using AD here is not recommended, for security reasons).


Once everything is set up correctly you will be able to remove the DCs that are no longer used successfully.

