
Configuring AD SSO

This section describes how to configure AD Single Sign On (SSO).

AD SSO (Installing the SSO Program)

Background

The AD SSO program works in two modes:

  • Receiving messages from PCs: You need to deploy the AD SSO program on the AD monitor (which can be any computer in the AD domain, including the AD controller). The AD monitor receives login/logout messages from users and sends them to the FW. Configure login and logout scripts on the AD controller and use a group policy to deliver the scripts to clients. The clients must execute the login and logout scripts upon user login and logout, respectively, and send the login and logout information to the AD monitor.
  • Querying the security logs of the AD server (AD domain controller): You need to deploy the AD SSO program on the AD monitor (which can be any computer in the AD domain, including the AD controller). The AD monitor queries the security logs of the AD server to obtain user login messages.

If the packets exchanged between the user and the AD server, between the user and the AD monitor, and between the AD monitor and the AD server pass through the FW, ensure that the authentication policy on the FW does not authenticate these packets and the security policy allows them through.

If a user is authenticated by the AD domain controller and the user information exists on the FW, the FW still verifies user attributes, such as the user status, expiration time, IP address binding, and whether users are allowed to share this account. Only the user who succeeds in the attribute verification can access network resources. For example, a user who is locked out cannot access network resources within the lockout duration even if the user is authenticated by the AD domain controller.

AD SSO does not apply to user names that contain a dollar sign ($).

Procedure

  • Configure the FW.
    1. Choose Object > User > a specific authentication domain and set Internet Access Authentication Mode to SSO authentication.
    2. In SSO Settings, select the check box of AD SSO.
    3. Set the mode for obtaining login information to By installing the AD SSO program.
    4. Optional: Select Enable in Enhanced Encryption to enable AES128 encryption algorithm.

      Enhanced Encryption indicates that the AES128 encryption algorithm is used for communication between the device and the AD monitor. The key used for encryption is dynamically calculated from the configured shared key, which enhances security. If this parameter is not configured, the 3DES encryption algorithm is used and the configured shared key itself is used for encryption.

      To use an enhanced encryption algorithm, ensure that the AD SSO service program supports the enhanced encryption algorithm.

    5. Set the shared key to encrypt packets for communication between the FW and AD monitor.

      The shared key must be the same as that specified when you install the AD SSO service on the AD monitor.

      The shared key cannot contain any question marks (?).

    6. Configure a listening port for the FW to receive the login and logout messages.

      The listening port must be the same as that specified when you install the AD SSO service on the AD monitor.

    7. Optional: Configure AD SSO information synchronization. For details, see Managing Online Users.
  • Configure the AD monitor and AD domain controller.

    The configuration varies according to the working mode of the AD SSO program:

    1. Visit Huawei technical support website to download an AD SSO program package, and decompress the package. Then install ADSSO_Setup.exe on the AD monitor and set the parameters of an AD SSO service.

      The configured parameters are saved in the config.ini file (in the AD SSO folder) under the installation path.

      If ADSSO_Setup.exe of an earlier version has been installed on the AD monitor, back up the config.ini file in the installation path first and then uninstall this ADSSO_Setup.exe of an earlier version. After you install ADSSO_Setup.exe of a later version, overwrite the new config.ini file with the one that you have backed up to save the trouble of configuring AD SSO parameters again.

    2. Configure the AD domain controller (for the mode of querying security logs).

      • Ensure that the Windows Management Instrumentation (WMI) and Remote Procedure Call (RPC) services have been enabled on the AD controller and TCP port 445 has been opened.
      • During the group policy configuration, enable Audit logon events and Audit account logon events so that the AD controller can record user login security logs.

    3. Configure the AD domain controller (for the mode of receiving messages from PCs).

      Configure group policies on the AD domain controller, set the login and logout scripts (Logon.exe and Logoff.exe), and add the ReportLogin.exe script to both scripts. You can obtain the ReportLogin.exe file from the Script folder in the installation directory of the AD SSO service on the AD monitor.

      If you uninstall ADSSO_Setup.exe of an earlier version from the AD monitor and then install one of a later version, obtain the new ReportLogin.exe script and use it to replace the original one on the AD domain controller. Replace the ReportLogin.exe scripts in both the Logon.exe and Logoff.exe scripts.
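The following is an added example, not part of the Huawei AD SSO package or its documentation: a PowerShell check, run in an elevated session on the AD domain controller, for the security-log mode prerequisites listed in step 2 (WMI and RPC services, TCP port 445, and the two audit policies). The event ID 4624 (successful logon) and the property offsets are standard Windows Security log values; the filter on names ending in `$` reflects the note above that AD SSO does not handle such user names.

```powershell
# Added example (not from the AD SSO package): verify the prerequisites that the
# security-log query mode needs on the AD domain controller.

# 1. The WMI (Winmgmt) and RPC (RpcSs) services must be running so that the
#    AD monitor can query the Security log remotely.
foreach ($svc in 'Winmgmt', 'RpcSs') {
    $s = Get-Service -Name $svc
    '{0,-8} {1}' -f $svc, $s.Status
}

# 2. TCP port 445 must be listening and allowed by an enabled inbound firewall rule.
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
'TCP 445 listening: {0}' -f [bool]$listening
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Action
# From the AD monitor itself, the equivalent reachability test is:
#   Test-NetConnection -ComputerName <dc-hostname> -Port 445

# 3. Both 'Audit logon events' (Logon/Logoff) and 'Audit account logon events'
#    (Account Logon) must record success events.
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Account Logon"
# If either shows 'No Auditing', enable success auditing (or set it via the
# group policy the page refers to):
#   auditpol /set /category:"Logon/Logoff" /success:enable
#   auditpol /set /category:"Account Logon" /success:enable

# 4. Confirm that logon events actually reach the Security log. Event 4624 is the
#    successful-logon event; property 5 is TargetUserName and property 18 is
#    IpAddress. Machine accounts end in '$' and are excluded, since AD SSO does
#    not apply to user names containing a dollar sign.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 50 |
    Where-Object { $_.Properties[5].Value -notlike '*$' } |
    Select-Object -First 5 TimeCreated,
        @{ n = 'User'; e = { $_.Properties[5].Value } },
        @{ n = 'IP';   e = { $_.Properties[18].Value } }
```

If step 4 returns no rows after a test logon, the audit policy is not in effect on this controller and the AD monitor will see no login messages.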

AD SSO (the FW Monitors AD Authentication Packets)

Background

In this mode, the program does not need to be installed on the AD server. The FW listens to the authentication packets sent by users who log in to the AD server (AD domain controller) to obtain authentication results. If a user is authenticated, the FW adds the mapping between the user name and the user's IP address to the online user list.

In this mode, the FW cannot obtain user logout messages. Users go offline only when their connections time out.

If a FW is deployed between the users and the AD domain controller, authentication packets must pass through the FW. To apply the SSO function, ensure that the authentication policy on the FW does not authenticate the data flow. In addition, the authentication packets must pass the security check of the security policy of the FW. Therefore, the administrator needs to configure the following security policy on the FW:

  • Source Zone: indicates the security zone where the PC resides.

  • Destination Zone: indicates the security zone where the AD server resides.

  • Destination Address: indicates the IP address of the AD server.

  • Action: permit.

If a user is authenticated by the AD domain controller and the user information exists on the FW, the FW still verifies user attributes, such as the user status, expiration time, IP address binding, and whether users are allowed to share this account. Only the user who succeeds in the attribute verification can access network resources. For example, a user who is locked out cannot access network resources within the lockout duration even if the user is authenticated by the AD domain controller.

AD SSO does not apply to user names that contain a dollar sign ($).

Procedure

  1. Choose Object > User > a specific authentication domain and set Internet Access Authentication Mode to SSO authentication.
  2. In SSO Settings, select the check box of AD SSO.
  3. Set the mode for obtaining login information to By listening to the AD server.
  4. Optional: If authentication packets from users to the AD server do not pass through the FW, select Receive a copy of authentication packets and specify a mirroring port.

    The mirroring port must be an independent Layer-2 port and cannot be used for other services.

    The management port (MEth 0/0/0 or GigabitEthernet 0/0/0) cannot receive mirrored packets.

    The Receiving Interface drop-down list displays only Layer-2 ports. If no Layer-2 port is available, choose Network > Interface to switch a Layer-3 interface into a Layer-2 one as the mirroring port.

    If Receive a copy of authentication packets is selected and a mirroring interface is specified on the FW, the interface parses only AD authentication packets and discards other packets. When both authentication packets and service packets are mirrored by the switch to the FW deployed in bypass mode, do not perform this step.

  5. Specify the IP address and port of the AD server to be listened to.

    The port must be the one used by the AD server. Usually, an AD server uses UDP port 88 to send AD authentication results. Therefore, set the parameter value to AD-server-address:88.

  6. Optional: Configure AD SSO information synchronization. For details, see Managing Online Users.
Copyright © Huawei Technologies Co., Ltd.