
Configuring AD SSO

This section describes how to configure AD Single Sign-On (SSO).

AD SSO (Installing the SSO Program)

Background

The AD SSO program works in two modes:

  • Receiving messages from PCs: You need to deploy the AD SSO program on the AD monitor (which can be any computer in the AD domain, including the AD controller). The AD monitor receives login/logout messages from users and sends them to the FW. Configure login and logout scripts on the AD controller and use a group policy to deliver the scripts to clients. The clients must execute the login and logout scripts upon user login and logout, respectively, and send the login and logout information to the AD monitor.
  • Querying the security logs of the AD server (AD domain controller): You need to deploy the AD SSO program on the AD monitor (which can be any computer in the AD domain, including the AD controller). The AD monitor queries the security logs of the AD server to obtain user login messages.

If the packets exchanged between the user and the AD server, between the user and the AD monitor, and between the AD monitor and the AD server pass through the FW, ensure that the authentication policy on the FW does not authenticate these packets and the security policy allows them through.

If a user is authenticated by the AD domain controller and the user information exists on the FW, the FW still verifies user attributes, such as the user status, expiration time, IP address binding, and whether users are allowed to share this account. Only the user who succeeds in the attribute verification can access network resources. For example, a user who is locked out cannot access network resources within the lockout duration even if the user is authenticated by the AD domain controller.

AD SSO does not apply to user names that contain a dollar sign ($).

Procedure

  • Configure the AD monitor and AD domain controller.

    The configuration varies according to the working mode of the AD SSO program:

    1. Visit the Huawei technical support website to download an AD SSO program package, and decompress the package.
    2. Install ADSSO_Setup.exe on the AD monitor and set the parameters of an AD SSO service.

      The configured parameters are saved in the config.ini file (in the AD SSO folder) under the installation path.

      If ADSSO_Setup.exe of an earlier version has been installed on the AD monitor, back up the config.ini file in the installation path first and then uninstall this ADSSO_Setup.exe of an earlier version. After you install ADSSO_Setup.exe of a later version, overwrite the new config.ini file with the one that you have backed up to save the trouble of configuring AD SSO parameters again.

    3. Configure the AD domain controller (for the mode of querying security logs).

      • Ensure that the Windows Management Instrumentation (WMI) and Remote Procedure Call (RPC) services have been enabled on the AD controller and TCP port 445 has been opened.
      • During the group policy configuration, enable Audit logon events and Audit account logon events so that the AD controller can record user login security logs.

    4. Configure the AD domain controller (for the mode of receiving messages from PCs).

      Configure group policies on the AD domain controller, set the login and logout scripts (Logon.exe and Logoff.exe), and add the ReportLogin.exe script to both scripts. You can obtain the ReportLogin.exe file from the Script folder in the installation directory of the AD SSO service on the AD monitor. For details, see Web: Example for Configuring AD SSO for Internet Access Users (Install ADSSO_Setup.exe to receive messages from PCs).

      If you uninstall ADSSO_Setup.exe of an earlier version from the AD monitor and then install one of a later version, obtain the new ReportLogin.exe script and use it to replace the original one on the AD domain controller. Replace the ReportLogin.exe scripts in both the Logon.exe and Logoff.exe scripts.

  • Configure the FW.
    1. Access the AD SSO view from the system view.

      user-manage single-sign-on ad

    2. Optional: Set the AD SSO mode to installing the AD SSO service program.

      mode plug-in

      This mode (installing the AD SSO service program) is used by default.

    3. Configure a listening port for the FW to receive the login and logout messages.

      plug-in port port-number

      The listening port must be the same as that specified when you install the AD SSO service on the AD monitor.

    4. Configure a shared key used to encrypt packets during the communication between the FW and AD monitor.

      plug-in [ enhanced ] shared-key shared-key

      The shared key must be the same as that specified when you install the AD SSO service on the AD monitor.

      The shared key cannot contain any question marks (?).

      enhanced indicates that the AES128 encryption algorithm is used for communication between the device and the AD monitor. The key used for encryption is dynamically calculated from the configured shared key, enhancing security. If this parameter is not configured, the 3DES encryption algorithm is used, and the configured shared key itself is used for encryption.

      To use an enhanced encryption algorithm, ensure that the AD SSO service program supports the enhanced encryption algorithm.

    5. Enable AD SSO.

      enable

    6. Optional: Configure AD SSO information synchronization. For details, see Configuring Online User Information Synchronization.
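The prerequisites in step 3 of "Configure the AD monitor and AD domain controller" (WMI and RPC services running, TCP port 445 open, and the Audit logon events / Audit account logon events policies enabled) can be verified on the domain controller before the AD SSO service is pointed at it. The following pre-flight check is an added example written for this page; it is not part of the Huawei documentation or the AD SSO program. It assumes Windows Server 2012 or later (for the NetSecurity and NetTCPIP cmdlets), an elevated session on the AD controller, and treats the Logon, Logoff, Credential Validation and Kerberos Authentication Service audit subcategories as the ones that matter, which is this example's choice rather than something the page states.

```powershell
# Added example (not from the Huawei page or the AD SSO program): pre-flight check
# on the AD domain controller for the "querying security logs" mode.
# Run in an elevated PowerShell session on the AD controller.
# Assumption: Windows Server 2012+ so that Get-NetTCPConnection and the
# Get-NetFirewall* cmdlets are available.

function Test-AdSsoDcPrerequisites {
    $issues = @()

    # 1. The page requires the WMI (Winmgmt) and RPC (RpcSs) services on the AD controller.
    foreach ($name in 'Winmgmt', 'RpcSs') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') {
            $issues += "service $name is not running"
        }
    }

    # 2. TCP 445 must be listening and allowed inbound through the host firewall.
    if (-not (Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)) {
        $issues += 'nothing is listening on TCP 445'
    }
    $allow445 = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    if (-not $allow445) {
        $issues += 'no enabled inbound firewall rule allows TCP 445 (port ranges are not matched here)'
    }

    # 3. Audit policy. The legacy "Audit logon events" and "Audit account logon events"
    #    settings correspond to the Logon/Logoff and Account Logon categories of auditpol.
    #    The subcategories checked below are this example's choice (assumption).
    $required = @{
        'Logon/Logoff'  = @('Logon', 'Logoff')
        'Account Logon' = @('Credential Validation', 'Kerberos Authentication Service')
    }
    foreach ($category in $required.Keys) {
        # auditpol /r emits CSV; drop blank lines before parsing.
        $rows = auditpol /get /category:"$category" /r | Where-Object { $_ } | ConvertFrom-Csv
        foreach ($sub in $required[$category]) {
            $row = $rows | Where-Object { $_.Subcategory -eq $sub }
            if (-not $row -or $row.'Inclusion Setting' -notmatch 'Success') {
                $issues += "audit subcategory '$sub' ($category) does not record Success events"
            }
        }
    }

    # 4. Evidence that logons are actually landing in the Security log: at least one
    #    recent 4624 (successful logon) event should exist.
    $recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $recent) {
        $issues += 'no 4624 logon events found in the Security log'
    }

    if ($issues.Count -eq 0) {
        Write-Output 'OK: AD SSO security-log prerequisites are met on this domain controller'
    } else {
        $issues | ForEach-Object { Write-Output "ISSUE: $_" }
    }
    return ($issues.Count -eq 0)
}

Test-AdSsoDcPrerequisites
```

The script checks the host side only. Reachability from the AD monitor is a separate check: on the monitor, `Test-NetConnection -ComputerName <dc-hostname> -Port 445` confirms that nothing between the two hosts blocks the port, which matters when the FW sits on that path (see the note above about the security policy permitting AD monitor to AD server traffic). Machine accounts never appear in the online user list because their names end with a dollar sign, which the page excludes from AD SSO.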

AD SSO (the FW Monitors AD Authentication Packets)

Background

In this mode, the program does not need to be installed on the AD server. The FW listens to the authentication packets sent by users who log in to the AD server (AD domain controller) to obtain authentication results. If a user is authenticated, the FW adds the mapping between the user name and the user's IP address to the online user list.

In this mode, the FW cannot obtain user logout messages. Users go offline only when their connections time out.

If a FW is deployed between the users and the AD domain controller, authentication packets must pass through the FW. To apply the SSO function, ensure that the authentication policy on the FW does not authenticate the data flow. In addition, the authentication packets must pass the security check of the security policy of the FW. Therefore, the administrator needs to configure the following security policy on the FW:

  • Source Zone: indicates the security zone where the PC resides.

  • Destination Zone: indicates the security zone where the AD server resides.

  • Destination Address: indicates the IP address of the AD server.

  • Action: permit.

If a user is authenticated by the AD domain controller and the user information exists on the FW, the FW still verifies user attributes, such as the user status, expiration time, IP address binding, and whether users are allowed to share this account. Only the user who succeeds in the attribute verification can access network resources. For example, a user who is locked out cannot access network resources within the lockout duration even if the user is authenticated by the AD domain controller.

AD SSO does not apply to user names that contain a dollar sign ($).

Procedure

  1. Access the AD SSO view from the system view.

    user-manage single-sign-on ad

  2. Set the AD SSO mode to monitoring AD authentication packets.

    mode no-plug-in

  3. Specify the IP address and port of the AD server to be listened to.

    no-plug-in traffic server-ip ipv4-address port port-number

    The port must be the one used by the AD server. Usually, an AD server uses UDP port 88 to send AD authentication results. Therefore, set the port value to 88.

  4. Optional: If authentication packets from users to the AD server do not pass through the FW, configure a port to receive mirrored authentication packets.

    no-plug-in interface interface-type interface-number

    The mirroring port must be an independent Layer-2 port and cannot be used for other services. If no Layer-2 port is available, run the portswitch command to switch a Layer-3 interface to a Layer-2 one.

    The management port (MEth 0/0/0 or GigabitEthernet 0/0/0) cannot receive mirrored packets.

    If a mirroring interface is specified on the FW, the interface parses only AD authentication packets and discards all other packets. When the switch mirrors both authentication packets and service packets to an FW deployed in bypass mode, do not perform this step.

  5. Enable AD SSO.

    enable

  6. Optional: Configure AD SSO information synchronization. For details, see Configuring Online User Information Synchronization.
Copyright © Huawei Technologies Co., Ltd.