Stormshield SN series - Page 49
authenticated with the KDC to open his Windows session, for example, it is still necessary to re-authenticate with this server even if the connection information is the same, in order to pass through the Firewall.
After having selected your authentication method from the left column, you may enter information about it in the right column, which sets out the following elements:

Domain name (FQDN): Domain name assigned to the Active Directory server for the Kerberos authentication method. Defining this domain name allows masking the server's IP address and simplifies the search for it. Example: in www.company.com, company.com represents the domain name, which is more legible than its corresponding IP address, 91.212.116.100.

Access to the server
  Server: IP address of the server for the Kerberos authentication method (Active Directory, for example).
  Port: Port used by the server. By default, port 88 / UDP, named Kerberos_udp, is selected.

Backup server
  Server: Backup IP address of the Active Directory server for the Kerberos authentication method.
  Port: Port used by the backup server if the main server is no longer available. By default, port 88 / UDP, named Kerberos_udp, is selected.
Transparent authentication (SPNEGO)

The SPNEGO method enables Single Sign On to function in web authentication with an external Kerberos authentication server. This means that a user who connects to his domain via a Kerberos-based solution would be automatically authenticated on a Stormshield Network Firewall when he accesses the internet (requiring authentication in the filter policy on the Firewall) with a web browser (Internet Explorer, Firefox, Mozilla).
In order to implement this method, you must first execute the KEYTAB generation script spnego.bat on the domain controller. This script is available in your secure area, in the Knowledge Base (article "Where can I find the last version of the 'spnego.bat' script?").
REMARK
The parameters requested when the script is executed are case-sensitive and must be strictly followed, as they cannot be modified later. In the event of an error, a backup of the domain controller has to be restored in order to continue with the installation.
For firewalls that have not been configured in high availability, it is advisable to indicate the serial number of the firewall instead of its name to identify it (this name corresponds to the name indicated in the Stormshield Network script that comes with the installation hardware). The Service name will be the serial number preceded by "HTTP/". Example: HTTP/U70XXAZ0000000

For firewalls in high availability, since the identifier has to be the same for both appliances, you are advised to use the name of the authentication portal's certificate (CN) entered in the Captive portal tab in the Authentication module.
SPNEGO can be configured on the firewall with the options explained below:

Service name: This field represents the name of the Kerberos service used by the firewall, obtained after the spnego.bat script has been executed.

Domain name: Kerberos server's domain name. This domain name corresponds to the full name of the Active Directory domain. It has to be entered in uppercase.
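Because the spnego.bat parameters cannot be corrected once the script has run, it is worth checking the Kerberos and SPNEGO settings described above before committing them. The following validator is an added example, not Stormshield's code: it encodes the constraints this page states (domain given as an FQDN, server IP with port 88/UDP by default, optional backup server, service name of the form HTTP/<identifier> built from the serial number or, in high availability, the portal certificate CN, and a Kerberos domain entered in uppercase). The dataclass field names, the backup address 91.212.116.101 and the cross-check that the SPNEGO domain equals the Kerberos FQDN are assumptions made for illustration, not the firewall's own configuration keys or rules.

```python
"""Pre-commit validator for Kerberos / SPNEGO authentication settings.

Added example, not Stormshield's code. Field names are assumptions for
illustration, not the firewall's configuration keys.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Hostname labels of RFC 1123 shape; case-insensitive so COMPANY.COM also matches.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)
DEFAULT_KERBEROS_PORT = 88  # the manual's "Kerberos_udp" default


@dataclass
class KerberosServer:
    ip: str
    port: int = DEFAULT_KERBEROS_PORT


@dataclass
class SpnegoConfig:
    service_name: str          # e.g. HTTP/U70XXAZ0000000 (the page's example)
    domain_name: str           # full AD domain name, must be uppercase
    high_availability: bool
    firewall_serial: str = ""  # identifier used when not in HA
    portal_cn: str = ""        # captive portal certificate CN, used in HA


@dataclass
class KerberosAuthConfig:
    domain_fqdn: str
    server: KerberosServer
    backup: Optional[KerberosServer] = None
    spnego: Optional[SpnegoConfig] = None


def _check_server(label: str, srv: KerberosServer, errors: List[str]) -> None:
    try:
        ipaddress.ip_address(srv.ip)
    except ValueError:
        errors.append(f"{label}: '{srv.ip}' is not a valid IP address")
    if not 1 <= srv.port <= 65535:
        errors.append(f"{label}: port {srv.port} is out of range")


def validate(cfg: KerberosAuthConfig) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    errors: List[str] = []
    if not FQDN_RE.match(cfg.domain_fqdn):
        errors.append(f"domain name '{cfg.domain_fqdn}' is not a valid FQDN")
    _check_server("server", cfg.server, errors)
    if cfg.backup is not None:
        _check_server("backup server", cfg.backup, errors)
        if (cfg.backup.ip, cfg.backup.port) == (cfg.server.ip, cfg.server.port):
            errors.append("backup server is identical to the main server")
    if cfg.spnego is not None:
        sp = cfg.spnego
        # The script's parameters are case-sensitive, so compare exactly.
        if not sp.service_name.startswith("HTTP/"):
            errors.append("SPNEGO service name must start with 'HTTP/'")
        expected_id = sp.portal_cn if sp.high_availability else sp.firewall_serial
        mode = "portal certificate CN (HA)" if sp.high_availability else "firewall serial number"
        if not expected_id:
            errors.append(f"SPNEGO: missing {mode} to build the service name")
        elif sp.service_name != "HTTP/" + expected_id:
            errors.append(f"SPNEGO service name should be 'HTTP/{expected_id}' ({mode})")
        if sp.domain_name != sp.domain_name.upper():
            errors.append("SPNEGO domain name must be entered in uppercase")
        # Assumption: the SPNEGO domain is the same AD domain as the Kerberos FQDN.
        if sp.domain_name.upper() != cfg.domain_fqdn.upper():
            errors.append("SPNEGO domain name does not match the Kerberos domain FQDN")
    return errors


# Constructed sample settings; the backup address is made up for the example.
SAMPLE_OK = KerberosAuthConfig(
    domain_fqdn="company.com",
    server=KerberosServer("91.212.116.100"),
    backup=KerberosServer("91.212.116.101"),
    spnego=SpnegoConfig(
        service_name="HTTP/U70XXAZ0000000",
        domain_name="COMPANY.COM",
        high_availability=False,
        firewall_serial="U70XXAZ0000000",
    ),
)

# Constructed mistakes: port 0, lowercase realm, and a non-HA firewall using a name
# instead of its serial number in the service name.
SAMPLE_BAD = KerberosAuthConfig(
    domain_fqdn="company.com",
    server=KerberosServer("91.212.116.100", port=0),
    spnego=SpnegoConfig(
        service_name="HTTP/fw-paris",
        domain_name="company.com",
        high_availability=False,
        firewall_serial="U70XXAZ0000000",
    ),
)

if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, validate(cfg) or "no problems found")
```

Run it as-is to see the two sample verdicts; `validate()` returns all findings at once rather than stopping at the first, so every parameter can be corrected before the irreversible script run.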
Page 49/448 sns-en-user_configuration_manual-v3 - Copyright © Stormshield 2016
SNS - USER CONFIGURATION MANUAL V.3
AUTHENTICATION