
AD SSO operations

Hi, I’m struggling to find documentation about how Active Directory SSO operates (as opposed to how to set it up). The kind of questions I have are…

  • Is the initial browser authentication transparent, or does the captive portal appear for login?
  • Once the user is added to the firewall, will further browser authentications be transparent, or will the captive portal appear again?
  • Once a user is authenticated via the browser, does this apply to all firewall rules & logging or just browsing?
  • How long does the user remain authenticated against their IP address?
  • What happens when the user logs out?
  • Does it work over RDP?

That will do for starters Blush

Thanks

Added TAGs
[edited by: Erick Jan at 12:55 AM (GMT -7) on 22 Oct 2024]
  • You don't come across this very often, but I've some experience of it (albeit only once or twice and not recently).

    If you set it up correctly, the browser session is authenticated in the background and the user doesn't see anything. A live user just pops up on the XG.

    There's a timeout of (by default) six minutes after which the browser authenticates automatically - there's no user input. I see no reason why, when there's an authenticated user on that IP, all traffic (firewall, filtering etc.) would not apply - it does normally. If the user logs out then there will be a delay whilst the timeout occurs and they drop. When a new user logs in and opens a browser I'm pretty sure the old user gets overwritten straight away. Six minutes is the smallest timeout value.

    If you RDP into something and log in, then yes, I would expect it will work, but if there is more than one person on that device you need to set up per-connection SSO or things get very messy as users overwrite each other.

    I do recall it can be painful to set up, and any issues are difficult to troubleshoot (all that background stuff is hard to see).

    Regards

  • Hi carbon15, thanks for the very helpful info. I'm slightly concerned that you say it's not used much and can be painful. Transparent browser authentication seems to work faultlessly on our UTM.

  • 99% of our installations use STAS; the only time I've used Kerbs SSO in recent years is in conjunction with Mac devices - I guess other people's mileage may vary.

    In the olden days of the UTM it was all NTLM, which tended to work OK, but if you have an issue there's a lot hidden in the background (PC direct to AD etc.) which is painful to troubleshoot. Plus it's only when the user fires up their browser that they are authenticated - with STAS it's the whole device as soon as they log in, which we find preferable.

    Regards

  • I was avoiding STAS as there seem to be too many opportunities for it to stop working one morning, e.g. forgetting to add exceptions for new services or MS patches throwing a spanner in the works on the DCs. Also we use a lot of RDP, which isn't supported.
