
AD SSO operations

Hi, I’m struggling to find documentation about how Active Directory SSO operates (as opposed to how to set it up). The kind of questions I have are…

  • Is the initial browser authentication transparent, or does the captive portal appear for login?
  • Once the user is added to the firewall, will further browser authentications be transparent, or will the captive portal appear again?
  • Once a user is authenticated via the browser, does this apply to all firewall rules & logging or just browsing?
  • How long does the user remain authenticated against their IP address?
  • What happens when the user logs out?
  • Does it work over RDP?

That will do for starters.

Thanks

[edited by: Erick Jan at 12:55 AM (GMT -7) on 22 Oct 2024]
  • You don't come across this very often, but I've some experience of it (albeit only once or twice and not recently).

    If you set it up correctly, the browser session is authenticated in the background and the user doesn't see anything. A live user just pops up on the XG.

    There's a timeout of (by default) six minutes after which the browser authenticates automatically - there's no user input. I see no reason why, when there's an authenticated user on that IP, all traffic (firewall, filtering etc) would not apply - it does normally. If the user logs out then there will be a delay whilst the timeout occurs and they drop. When a new user logs in and opens a browser I'm pretty sure the old user gets overwritten straight away. Six minutes is the smallest timeout value.

    If you RDP into something and log in, then yes, I would expect it will work, but if there is more than one person on that device you need to set up per-connection SSO or things get very messy as users overwrite each other.

    I do recall it can be painful to set up, and any issues are difficult to troubleshoot (all that background stuff is hard to see).

    Regards

  • As far as we can say from the experience of a lot of customer projects: AD SSO with browser authentication is a pain on XGS (a disaster compared to UTM)! We always had support cases, and there were always other root causes and issues and never a satisfactory solution with support... We wasted hours here! It never works 100% for all users all the time. If you need authentication with SFOS you have to use STAS, InterceptX-Client or captive portal. There could also be some issues with STAS, but you can change some settings there and this works. BUT: for RDP/terminal servers a session user auth is generally NOT possible!

    regards

  • Hi Steve, thanks for sharing your experiences. Not very encouraging... I've seen a post saying you can work around the STAS RDP issue if you forgo using WMI polling for log-off detection and use Registry Read Access instead. Is this something you're aware of? My other main concern about STAS is the need to maintain the exclusion list. Do you know if it's possible to explicitly include the required users instead?

  • Yes, we already changed the polling method - this solves issues if a user does RDP to another internal server... (local auth gets lost) but this did not change anything with user-based RDP session auth for terminal servers... (You will need an extra firewall rule without user auth for terminal servers). We did not have any issues with the exclusion list so far (this may depend on the customer infrastructure) - if you need an exclusion for users (without auth) you should do that with an IP-based extra firewall rule before the main rule...

    regards
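The two replies above describe the core risk of IP-based SSO: the firewall keeps one user per IP, a newer login overwrites the older one, and the mapping lapses after a (default six-minute) timeout, which is why shared hosts such as terminal servers need a separate rule. The following is an added example, not code from the thread or from Sophos, that models that mapping over constructed sample login events and flags IPs where one user overwrote another while still live; the log line format, the IP addresses and usernames are all invented for the example, and the six-minute value is treated here as an idle expiry for the mapping.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real firewall logs): "timestamp ip user",
# one line per browser-SSO login the firewall would record.
SAMPLE_EVENTS = """\
2024-10-22T08:00:00 10.1.1.20 alice
2024-10-22T08:02:00 10.1.1.30 bob
2024-10-22T08:03:00 10.1.1.30 carol
2024-10-22T08:04:30 10.1.1.30 dave
2024-10-22T08:15:00 10.1.1.20 alice
2024-10-22T08:20:00 10.1.1.40 erin
2024-10-22T08:40:00 10.1.1.40 frank
"""

IDLE_TIMEOUT = timedelta(minutes=6)  # default mentioned in the thread (assumed idle expiry)


def parse_events(text):
    """Parse the constructed log format into sorted (timestamp, ip, user) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user = line.split()
            events.append((datetime.fromisoformat(ts), ip, user))
    return sorted(events)


def find_shared_hosts(events, timeout=IDLE_TIMEOUT):
    """Return {ip: set(users)} for IPs where a different user logged in before the
    previous mapping would have expired, i.e. the earlier user was overwritten
    while still live. Such hosts should not rely on IP-based identity."""
    last_seen = {}  # ip -> (timestamp, user)
    overwritten = defaultdict(set)
    for ts, ip, user in events:
        if ip in last_seen:
            prev_ts, prev_user = last_seen[ip]
            if prev_user != user and ts - prev_ts < timeout:
                overwritten[ip].update({prev_user, user})
        last_seen[ip] = (ts, user)
    return dict(overwritten)


def live_users(events, at_iso, timeout=IDLE_TIMEOUT):
    """IP -> user mapping still valid at the given ISO timestamp: the latest login
    per IP that has not idled past the timeout; later logins overwrite earlier ones."""
    at = datetime.fromisoformat(at_iso)
    latest = {}
    for ts, ip, user in events:
        if ts <= at:
            latest[ip] = (ts, user)
    return {ip: user for ip, (ts, user) in latest.items() if at - ts < timeout}
```

With the sample data, 10.1.1.30 is flagged as a shared host (three users within six minutes), while 10.1.1.40 is not because the second login arrives after the first mapping has expired.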

  • Great, that sounds hopeful - we just use single-user RDP sessions. Is there documentation for the setup needed for registry polling? Everything seems to assume WMI.
