You are here: Webhelp 5.5R7 > Authentication > Single Sign-On

Single Sign-On

Once a user has authenticated successfully, the system obtains the user's authentication information, and the user can then access the Internet without authenticating again.

SSO can be implemented through any of the following methods. They are independent of each other, and each achieves "no-sign-on" authentication (the user does not need to enter a user name and password).

Method (software or script to install): Description

  • SSO Radius (none): After the SSO Radius function is enabled, the system can receive accounting packets based on the standard RADIUS protocol. From these packets the system obtains user authentication information, updates online user information, and manages user login and logout.
  • AD Scripting (Logonscript.exe): This method requires installing the script "Logonscript.exe" on the AD server. When triggered, the script sends user information to StoneOS. This method is recommended if you need high accuracy for statistical monitoring and do not mind modifying the AD server.
  • AD Polling (none): After the AD Polling function is enabled, the system regularly queries the AD server to obtain login user information and probes the terminal PCs to verify whether the users are still online, thus obtaining correct authentication user information to achieve SSO. This method is recommended if you do not want to modify the AD server.
  • SSO Monitor (none): After SSO Monitor is enabled, StoneOS connects to the third-party authentication server through the SSO-Monitor protocol and obtains each user's online status and the group the user belongs to. The system also updates the user name to IP address mapping of online users in real time.
  • AD Agent (AD Security Agent): This method requires installing the AD Security Agent software on the AD server or on another PC in the domain. The software sends user information to StoneOS. This method is recommended if you do not want to modify the AD server.

Enabling SSO Radius for SSO

After the SSO Radius function is enabled, the system can receive accounting packets based on the standard RADIUS protocol. From these packets the system obtains user authentication information, updates online user information, and manages user login and logout.

To configure the SSO Radius function, take the following steps:

  1. Click Object > SSO Server > SSO Radius to enter the SSO Radius page. By default, SSO Radius is disabled.
  2. Select the Enable check box to enable the SSO Radius function.
  3. Specify the Port on which StoneOS receives RADIUS packets (do not configure the port in a non-root VSYS). The range is 1024 to 65535. The default port number is 1813.
  4. Specify the AAA Server that the user belongs to. You can select a configured Local, AD or LDAP server. After the AAA server is selected, the system can query the user group and role information of the online user on the referenced AAA server, so that policy control based on user group and role can be applied.
  5. Specify the IP Address, Shared Secret and Idle Interval of each SSO Radius client that is allowed to access the system. You can configure up to 8 clients.
    • IP Address: Specify the IPv4 address of the SSO Radius client. If the IPv4 address is 0.0.0.0, the system accepts packets sent from any RADIUS client.
    • Shared Key: Specify the shared secret key of the SSO Radius client. The range is 1 to 31 characters. The system verifies each packet with the shared secret key and parses the packet only after verification succeeds; a packet that fails verification is dropped. Verification succeeds only when the SSO Radius client and the system are configured with the same shared secret key, or when neither of them is configured with a shared secret key.
    • User Timeout (minute): Configure the idle interval for the authentication information obtained from RADIUS packets. If no update or delete packet for the user arrives during the idle interval, the device deletes the user's authentication information. The range is 0 to 1440 minutes. The default value is 30. 0 means the user authentication information never times out.
  6. Click Apply to save all the configurations.
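The shared-secret check in step 5 is the standard RADIUS accounting verification (RFC 2866): the receiver recomputes the Request Authenticator over the packet and the shared secret, and drops the packet when it does not match. The following is an added example, not StoneOS code, showing what that verification and the extraction of the user-to-IP binding look like; the packet, the secret "s3cret" and the user "alice" are constructed sample input.

```python
# Added example (not Hillstone code): how a RADIUS accounting receiver such as
# the SSO Radius function described above validates an Accounting-Request with
# the shared secret and extracts the user-to-IP binding (RFC 2866).
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4          # RADIUS code for Accounting-Request
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_accounting_request(identifier, attrs, secret):
    """Build an Accounting-Request whose Request Authenticator is
    MD5(Code + ID + Length + 16 zero octets + attributes + secret).
    attrs is a list of (type, value_bytes) pairs. Used here only to
    construct sample input; a real RADIUS client would send this."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_attributes(body):
    """Walk the type/length/value list; return None on a malformed list."""
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            return None
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            return None
        attrs[attr_type] = body[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def verify_accounting_request(packet, secret):
    """Return the attribute dict if the packet is an Accounting-Request whose
    authenticator matches the shared secret, otherwise None (drop it).
    An empty secret on both sides verifies too, which is the 'neither side
    configured a shared secret' case the documentation mentions."""
    if len(packet) < 20:
        return None
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, authenticator):
        return None
    return parse_attributes(body)


def extract_binding(packet, secret):
    """Turn a verified packet into (user, ip, status) for the online-user table."""
    attrs = verify_accounting_request(packet, secret)
    if attrs is None or ATTR_USER_NAME not in attrs or ATTR_ACCT_STATUS_TYPE not in attrs:
        return None
    user = attrs[ATTR_USER_NAME].decode("utf-8", "replace")
    ip = None
    if ATTR_FRAMED_IP_ADDRESS in attrs and len(attrs[ATTR_FRAMED_IP_ADDRESS]) == 4:
        ip = str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP_ADDRESS]))
    if len(attrs[ATTR_ACCT_STATUS_TYPE]) != 4:
        return None
    status_code = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0]
    return user, ip, STATUS_NAMES.get(status_code, "Unknown")


# Constructed sample: a Start record for alice at 10.1.1.50, signed with "s3cret".
SECRET = b"s3cret"
SAMPLE_PACKET = build_accounting_request(
    7,
    [(ATTR_USER_NAME, b"alice"),
     (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.1.1.50").packed),
     (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1))],
    SECRET,
)

if __name__ == "__main__":
    print(extract_binding(SAMPLE_PACKET, SECRET))    # ('alice', '10.1.1.50', 'Start')
    print(extract_binding(SAMPLE_PACKET, b"wrong"))  # None: secret mismatch, packet dropped
```

The second call models a client configured with a different shared secret: the authenticator no longer matches, so the receiver learns nothing from the packet, which is the drop behaviour described in step 5. A 0.0.0.0 client address widens which sources are accepted, so the shared secret is then the only thing keeping unsolicited accounting records out of the online-user table.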

Using AD Scripting for SSO

Before using a script for SSO, make sure that your Active Directory server has been set up. To use a script for SSO, take the following steps:

Step 1: Configuring the Script for AD Server

  1. Open the AD Security Agent software (for details about the software, see Using AD Agent Software for SSO). On the <AD Scripting> tab, click Get AD Scripting to obtain the script "Logonscript.exe", and save it in a directory that all domain users can access.
  2. On the AD server, open the Start menu and select Management Tools > Active Directory Users and Computers.
  3. In the <Active Directory Users and Computers> dialog box, right-click the domain to which SSO will apply, select Properties, and then click the <Group Policy> tab.
  4. In the Group Policy list, double-click the group policy to which SSO will apply. In the <Group Policy Object Editor> dialog box, select User Configuration > Windows Settings > Scripts (Logon/Logoff).
  5. Double-click Logon in the right pane, and click Add in the <Logon Properties> dialog box.
  6. In the <Add a Script> dialog box, click Browse and select the logon script (logonscript.exe) as the Script Name; for the Script Parameters, enter the authentication IP address of StoneOS followed by the text "logon" (the two parameters are separated by a space). Then click OK.
  7. Repeat steps 5-6 to configure the logoff script, entering the text "logoff" in step 6.
The directory in which the script is saved must be accessible to all domain users; otherwise, a user without permission to that directory will not trigger the script when logging in or out.

Step 2: Configuring AD Scripting for StoneOS

After AD Scripting is enabled, a user who logs in to the AD server successfully is logged in to the Hillstone device at the same time. The system supports AD Scripting only for Active Directory servers.

To configure the AD Scripting function, take the following steps:

  1. Click Object > SSO Server > AD Scripting to enter the AD Scripting page. The AD Scripting function is disabled by default.
  2. Select the Enable check box of AD Scripting to enable the function.
  3. Specify the AAA Server that the user belongs to. You can select a configured Local, AD or LDAP server. After the AAA server is selected, the system can query the user group and role information of the online user on the referenced AAA server, so that policy control based on user group and role can be applied.
  4. Specify the Idle Interval, the longest time an authenticated user can stay online without generating any traffic. When the interval expires, StoneOS deletes the user's authentication information. The value range is 0 to 1440 minutes. 0 means the user is always online.
  5. Allow or refuse login by users with the same name, as needed:
    • Enable: Click to permit users with the same name to log in from multiple terminals simultaneously.
    • Refuse New Login: Click to permit only one user with the same name to be logged in; the user already logged in is kicked out by the user logging in.
  6. Click Apply to save the changes.

After completing the above two steps, the script sends user information to StoneOS in real time: whenever a user logs in or out, the script is triggered and reports the user's action to StoneOS.
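To make the same-name login setting and the Idle Interval from Step 2 concrete, here is an added example (not Hillstone code) of an online-user table that applies both rules to a constructed stream of logon, logoff and traffic events. The user names, addresses and timestamps are made up; the "Refuse New Login" mode follows the documented behaviour, in which the new login of a name replaces the session already logged in.

```python
# Added example (not Hillstone code): an online-user table that applies the
# same-name login setting and idle interval described for AD Scripting above,
# driven by constructed logon/logoff events instead of Logonscript.exe traffic.
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ip: str
    last_seen: float  # seconds; updated on every logon or traffic refresh


class OnlineUserTable:
    """Maps terminal IP -> Session. allow_multi_login=True is the 'Enable'
    option; False is 'Refuse New Login', where (as the documentation states)
    the user already logged in is kicked out by the new login of the same name.
    idle_minutes=0 means sessions never time out."""

    def __init__(self, allow_multi_login, idle_minutes):
        self.allow_multi_login = allow_multi_login
        self.idle_minutes = idle_minutes
        self.sessions = {}   # ip -> Session
        self.events = []     # audit trail of what the table did

    def logon(self, user, ip, now):
        if not self.allow_multi_login:
            # Collect first, then delete: never mutate the dict while iterating it.
            for other_ip in [s.ip for s in self.sessions.values()
                             if s.user == user and s.ip != ip]:
                del self.sessions[other_ip]
                self.events.append(f"kicked {user}@{other_ip}")
        self.sessions[ip] = Session(user, ip, now)
        self.events.append(f"logon {user}@{ip}")

    def logoff(self, user, ip):
        s = self.sessions.get(ip)
        if s is not None and s.user == user:   # ignore a logoff naming a different user at that IP
            del self.sessions[ip]
            self.events.append(f"logoff {user}@{ip}")

    def traffic(self, ip, now):
        """Traffic from a bound IP keeps its session alive."""
        s = self.sessions.get(ip)
        if s is not None:
            s.last_seen = now

    def expire(self, now):
        """Remove sessions idle longer than the idle interval; return their IPs."""
        if self.idle_minutes == 0:
            return []
        limit = self.idle_minutes * 60
        expired = [ip for ip, s in self.sessions.items() if now - s.last_seen > limit]
        for ip in expired:
            self.events.append(f"expired {self.sessions[ip].user}@{ip}")
            del self.sessions[ip]
        return expired

    def online_users(self):
        return sorted((s.user, s.ip) for s in self.sessions.values())


# Constructed event stream (times in seconds): alice logs on from two PCs,
# bob logs on, only alice's first PC keeps sending traffic, then bob's PC has
# been silent for longer than a 30-minute idle interval when expiry runs.
EVENTS = [
    ("logon", "alice", "10.1.1.10", 0),
    ("logon", "bob", "10.1.1.11", 60),
    ("logon", "alice", "10.1.1.12", 120),
    ("traffic", None, "10.1.1.10", 1500),
    ("expire", None, None, 1900),
]


def replay(allow_multi_login, idle_minutes=30):
    """Feed the constructed events through a table; return (online users, audit events)."""
    table = OnlineUserTable(allow_multi_login, idle_minutes)
    for kind, user, ip, now in EVENTS:
        if kind == "logon":
            table.logon(user, ip, now)
        elif kind == "traffic":
            table.traffic(ip, now)
        elif kind == "expire":
            table.expire(now)
    return table.online_users(), table.events


if __name__ == "__main__":
    print(replay(allow_multi_login=True))   # alice on both PCs; bob expired
    print(replay(allow_multi_login=False))  # alice only on 10.1.1.12; bob expired
```

The audit trail is the part worth keeping in a real deployment: a burst of "kicked" events for one user name is the signal that either the same account is shared across terminals or that something other than the expected user is logging on with that name.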

Using AD Polling for SSO

When a domain user logs in to the AD server, the AD server generates login logs. After the AD Polling function is enabled, the system regularly queries the AD server to obtain user login information and probes the terminal PCs to verify whether the users are still online, thus obtaining correct authentication user information to achieve SSO.

Before using AD Polling for SSO, make sure that the Active Directory server has been set up. To use AD Polling for SSO, take the following steps:

  1. Click Object > SSO Client > AD Polling to enter the AD Polling page.
  2. Click the button in the upper left corner of the page; the AD Polling Configuration dialog box pops up.
  3. Click OK to finish the AD Polling configuration.

  • When the system is restarted or the AD Polling configuration (except the account, password and force timeout) is modified, the system clears the existing user information and obtains user information again according to the new configuration.
  • To implement the AD Polling function, WMI must be enabled on the PC where the AD server is located and on the terminal PCs. By default, WMI is enabled. To enable WMI, open Control Panel > Administrative Tools > Services and enable the WMI Performance Adapter service.
  • For WMI to probe the PC where the AD server is located and the terminal PCs, the RPC service and remote management must be enabled. By default, the RPC service and remote management are enabled. To enable the RPC service, open Control Panel > Administrative Tools > Services and start Remote Procedure Call and Remote Procedure Call Locator; to enable remote management, run the command prompt (cmd) as administrator and enter the command netsh firewall set service RemoteAdmin.
  • For WMI to probe the PC where the AD server is located and the terminal PCs, the PC must allow WMI through Windows Firewall. Select Control Panel > System and Security > Windows Firewall > Allow an app through Windows Firewall, and in the Allowed apps and features list, select the Domain check box for Windows Management Instrumentation (WMI).
  • To use the offline function, make sure that the clocks of the PC where the AD server is located and of the terminal PCs are synchronized. To enable Synchronize with an Internet time server, select Control Panel > Clock, Language, and Region > Date and Time; in the Date and Time dialog box, click the Internet Time tab and check Synchronize with an Internet time server.

Using SSO Monitor for SSO

When a user logs in through a third-party authentication server, the authentication status is saved on that server. StoneOS connects to the third-party authentication server through the SSO-Monitor protocol and obtains the user's online status and the group the user belongs to.

To use SSO Monitor for SSO, take the following steps:

  1. Click Object > SSO Client > SSO Monitor to enter the SSO Monitor page.
  2. Click the button; the SSO Monitor Configuration dialog box pops up.
  3. Click OK to finish the SSO Monitor configuration.

You can configure a different number of SSO Monitors on different servers. When the configured number exceeds the limit, the system pops up an alarm.

Using AD Agent Software for SSO

Before using AD Security Agent for SSO, make sure that your Active Directory server has been set up. To use AD Security Agent for SSO, take the following steps:

Step 1: Installing and Running AD Security Agent on a PC or Server

AD Security Agent can be installed on an AD server or on a PC in the domain. If you install the software on an AD server, the communication consists only of "AD Security Agent → StoneOS"; if you install the software on a PC in the domain, the communication includes both of the directions in the following table. The default protocols and ports used in the communication are as follows:

Communication direction   AD Security Agent → AD Server   AD Security Agent → StoneOS
Protocol                  TCP                             TCP
Port on StoneOS           ---                             6666
Port on AD Security Agent 1935, 1984                      6666
Port on AD Server         445                             ---

To install the AD Security Agent on an AD server or a PC in the domain, take the following steps:

  1. Click http://swupdate.hillstonenet.com:1337/sslvpn/download?os=windows-adagent to download the AD Security Agent software, and copy it to a PC or a server in the domain.
  2. Double-click ADAgentSetup.exe to open it and follow the installation wizard.
  3. Start AD Security Agent through one of the following two methods:
    • Double-click the AD Agent Configuration Tool shortcut on the desktop.
    • Open the Start menu and select All apps > Hillstone AD Agent > AD Agent Configuration Tool.
  4. Click the <General> tab.
  5. On the <Discovered Server> tab, click Auto Discover to automatically scan for AD servers in the domain. Alternatively, click Add and enter the IP address of a server to add it manually.
    When event logs are queried on multiple AD servers, the query order is from top to bottom in the list.
  6. On the <Filtered User> tab, type the user name to be filtered into the Filtered user text box. Click Add, and the user is displayed in the Filtered User list. You can configure up to 100 filtered users; the names are not case sensitive.
  7. Click the <Discovered User> tab to view the detected mapping between user names and user addresses.
    Tip: A user added to the Filtered User list is not displayed in the Discovered User list.
  8. On the <AD Scripting> tab, click Get AD Scripting to obtain the script "Logonscript.exe". (For an introduction to and installation of this script, see Using AD Scripting for SSO.)
  9. Click Commit to submit all settings and start the AD Security Agent service at the same time.
After you have committed, the AD Agent service keeps running in the background. To modify the settings, edit them in the AD Agent Configuration Tool and click Commit; the new settings take effect immediately.

Step 2: Configuring AD server for StoneOS

To ensure that the AD Security Agent can communicate with StoneOS, take the following steps to configure the AD server:

  1. Click Object > AAA Server to enter the AAA server page.
  2. Choose one of the following two methods to enter the Active Directory server configuration page:
    • Click the button in the upper left corner of the page, and choose Active Directory Server from the drop-down list.
    • Select the configured AD server and click the button in the upper left corner of the page.
  3. For the basic configuration of the AD server, see Configuring Active Directory Server.
    The following settings must match the AD Security Agent:
    • Server Address: Specify the IP address or domain name of the AD server. It must be the same as the IP address of the device on which AD Security Agent is installed.
    • Security Agent: Select the check box to enable the SSO function, so that the server can send user online information to StoneOS.
      • Agent Port: Specify the listening port through which StoneOS communicates with the AD Security Agent. The range is 1025 to 65535. The default value is 6666. This port must be the same as the port configured in AD Security Agent; otherwise the system cannot communicate with the AD Agent.
      • Reconnection Timeout: Specify the timeout after which user binding information is deleted. The range is 0 to 1800 seconds. The default value is 300 seconds. 0 means never time out.
  4. Click OK to finish the AD server configuration.

After completing the above two steps, whenever a domain user logs in to the AD server, the AD Security Agent sends the user name, address and online time to StoneOS.