
Using AD Polling for SSO

This example shows how, once AD Polling is configured, domain users who have logged in to the AD domain can access the Internet directly without Web authentication.

The following describes the network environment. An enterprise deploys a Hillstone security device as the egress gateway connecting the internal network to the Internet. Only the staff of the R&D department have joined the AD domain (scep.pki.com); the staff of the marketing department have not. Web authentication is enabled on the security device, and all staff are allowed to access the Internet only after they pass authentication. Once AD Polling is configured, every logon by an R&D staff member to the AD domain (logging in to a domain-joined PC with a domain user name and password) produces a logon log on the AD server. The device reads these logs through AD Polling and thereby obtains the authenticated user information held by the AD server. With this information, R&D staff can access the Internet directly without Web authentication.

This example is premised on the following conditions:

  • The AD server has been set up according to the user's network environment.

  • To allow WMI to probe the PC that hosts the AD server and the terminal PCs, each of these PCs must have the RPC service running and remote management enabled. To enable the RPC service, open Control Panel > Administrative Tools > Services and start Remote Procedure Call (RPC) and Remote Procedure Call (RPC) Locator. To enable remote management, open a command prompt (cmd) as administrator and run netsh firewall set service RemoteAdmin (this is the legacy netsh firewall context; on current Windows it enables the Remote Administration rule group).

  • To allow WMI to probe the PC that hosts the AD server and the terminal PCs, each of these PCs must also allow WMI through Windows Firewall. Select Control Panel > System and Security > Windows Firewall > Allow an app through Windows Firewall; in the Allowed apps and features list, select the Domain check box for Windows Management Instrumentation (WMI).

  • The security device is normally configured with policies that protect the AD server, and these may block the ports WMI uses (TCP port 135 plus a dynamically assigned RPC port). A separate policy must therefore be configured that allows traffic sourced from the device's own interface (source IP: the IP address of ethernet0/3) to pass through.

  • A policy rule has already been configured on the security device requiring all staff of the enterprise to pass Web authentication before they access the Internet. For the detailed configuration method, see Allowing the Internet Access via User Authentication.
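The WMI prerequisites above (RPC service, remote management and the firewall exception) can be applied and then checked from PowerShell. The following is an added example and is not part of the Hillstone cookbook. Part A runs in an elevated prompt on the AD server and on each terminal PC that should be probed; Part B runs on any other domain-joined host and confirms that remote WMI works with the polling account, which is the same access the security device needs. The variable names, the use of classic DCOM as the transport and the use of Security event 4624 to stand in for the "logon logs" the device reads are assumptions of this example; the page does not state which query StoneOS issues.

```powershell
# Added example, not from the Hillstone cookbook. Part A: run in an elevated
# PowerShell on the AD server and on each terminal PC that should be probed.

# RPC: RpcSs always runs on Windows; the cookbook also asks for the RPC Locator.
Set-Service -Name RpcLocator -StartupType Manual
Start-Service -Name RpcLocator

# Firewall: the built-in rule groups that the cookbook enables through the GUI
# ("Windows Management Instrumentation (WMI)") and through the legacy
# "netsh firewall set service RemoteAdmin" command ("Remote Administration").
# Only the rules that apply to the Domain profile are enabled.
foreach ($group in 'Windows Management Instrumentation (WMI)', 'Remote Administration') {
    Get-NetFirewallRule -DisplayGroup $group |
        Where-Object { $_.Profile -match 'Domain|Any' } |
        Enable-NetFirewallRule
}

# WMI uses TCP/135 and then a port from this dynamic range; the policy on the
# security device (see the ethernet0/3 prerequisite) has to cover both.
netsh int ipv4 show dynamicport tcp

# Part B: run on another domain-joined host to verify that remote WMI works
# with the polling account. $Target and $Cred are assumptions of this example.
$Target = '10.180.201.8'                       # AD server from the cookbook
$Cred   = Get-Credential -UserName 'scep\test' -Message 'AD Polling account'

Test-NetConnection -ComputerName $Target -Port 135   # TcpTestSucceeded must be True

# Classic DCOM WMI, assumed here to be what the cookbook's prerequisites open
# (they do not mention WinRM).
$opt = New-CimSessionOption -Protocol Dcom
$s   = New-CimSession -ComputerName $Target -Credential $Cred -SessionOption $opt
Get-CimInstance -CimSession $s -ClassName Win32_ComputerSystem |
    Select-Object Name, Domain, UserName      # UserName = interactively logged-on user

# Logon records: Security event 4624 on the DC is the kind of logon log the
# device polls. For 4624, InsertionStrings[5] is the account and [18] the source IP.
$q = "SELECT TimeGenerated, InsertionStrings FROM Win32_NTLogEvent " +
     "WHERE Logfile='Security' AND EventCode=4624"
Get-CimInstance -CimSession $s -Query $q |
    Select-Object -First 10 TimeGenerated,
        @{ n = 'Account';  e = { $_.InsertionStrings[5] } },
        @{ n = 'SourceIP'; e = { $_.InsertionStrings[18] } }
Remove-CimSession $s
```

If Part B fails at Test-NetConnection, the blocking point is the policy on the security device or the Domain-profile firewall rules; if TCP/135 succeeds but New-CimSession fails, the dynamic RPC port range printed by netsh is the usual cause. Reading the Security log requires the privileges the cookbook grants the account through Domain Admins.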

Step 1: Creating a new domain user on the AD server and adding the user to the Domain Admins group.

On the PC that hosts the AD server, select Start > Administrative Tools > Active Directory Users and Computers to open the Active Directory Users and Computers window.


Right-click Users and select New > User to open the New Object - User page. Enter the following and click Next.

  • First name: test

  • User logon name: test@scep.pki.com

Configure a password on the New Object - User page and click Next.

  • Password: Hillstone123456

  • Confirm password: Hillstone123456

  • Password never expires: select the check box


Click Finish to complete the creation of the domain user test.

In the user list, right-click test and select Add to a group. Enter the group name and click OK.

  • Enter the object names to select: Domain Admins

Step 2: Adding the PCs of R&D staff to the AD domain (one PC is used as an example).

Select Control Panel > Network and Internet > Network and Sharing Center and open the properties of the network connection. Double-click Internet Protocol Version 4 (TCP/IPv4) to open the Internet Protocol Version 4 (TCP/IPv4) Properties page, and set the Preferred DNS server to the IP address of the AD domain controller.

  • Preferred DNS server: 10.180.201.8

  • Alternate DNS server: 8.8.8.8

Search for cmd in the Start menu and open the Command Prompt, then confirm that the PC can reach the AD domain controller (scep.pki.com), for example by pinging it by name.

Select Control Panel > System and Security > System > Computer name, domain, and workgroup settings > Change settings, and join the PC to the AD domain (scep.pki.com). Click OK.

  • Domain: scep.pki.com

In the Windows Security dialog box, enter Domain name\User name and Password. The user must be a member of the Domain Admins group.

  • Domain name\User name: scep\test

  • Password: Hillstone123456


After the PC has joined the AD domain (scep.pki.com) successfully, restart the computer for the change to take effect.

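Steps 1 and 2 can also be performed from PowerShell instead of the GUI. The following is an added example and is not part of the Hillstone cookbook; it uses the cookbook's values (scep.pki.com, 10.180.201.8, the account test), while the prompts, variable names and the connectivity checks before the join are assumptions of this example. The first part runs on the domain controller with the ActiveDirectory module installed; the second part runs in an elevated prompt on each R&D PC.

```powershell
# Added example, not from the Hillstone cookbook: Steps 1 and 2 from PowerShell.
# Values are the cookbook's (scep.pki.com, 10.180.201.8, account test); the
# prompts and variable names are assumptions of this example.

# --- Step 1: on the domain controller (ActiveDirectory module from RSAT) ---
Import-Module ActiveDirectory
# Read the password interactively rather than writing it into the script,
# since this account ends up in Domain Admins.
$pw = Read-Host -Prompt 'Password for the polling account' -AsSecureString
New-ADUser -Name 'test' -GivenName 'test' -SamAccountName 'test' `
    -UserPrincipalName 'test@scep.pki.com' `
    -Path 'CN=Users,DC=scep,DC=pki,DC=com' `
    -AccountPassword $pw -PasswordNeverExpires $true -Enabled $true
Add-ADGroupMember -Identity 'Domain Admins' -Members 'test'   # what the cookbook requires
# The DN printed here is the Login-dn entered in Step 3:
(Get-ADUser -Identity 'test').DistinguishedName   # CN=test,CN=Users,DC=scep,DC=pki,DC=com
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName

# --- Step 2: on each R&D PC, in an elevated prompt ---
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses '10.180.201.8','8.8.8.8'
# Confirm the DC answers for the domain before joining; this is the check the
# cookbook asks for from the command prompt.
Resolve-DnsName -Name 'scep.pki.com' -Server '10.180.201.8' -Type A
Test-NetConnection -ComputerName '10.180.201.8' -Port 389   # LDAP on the DC
$cred = Get-Credential -UserName 'scep\test' -Message 'Domain Admins account'
Add-Computer -DomainName 'scep.pki.com' -Credential $cred -Restart   # the restart completes the join
```

The cookbook requires the polling account to be a member of Domain Admins, and its password is stored on the security device in Steps 3 and 4, so that account should be used for nothing else and its password kept out of scripts and shell history. Whether a lower-privileged account is sufficient for a given StoneOS version is not covered by this page.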
Step 3: Configuring AD server parameters in StoneOS.

Select Object > AAA Server, click New, and select Active Directory Server from the drop-down list. Enter the following values.

  • Server Name: ad-polling
  • Server Address: 10.180.201.8
  • Base-dn: dc=scep,dc=pki,dc=com
  • Login-dn: cn=test,cn=users,dc=scep,dc=pki,dc=com
  • sAMAccountName: test
  • Authentication Mode: MD5
  • Password: Hillstone123456

Click OK; the AD server is created.

Step 4: Configuring AD Polling in StoneOS

Select Object > SSO Client > AD Polling, click Create to open the AD Polling Configuration page, and enter the following values.

  • Name: ad-polling
  • Status: Enable
  • Host: 10.180.201.8
  • Virtual Router: trust-vr
  • Account: scep\test
  • Password: Hillstone123456
  • AAA Server: the AD server ad-polling created in Step 3
  • AD Polling Interval: 2 seconds
  • Client Probing Interval: 5 minutes
  • Force Timeout: 10 minutes

Click OK to finish the AD Polling configuration.


Step 5: Verifying result  

After all of the above configuration is complete, R&D staff (for example, the user test added to the AD domain in this example) can access the Internet without Web authentication, whereas marketing staff still have to pass Web authentication before they can access the Internet.


To check the user-to-IP mapping that the device has learned via AD Polling, log in to the StoneOS CLI and run show user-mapping user-sso ad-polling or show auth-user.

As shown in the figure, the authentication user list obtained via AD Polling maps the user test to the IP address 10.180.203.74.