User Authentication with Active Directory:crewtech.co.za/downloads/GP Downloads/gateprotect -...


SSO with Windows Server 2008, 2008 R2 and Windows SBS 2008, 2011

This manual explains how SSO (Single Sign-On) is achieved and set up between the gateprotect and a Windows Server 2008, 2008 R2 or Windows SBS 2008, 2011 domain controller.

Add a Microsoft Active Directory Server as an Authentication server:

In the gateprotect client open: Options > User Authentication > Settings

General settings:

To activate, tick the boxes “Activate user authentication” and “Log Logins”.

“Log logins” needs to be selected for troubleshooting purposes: logins are then written to the logs, which can be viewed under Reports > Latest Report.

Login Modes:


Authentication Server:

By default “Only own user management” is selected. For SSO “Microsoft Active Directory Server” must be selected.

Server Address: IP address of the domain controller.

Server Port: 389 (leave as default). This is plain LDAP: a simple bind on this port sends the password across the network unencrypted, so the path between the gateprotect and the domain controller should be a trusted network segment.

Username & Password: the account the gateprotect binds to the domain controller with. The manual uses the Administrator credentials. Because this password is stored in the firewall configuration, a dedicated domain user with the least rights that still pass “Test the AD settings” below is preferable to a domain administrator.

Domain Name: Lowercase, Fully Qualified Domain Name (test.local will be used for this setup).

Click “Test the AD settings”. If successful you will get the pop-up window below.
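An added check, not part of the gateprotect manual, for the values entered under Authentication Server: run from a domain-joined Windows machine, it binds to the domain controller with the account the firewall will use and reads that account's own directory entry back, so a wrong address, port or credential shows up before it is saved on the firewall. The domain controller address 192.168.1.10 and the account name test\gpbind are assumptions (the manual uses the Administrator account); the base DN is that of the test.local domain used throughout.

```powershell
# Added example (not from the gateprotect manual): test the LDAP settings before
# entering them on the firewall. Runs with the PowerShell 2.0 shipped on Server 2008 R2.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc     = '192.168.1.10'        # assumed domain controller address ("Server Address")
$port   = 389                   # "Server Port"
$baseDn = 'DC=test,DC=local'    # test.local, the domain used in this manual
$cred   = Get-Credential 'test\gpbind'   # assumed bind account; prompts for the password

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, $port)
# Negotiate binds with Kerberos or NTLM (NTLM when the DC is given as an IP address), so the
# password is not sent in the clear. A simple bind on port 389 would send it unencrypted.
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
            $id, $cred.GetNetworkCredential(),
            [System.DirectoryServices.Protocols.AuthType]::Negotiate)
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()    # throws LdapException for a wrong address, port or password

# Read access is all this check needs: look up the bind account's own entry.
$user = $cred.GetNetworkCredential().UserName
$req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $baseDn, "(sAMAccountName=$user)",
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            [string[]]@('distinguishedName', 'memberOf'))
$res  = $conn.SendRequest($req)
if ($res.Entries.Count -ne 1) {
    throw "Bind succeeded but $user could not be read below $baseDn (check the base DN and read rights)"
}
"Bind and read OK as $user : " + $res.Entries[0].DistinguishedName
```

If the bind succeeds with a non-administrative account but the firewall's own test fails with the same values, the login mode in use needs more than read access, and that is the point to decide which rights to grant rather than falling back to a domain administrator.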


Single Sign-On Settings:

Under Options > User Authentication > Advanced, the settings for Single Sign-On need to be completed. “Activate the Kerberos service” should not be selected yet, as the Kerberos key file needs to be generated first on the domain controller.

Host name of the firewall: Lowercase (gateprotect will be used for this setup)

Domain: Uppercase, Fully Qualified Domain Name (TEST.LOCAL will be used for this setup)

Landing Page:

When “Show landing page” is selected, a gateprotect login webpage will display for all users that are not authenticated.

Click Ok to accept settings.

It is recommended to restart the gateprotect at this stage after applying these settings. Also remember that the time difference between the gateprotect and the domain controller is critical to this setup: Kerberos rejects tickets whose timestamps are more than 5 minutes apart by default, so both should be synchronised to the same NTP source.


Active Directory Preparation:

The user gpLogin must be created for this setup. Only a user named “gpLogin” (case sensitive) is accepted by the Single Sign-On service on the gateprotect.

- Open Command Prompt

Create the gpLogin user on your domain controller by executing the following command:

net user gpLogin * /ADD /fullname:"gpLogin"

You will be prompted to enter the password twice. This password needs to conform to the password strength policy set on the domain controller.

Open “Active Directory Users and Computers” on the domain controller and navigate to the user “gpLogin” which you just created under “Users”. On Windows SBS 2008, 2011, “gpLogin” will be created under “SBSUsers”.

Right click on the user and select “Properties”. In the “Account” tab under “Account Options” check the following boxes:

- Password never expires
- User cannot change password
- Use Kerberos DES encryption types for this account
- This account supports Kerberos AES 128 bit encryption
- This account supports Kerberos AES 256 bit encryption

The DES option is required because the key file generated in the next step contains a DES key only (see the ktpass parameters -crypto DES-CBC-CRC and +desonly). DES is a weak cipher that Windows 7 and Windows Server 2008 R2 disable by default; it is enabled here only because the key file the gateprotect imports uses this type, and the Group Policy step further on makes the domain controller and the clients accept it again.

Click “Apply” and “OK” to accept and close.


Generating the Kerberos Key File:

You will need to create the Kerberos key file on the domain controller. The command ktpass.exe will be used to generate a Kerberos key file.

- Open command prompt

To generate the Kerberos key file, execute the following command:

ktpass -out c:\ktpass.fw -princ gpLogin/firewallname@DOMAIN_NAME -pass Password123 -mapop set +desonly -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL -mapuser gpLogin

Parameters to note (case sensitive):

-out c:\ktpass.fw: the directory and filename of the Kerberos key file.

firewallname: Lowercase host name of the firewall (gateprotect will be used for this setup).

DOMAIN_NAME: Uppercase, Fully Qualified Domain Name (TEST.LOCAL will be used for this setup).

-pass Password123: Password created for the user gpLogin. Typing * instead of the password makes ktpass prompt for it, which keeps it out of the command history. Note that ktpass sets the account password to the value given, so the key file and the account always match.

Example: ktpass -out c:\ktpass.fw -princ gpLogin/gateprotect@TEST.LOCAL -pass Password123 -mapop set +desonly -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL -mapuser gpLogin
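The account preparation and key file generation above, collected into one PowerShell script as an added example that is not part of the gateprotect manual or product. It assumes a domain controller running Windows Server 2008 R2 or later with the ActiveDirectory module available (Windows Server 2008 without R2 does not ship it), the firewall host name gateprotect and realm TEST.LOCAL used throughout this manual, and that the account does not exist yet. Unlike the commands on the page it reads the password once from the console rather than from the command line, and it relies on ktpass resetting the account password to the value it is given.

```powershell
# Added example (not from the gateprotect manual): pages 4 and 5 in one script.
# Run in an elevated PowerShell on the domain controller as a domain administrator.
# Assumes Windows Server 2008 R2 or later with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$fwHost  = 'gateprotect'   # lowercase, exactly as entered under "Host name of the firewall"
$realm   = 'TEST.LOCAL'    # uppercase, exactly as entered under "Domain"
$outFile = 'C:\ktpass.fw'

# Read the password once from the console instead of putting it on the command line.
$secure = Read-Host -AsSecureString -Prompt 'Password for gpLogin'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 1. Create the account. The name is case sensitive for the gateprotect SSO service.
New-ADUser -Name 'gpLogin' -SamAccountName 'gpLogin' -DisplayName 'gpLogin' `
    -AccountPassword $secure -Enabled $true

# 2. The "Account Options" checkboxes from the Account tab.
Set-ADAccountControl -Identity 'gpLogin' -PasswordNeverExpires $true `
    -CannotChangePassword $true -UseDESKeyOnly $true
# msDS-SupportedEncryptionTypes bits: DES_CBC_CRC=1, DES_CBC_MD5=2, RC4=4, AES128=8, AES256=16.
# The DES and the two AES boxes on the dialog correspond to 1+2+8+16.
Set-ADUser -Identity 'gpLogin' -Replace @{ 'msDS-SupportedEncryptionTypes' = 27 }

# 3. Generate the key file with the same parameters as the manual. ktpass registers the
#    SPN gpLogin/<firewall> on the account and resets its password to the value given,
#    so account and key file stay in sync.
& ktpass -out $outFile -princ "gpLogin/$fwHost@$realm" -pass $plain `
    -mapop set +desonly -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL -mapuser 'gpLogin'
$plain = $null

# 4. Verify what the gateprotect will depend on: the SPN, the DES-only flag, the file.
$u = Get-ADUser -Identity 'gpLogin' -Properties ServicePrincipalNames, UserAccountControl
if ($u.ServicePrincipalNames -notcontains "gpLogin/$fwHost") {
    throw "SPN gpLogin/$fwHost is not registered on gpLogin"
}
if (-not ($u.UserAccountControl -band 0x200000)) {   # UF_USE_DES_KEY_ONLY
    throw 'USE_DES_KEY_ONLY is not set on gpLogin'
}
if (-not (Test-Path $outFile)) { throw "$outFile was not written" }
"Key file written to $outFile; import it on the gateprotect and delete all other copies."
```

The key file holds the long-term key of the gpLogin account; whoever obtains it can decrypt every service ticket issued for the firewall and act as that account, so treat C:\ktpass.fw like a password and remove it from the domain controller once it has been imported.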


Activate the Kerberos Service & Import the Kerberos Key File on gateprotect:

Once the Kerberos key file has been generated successfully on the domain controller, the Kerberos service can be activated on the gateprotect under Options > User Authentication > Advanced: select the tick box “Activate the Kerberos Service”.

When the Kerberos service is enabled on the gateprotect, the “Import the Kerberos key” section will become available. Navigate to the ktpass.fw Kerberos key file you created. Transfer it to the machine running the gateprotect client over a trusted channel and delete the copies afterwards: the file contains the long-term key of the gpLogin account, and anyone holding it can decrypt the firewall's service tickets and act as that account.

Settings will appear in the window as follows:

After the Kerberos key file is successfully imported, the gateprotect must be rebooted.


Group Policy Object settings for Kerberos.

By default the encryption types for Kerberos are not defined within the Group Policy Object of a domain. With the policy undefined, Windows 7 and Windows Server 2008 R2 do not use the DES types at all, so the DES-only key file created for gpLogin cannot be used until DES is allowed explicitly. This setting can be configured either on the domain controller or on the client machine itself.

It is recommended to change the following setting on the domain controller, and restart the server after the Group Policy Object is applied.

- Open the Group Policy Management Editor. You have the option to create a new “Group Policy Object” or edit your “Default domain policy”.

Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

Under “Security Options” you will find the policy “Network security: Configure encryption types allowed for Kerberos”. Open the properties of this policy, select “Define these policy settings” and select all options (DES_CBC_CRC and DES_CBC_MD5 are the ones this setup actually needs; RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1 and “Future encryption types” keep the stronger types available). Because this re-enables a weak cipher, prefer a separate GPO linked to the domain controllers and to the OU containing the SSO clients over editing the Default Domain Policy.

Click Ok and close the “Group Policy Management Editor”

For the settings to apply across the domain it is recommended to restart both the domain controller and client machines after these settings are applied.
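A check, added here and not part of the manual, for whether the policy above has actually reached a machine: it reads the registry value the policy writes and decodes the bitmask the same way the checkboxes in the policy dialog do. Run it on the domain controller and on an SSO client after the restart (or after gpupdate /force). The registry path and bit values are the ones Windows uses for this policy; the warning refers to the DES-CBC-CRC type the ktpass command on the previous page produces.

```powershell
# Added example (not from the gateprotect manual): decode the Kerberos encryption type
# policy on this machine. Works with the PowerShell 2.0 shipped with Server 2008 R2.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$name = 'SupportedEncryptionTypes'

# Bit values behind the checkboxes of
# "Network security: Configure encryption types allowed for Kerberos".
$types = @(
    @{ Name = 'DES_CBC_CRC';      Bit = 0x1 },
    @{ Name = 'DES_CBC_MD5';      Bit = 0x2 },
    @{ Name = 'RC4_HMAC_MD5';     Bit = 0x4 },
    @{ Name = 'AES128_HMAC_SHA1'; Bit = 0x8 },
    @{ Name = 'AES256_HMAC_SHA1'; Bit = 0x10 },
    @{ Name = 'Future types';     Bit = 0x7FFFFFE0 }
)

function Get-KerberosEtypePolicy {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) {
        # Value absent: the policy is "Not Defined" on this machine.
        return New-Object PSObject -Property @{ Defined = $false; Raw = $null; Allowed = @() }
    }
    $value   = [int64]$item.$name
    $allowed = @(foreach ($t in $types) { if ($value -band $t.Bit) { $t.Name } })
    New-Object PSObject -Property @{ Defined = $true; Raw = ('0x{0:X}' -f $value); Allowed = $allowed }
}

$policy = Get-KerberosEtypePolicy
$policy | Select-Object Defined, Raw, Allowed | Format-List

if (-not $policy.Defined) {
    Write-Warning 'Policy not defined: Windows 7 / Server 2008 R2 then refuse DES, so the gpLogin key file cannot be used yet.'
} elseif ($policy.Allowed -notcontains 'DES_CBC_CRC') {
    Write-Warning 'DES_CBC_CRC is not allowed here, but the ktpass.fw key file uses exactly that type.'
}
```

With all options selected the raw value reads 0x7FFFFFFF; a machine that still shows Not Defined after the restart has not received the GPO, which is the first thing to rule out when the SSO client later fails to obtain a ticket.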


Single Sign-On Client:

You will need to download the Single Sign-On client from the gateprotect website:

https://www.gateprotect.com/download.php?url=3&file=UAClientSSO_2_0.zip

Unzip UAClientSSO.zip. The folder contains three files; UAClientSSO.exe is the one used here.

You can test whether Single Sign-On is set up correctly by opening a command prompt and executing UAClientSSO.exe on a Windows computer that is joined to the domain.

- Open command prompt

Navigate to the directory where the UAClientSSO.exe is unzipped and execute the following command:

UAClientSSO.exe <firewallname> <firewall_IP>

Example: UAClientSSO.exe gateprotect 192.168.1.254

If successful, you will see a green icon, which appears in the system tray.

If the icon is opened you should see the window below:


Logon Script for UAClientSSO.exe:

Once the SSO client connects successfully, you would need to automate the Single Sign-On login process. This can be achieved by creating a batch logon script, on the domain controller.

On the domain controller navigate to c:\Windows\SYSVOL\sysvol\YOUR.DOMAIN\scripts (this folder is shared as NETLOGON and replicated to all domain controllers).

Example: c:\Windows\SYSVOL\sysvol\TEST.LOCAL\scripts

Copy and paste the downloaded UAClientSSO.exe file into this directory.

Create a .bat file, called logon.bat, for example. Edit the .bat file and input the following using notepad:

@echo off
REM Start the gateprotect SSO client from the NETLOGON share (the scripts folder above).
REM Arguments: host name of the firewall as entered in the SSO settings, then its IP address.
REM %LOGONSERVER% may be used in place of \\ip_address_of_AD; it expands to the domain
REM controller that authenticated this logon, so the script does not depend on one address.
start "" \\ip_address_of_AD\netlogon\UAClientSSO.exe hostname_of_firewall ip_address_of_firewall

Save and close notepad.


Set Logon Script for Start-up:

- Open the Group Policy Management Editor. You have the option to create a new “Group Policy Object” or edit your “Default domain policy”.

Navigate to: User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff)

Right click on “Logon” and select “Properties”. Select “Add”, then type the path to the .bat script that was created.

Example: \\192.168.3.1\netlogon\logon.bat

For the settings to apply across the domain it is recommended to restart both the domain controller and client machines after these settings are applied. The SSO client should now be executed automatically upon start-up/login.
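An alternative to the batch file above, added here and not part of the manual: a PowerShell logon script that starts the SSO client from a copy in the user's profile rather than straight from the network share, which is the condition the UAC hint in the Tips section describes, and that takes the domain controller from %LOGONSERVER% instead of a fixed IP address. It assumes Windows 7 clients and the Server 2008 R2 Group Policy Management Console (the PowerShell Scripts tab under Scripts (Logon/Logoff)), that UAClientSSO.exe was copied into the scripts folder as described, and the firewall name and address from the example on page 8. Whether this is enough to avoid an elevation prompt must be tested in your environment; the binary itself may still request elevation.

```powershell
# Added example (not from the gateprotect manual): PowerShell logon script that starts the
# SSO client from a local copy. Assumes Windows 7 clients and UAClientSSO.exe in NETLOGON.
$fwHost = 'gateprotect'     # host name of the firewall, as in the SSO settings (lowercase)
$fwIp   = '192.168.1.254'   # IP address of the firewall, as in the example on page 8

$share = "$env:LOGONSERVER\NETLOGON"   # e.g. \\DC1\NETLOGON: the DC that handled this logon
$src   = Join-Path $share 'UAClientSSO.exe'
$dir   = Join-Path $env:LOCALAPPDATA 'gateprotect'
$exe   = Join-Path $dir 'UAClientSSO.exe'

# A second logon session (or a re-run of the script) must not start a second client.
if (Get-Process -Name 'UAClientSSO' -ErrorAction SilentlyContinue) { return }

# Keep a per-user copy and refresh it when the copy in NETLOGON is newer, so the
# program is executed from the local disk and not from the network share.
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
if ((-not (Test-Path $exe)) -or ((Get-Item $src).LastWriteTime -gt (Get-Item $exe).LastWriteTime)) {
    Copy-Item -Path $src -Destination $exe -Force
}

# Same arguments as the manual command: UAClientSSO.exe <firewallname> <firewall_IP>
Start-Process -FilePath $exe -ArgumentList @($fwHost, $fwIp) -WorkingDirectory $dir
```

Because the copy lives under the user's profile, each user gets an up-to-date client without write access to NETLOGON, and the UAC policy changes listed under Tips & Hints are not needed for the script itself.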


gateprotect desktop:

It will now be possible to add User objects on the gateprotect desktop corresponding to users within Active Directory.

Make sure you created rules on the dashboard to allow this user access to certain services for testing purposes as per below:

Tips & Hints:

Time: The time difference between the gateprotect and the domain controller is extremely important and should not exceed 5 minutes, the default maximum clock skew that Kerberos tolerates; point both at the same NTP source.

UAC: In some cases User Account Control (UAC) might interfere with executing UAClientSSO.exe, as it is located on a network resource.

UAC can be individually disabled on each client machine, or be disabled with a Group Policy Object. Be aware of what the settings below do: together they switch off Admin Approval Mode, so every program an administrator runs on the affected machines, including a malicious one, gets full administrative rights without any prompt. Before relaxing UAC domain-wide, try having the logon script copy UAClientSSO.exe to the local disk so it is not started from the network share, and if a policy change is unavoidable, link it only to the OU of the machines that need it.

- Open the Group Policy Management Editor. You have the option to create a new “Group Policy Object” or edit your “Default domain policy”.

Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.


Locate and change the following policies:

“User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode” and modify it to “Elevate without prompting”

“User Account Control: Detect application installations and prompt for elevation” and modify it to “Disabled”

“User Account Control: Run all administrators in Admin Approval Mode” and modify it to “Disabled”

“User Account Control: Only elevate UIAccess applications that are installed in secure locations” and modify it to “Disabled”

For the settings to apply across the domain it is recommended to restart both the domain controller and client machines after these settings are applied.

Case Sensitive:

There are some settings and commands in this manual that are case sensitive. It is extremely important to get the Kerberos key file generation correct.

If the Kerberos key file is generated incorrectly or the manual is not followed in order, please ask support for the documentation on resetting this setup procedure:

“gateprotect - Remove gpLogin, Kerberos Ticket & Key File”

That manual will need to be followed to restore a blank configuration.