Transparent AD authentication
sk8erbender
Posts: 74 Ally Member
Hey everyone!
Is it possible to make transparent web authentication for Active Directory users?
As far as I understand, at the moment it is possible to do the following:
the user switches on the PC, tries to open a web page and gets redirected to a login page where he enters his DOMAIN\User and password; after that he gets internet access.
Also possible to exclude some by IP address.
Is it correct?
0
Accepted Solution
-
@sk8erbender
Regarding this case,
after users authenticate on the Windows logon page, they don't need to be authenticated by the USG again.
Can you double-check the log message or login user page to confirm the user truly logged in via SSO? (Go to Monitor > System Status > Login Users)
The configuration steps on the USG and SSO agent side are attached for your reference.
SSO Agent
Charlie
5
All Replies
-
@sk8erbender
It's correct.
Regarding your request,
the device can process web authentication for Active Directory users. The attached example is for your reference.
Charlie
1 -
So there is no transparent authentication? The user has to enter login and password?
0 -
@sk8erbender
It seems the SSO agent is suitable for your scenario.
Clients type their username and password on the Windows login page, and they can have full internet access.
The introduction of the SSO agent is attached for your reference.
SSO Agent
Charlie
0 -
Zyxel_Charlie said:
@sk8erbender
It seems the SSO agent is suitable for your scenario.
Clients type their username and password on the Windows login page, and they can have full internet access.
The introduction of the SSO agent is attached for your reference.
SSO Agent
Charlie

Hi! According to this scheme, the SSO agent is only installed on the Active Directory server and configured to run as an admin user? So no agent on client machines?
0 -
Well, I got it configured in the USG 310 (test works fine), and also got a fine test in gateway settings.
But when I try to use Configure LDAP/AD settings I always get an error:
---------------------------
SSO Agent - Confirm
---------------------------
Check LDAP/AD server:
Fail to get server data!
---------------------------
OK
---------------------------
Looked in HELP, the forum guide and the wiki, tried different IPs (localhost, 127.0.0.1, IP address of the AD server), tried different combinations of bind DN and base DN.
Btw, bind DN and base DN work fine in the USG configuration (aa server).
0 -
The SSO agent is installed on Windows Server 2012 R2 x64
0 -
(active directory) server
0 -
[2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.GetUserNameFromBindDN() completed.
[2019/02/25 10:33:43 AM] [System] [INFO] Function TestSetting: Test Primary LDAP Server.
[2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.QueryLDAP() invoked.
[2019/02/25 10:33:43 AM] [System] [INFO] UserInformation properties(UserName: usg.user, IP: , Domain: ).
[2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.PingToAddress() invoked.
[2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.PingToAddress() Test: Address: 192.168.0.36 timeout :1 buffer: System.Byte[]options: System.Net.NetworkInformation.PingOptions
[2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.PingToAddress() completed.
[2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.QueryLDAP() IP: 192.168.0.36
[2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.DoGetHostFqdn invoked.
[2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.QueryLDAP() path: LDAP://192.168.0.36:389/DC=mydomain.DC=local
[2019/02/25 10:33:43 AM] [System] [ERROR] System.DirectoryServices.DirectoryServicesCOMException (0x80005000): Unknown error (0x80005000)
0 -
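An added example, not part of the thread: a small triage script for SSO agent debug lines like the ones in the post above. It extracts the logged ADsPath and the HRESULT, names the HRESULT, and checks how the base DN components are separated. The function names, the HRESULT table and the DN check are this example's own assumptions, not Zyxel tooling.

```python
import re

# Constructed sample: three lines taken from the agent log quoted in the thread.
SAMPLE_LOG = """\
[2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.QueryLDAP() IP: 192.168.0.36
[2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.QueryLDAP() path: LDAP://192.168.0.36:389/DC=mydomain.DC=local
[2019/02/25 10:33:43 AM] [System] [ERROR] System.DirectoryServices.DirectoryServicesCOMException (0x80005000): Unknown error (0x80005000)
"""

# Windows/ADSI HRESULT values; a small table chosen for this example.
HRESULTS = {
    0x80005000: "E_ADS_BAD_PATHNAME: invalid directory pathname",
    0x8007052E: "ERROR_LOGON_FAILURE: bad bind user name or password",
    0x8007203A: "ERROR_DS_SERVER_DOWN: LDAP server not operational",
}
PATH_RE = re.compile(r"QueryLDAP\(\) path: (LDAP://.+)$")
ERR_RE = re.compile(r"\[ERROR\] \S+ \((0x[0-9A-Fa-f]{8})\)")
ADS_RE = re.compile(r"^LDAP://([^/:]+)(?::(\d+))?/(.*)$")

def check_base_dn(dn):
    """Return findings for a base DN; an empty list means no problem was seen."""
    findings = []
    for rdn in (p.strip() for p in re.split(r"(?<!\\),", dn)):
        attr, sep, value = rdn.partition("=")
        if not (attr and sep and value):
            findings.append(f"malformed component {rdn!r}")
        elif re.search(r"[.;]\s*(DC|OU|CN)=", value, re.I):
            findings.append(f"{rdn!r} embeds another RDN; separate components with commas")
    return findings

def triage(log_text):
    """Pair each logged ADsPath with the next ERROR HRESULT and check its DN."""
    reports, current = [], None
    for line in log_text.splitlines():
        path, err = PATH_RE.search(line), ERR_RE.search(line)
        if path and (parts := ADS_RE.match(path.group(1).strip())):
            host, port, dn = parts.groups()
            current = {"host": host, "port": int(port or 389), "base_dn": dn,
                       "dn_findings": check_base_dn(dn), "error": None}
            reports.append(current)
        elif err and current is not None:
            code = int(err.group(1), 16)
            current["error"] = HRESULTS.get(code, f"unmapped HRESULT {code:#010x}")
    return reports

if __name__ == "__main__":
    for report in triage(SAMPLE_LOG):
        print(report)
```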
Well! I finally managed to set it up. The problem was a wrong password.
The problem now is that users still get redirected to the web portal and are still asked for credentials. Did I miss something? How do I get them automatically connected? Or do I need to install a client and configure it on the workstation?
0
-
ZyXEL Next-Gen USG series supports single sign-on so users just need to sign in once to access both the Internet and all the resources and services integrated with Microsoft AD.
The whole process is a clientless implementation, so users don’t have to install any software on their PC. This enhances user experience by reducing password fatigue and time spent re-entering.
It also relieves system administrators from help desk calls about passwords and eliminates efforts of injecting or replacing some Microsoft AD components.
Performance Features
Windows AD support
• Windows 2008, 2008 R2, 2012
SSO agent support
• Windows 7 Pro, 2008, 2008 R2, 2012
SSO agent supports up to 2 USGs, and receives user login info from up to 2 DCs
Application
Benefits
Transparent user authentication when users try to access various services (e.g. HTTP) through the ZyXEL USG series
A single login is used to provide access to resources based on administrator-configured group memberships and policy matching
Minimal administrator configuration is needed since nothing needs to be installed on the users’ machines
So what am I missing? Why do they still get the web portal page asking for a password?
0