Transparent AD authentication

sk8erbender
sk8erbender Posts: 74  Ally Member
First Comment Friend Collector Second Anniversary
edited April 2021 in Security
Hey everyone ! 
Is is possible to make transparent web authentication for active directory users?

As far as I understand at the moment it is possible to make the following:
user switch on the PC , tries to open web page and gets redirected to login page where he enters his DOMAIN\User and password , after that he gets internet access.
Also possible to exclude some by ip address.

Is it correct?

Accepted Solution

«1

All Replies

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    edited February 2019
    @sk8erbender
    It's correct.
    Regarding your request,
    the device can process web-authentication for active directory users. The attached example as your reference. 
    Charlie
  • sk8erbender
    sk8erbender Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    So there is no transparent authentication? user have to enter login and password?
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    @sk8erbender
    It seems SSO agent suitable for your scenario.
    Clients type username and password on windows login page, and they can have fully internet access.
    The introduction of SSO agent as your reference.
    SSO Agent
    Charlie
  • sk8erbender
    sk8erbender Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    @sk8erbender
    It seems SSO agent suitable for your scenario.
    Clients type username and password on windows login page, and they can have fully internet access.
    The introduction of SSO agent as your reference.
    SSO Agent
    Charlie
    Hi !
    Accotding this scheme SSO agent is only installed on active directory server  and configured running as admin user ? So no agent on client machines ?

  • sk8erbender
    sk8erbender Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    Well I got configured in usg 310 (tests works fine)
    also got fine test in gateway settings

    But when I try to use Configure LDAP/AD settings I always get error

    ---------------------------
    SSO Agent - Confirm
    ---------------------------
    Check LDAP/AD server:

    Fail to get server data!
    ---------------------------
    OK  
    ---------------------------
    Looked in HELP, forum guide and wiki ,
    tried different IP
    ( localhost , 127.0.0.1, ip address of ad server)
    tried different combination bind DN , base DN

    Btw bind dn and base dn works fine in usg configuration ( aa server)


  • sk8erbender
    sk8erbender Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    The sso agent in installed on windows server 2012 r2 64x
  • sk8erbender
    sk8erbender Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    (active directory) server
  • sk8erbender
    sk8erbender Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    [2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.GetUserNameFromBindDN() completed.
    [2019/02/25 10:33:43 AM] [System] [INFO] Function TestSetting: Test Primary LDAP Server.
    [2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.QueryLDAP() invoked.
    [2019/02/25 10:33:43 AM] [System] [INFO] UserInformation properties(UserName: usg.user, IP: , Domain: ).
    [2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.PingToAddress() invoked.
    [2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.PingToAddress() Test: Address: 192.168.0.36 timeout :1 buffer: System.Byte[]options: System.Net.NetworkInformation.PingOptions
    [2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.PingToAddress() completed.
    [2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.QueryLDAP() IP: 192.168.0.36
    [2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.DoGetHostFqdn invoked.
    [2019/02/25 10:33:43 AM] [System] [DEBUG] FunctionUtil.QueryLDAP() path: LDAP://192.168.0.36:389/DC=mydomain.DC=local
    [2019/02/25 10:33:43 AM] [System] [ERROR] System.DirectoryServices.DirectoryServicesCOMException (0x80005000): Unknown error (0x80005000)

  • sk8erbender
    sk8erbender Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    Well! I finnally managed to  set it up. Problem was - wrong password.

    The problem now is - users still gets redirected to web portal and still asked about credentials..  Did I miss something? How do I get them automatically connected ? Or I need to install client and configure it on workstation>?
  • sk8erbender
    sk8erbender Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    ZyXEL Next-Gen USG series supports single sign-on so users just need to sign in once to access both the Internet and all the resources and services integrated with Microsoft AD.

    The whole process is clientless implementation that users don’t have to install any software on their PC. This enhances user experience by reducing password fatigue and time spent re-entering.

    It also relieves system administrators from help desk calls about passwords and eliminates efforts of injecting or replace some Microsoft AD components.Performance FeaturesWindows AD support• Windows 2008, 2008 R2, 2012SSO agent support• Windows 7 Pro, 2008, 2008 R2, 2012SSO agent supports up to 2 USGs, and receives user login info from up to 2 DCsApplication

    BenefitsTransparent user authentication when users try to access various services (e.g. HTTP) through the ZyXEL USG seriesA single login is used to provide access to resources based on administrator-configured group memberships and policy matchingMinimal administrator configuration is needed since on the users’ machines nothing needs to be installed

    So what am I missing why do they still get web portal page asking for password?

Security Highlight