Hi
I am trying to configure the user role firewall on a MAG 2600 with the MAGx600-UAC-SRX license. I am using Windows Server 2008 R2 and UAC 4.4. I want to set up SSO using the SPNEGO protocol. Can someone explain to me the steps for configuring Active Directory? I want to know the exact steps I should perform on AD. How do I set up the "DNS" and "Users and Computers" settings and use the "ktpass" command on AD?
Regards
Arslan Nawaz
Dear Kalagesan
I already read these details in the User Role Firewall documentation. Actually I am confused about the AD configuration. I am not very familiar with AD, I just know the basics. Suppose the hostname of my MAG device is ic2600 with domain xyz.com. I create a DNS entry ic2600.xyz.com and map the entry to the IP address of my MAG device. The documentation says to perform these steps on AD.
--------------------------------------------------------------
1. Add a DNS entry as the UAC service account in the Forward Lookup Zones. In this way clients can refer to the MAG Series device by name or by IP address.
This UAC service account name will be used in the next section when reconfiguring the UAC service on the MAG Series device.
2. Single sign-on authentication requires that the UAC service account password never expires. To modify user settings:
From the Active Directory Users and Computers application in DNS, select Users>New>User and select the UAC service account created in step 1.
Select the Account tab.
In user settings, click Password Never Expires.
3. Create SPNEGO Keytab File: On the Domain Controller, open a command line, and enter the ktpass command to create the SPNEGO keytab file.
--------------------------------------------------------------
As I mentioned, I created the DNS entry for my ic2600 device. Can you explain what the SPN actually is and how I can create the SPN user? What is the UAC service account and how is it created? Can you explain step 2 in more detail?
Many Regards
Arslan
Hi Arslan Nawaz,
The information below on AD configuration should help for SPNEGO:
On Active Directory, there are two steps that must be performed:
- Create a dedicated user for the SPN.
- Add the SPN to this user using 'ktpass.exe' (this will generate the keytab).
NOTE: You must set a password for the user. "User must change password at next logon" should not be enabled, and "Password never expires" should be enabled.
The SPN must be added in this format: HTTP/[email protected] The SPN is case sensitive. Note the order of uppercase, lowercase and uppercase.
For Active Directory 2008, the commands 'ktpass' and 'setspn' are already installed. For Active Directory 2003, an add-on pack is required. Before adding the SPN, it's a good idea to make sure it doesn't already exist. This will help avoid ticket decryption issues on Junos Pulse Access Control Service. On the endpoint, the MAG Series device must be added as a trusted host (with Internet Explorer or Firefox). This can also be done with an Active Directory group policy. Without this, the browser will not participate in SPNEGO.
On the MAG Series device, you must upload the keytab file and verify that the diode turns green (indicating a successful join). SPNEGO does not work unless the diode is green.
Sample Active Directory Commands
To search for a particular SPN:
C:\>setspn -Q HTTP/dev94.abc-domain.lab.test.com
To search for all the SPNs of user 'spnuser':
C:\>setspn -L spnuser
To delete this SPN of user 'spnuser':
C:\>setspn -d HTTP/dev94.abc-domain.lab.test.com spnuser
In this example, the MAG Series device FQDN is: xyz.abc-domain.lab.test.com and the
AD realm is: ABC-DOMAIN.LAB.JUNIPER.NET. This adds an SPN to the user:
Additional Information
The 'kerbtray.exe' program is helpful for viewing and deleting Kerberos tickets on the endpoint. Old tickets must be purged from the endpoint if SPNs are updated or passwords are changed (assuming the endpoint still has a cached copy of the ticket from a prior SPNEGO request to the MAG Series device). During testing, you should purge tickets before each authentication request.
A similar program to 'kerbtray.exe' is klist.exe. This is a command line program to view and purge tickets. This can be downloaded from Microsoft's site.
When troubleshooting, Juniper Networks recommends that you restart the browser between auth requests to avoid cache issues.
If Internet Explorer pops up a Windows dialog box during authentication, this signifies that the IC isn't trusted for SPNEGO. You should add the MAG Series device FQDN under Options -> Security -> Local Intranet -> Sites -> Advanced.
In Firefox, you can install the 'Live HTTP Headers' plug-in to monitor HTTP traffic. You should verify that the ticket is being sent as base64 data. To add the MAG Series device as a trusted host in Firefox, load the URL about:config in the address window and set: network.negotiate-auth.trusted-uris.
Note: If I have answered your questions, you could mark this post as accepted solution, that way it could help others as well. Kudo will be a bonus thanks!
Regards,
Kannan
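The AD-side procedure Kannan describes (DNS record, dedicated service account with a non-expiring password, duplicate-SPN check, ktpass keytab, verification) as one PowerShell script. This is an added example for readers of the thread, not Juniper's documentation or anyone's posted commands; the device FQDN, zone, realm, account name and the TEST-NET IP address are assumptions borrowed from the sample names above, and the AES256 encryption type is a choice that assumes the device accepts it (check the MAG/UAC release notes, otherwise use RC4-HMAC-NT as the thread's era typically did).

```powershell
# Added example (not from the thread or the Juniper docs): provisions the Active Directory
# side of SPNEGO SSO for a MAG Series device on Windows Server 2008 R2.
# Run as a Domain Admin on a DC that also hosts the DNS zone. All names are assumptions.
Import-Module ActiveDirectory                   # RSAT AD module, present on 2008 R2 DCs

$DeviceFqdn = 'xyz.abc-domain.lab.test.com'     # MAG Series device FQDN (assumed)
$DeviceIp   = '192.0.2.10'                      # constructed TEST-NET-1 address
$Zone       = 'abc-domain.lab.test.com'         # forward lookup zone (assumed)
$Realm      = 'ABC-DOMAIN.LAB.TEST.COM'         # Kerberos realm = AD domain, UPPER case
$SvcAccount = 'spnuser'                         # dedicated UAC service account (assumed)
$Spn        = "HTTP/$DeviceFqdn"                # case sensitive: HTTP upper, host lower
$KeytabPath = 'C:\keytabs\mag-spnego.keytab'    # hypothetical output path

# 1. DNS A record so clients can reach the device by name.
#    The leftmost label is the node name inside the zone (here 'xyz').
$nodeName = $DeviceFqdn.Substring(0, $DeviceFqdn.Length - $Zone.Length - 1)
dnscmd localhost /RecordAdd $Zone $nodeName A $DeviceIp

# 2. Dedicated service account: "Password never expires" on, "change at next logon" off.
#    The password is prompted for so it never lands in the script or shell history.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcAccount'")) {
    $pw = Read-Host -Prompt "Initial password for $SvcAccount" -AsSecureString
    New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
        -UserPrincipalName "$SvcAccount@$($Realm.ToLower())" `
        -AccountPassword $pw -Enabled $true `
        -PasswordNeverExpires $true -ChangePasswordAtLogon $false
}

# 3. Stop if the SPN is already registered anywhere in the forest. A duplicate SPN
#    makes the KDC encrypt tickets for the wrong account, which the device cannot decrypt.
$query = setspn -Q $Spn
if ($query -match 'Existing SPN found') {
    throw "SPN $Spn already exists, remove it first:`n$($query -join "`n")"
}

# 4. Map the SPN to the account and write the keytab. '/pass *' prompts for the password
#    (ktpass resets the account password to that value) instead of taking it as an argument.
ktpass /princ "$Spn@$Realm" /mapuser "$SvcAccount@$Realm" /pass * `
       /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /out $KeytabPath

# 5. Verify the mapping before uploading the keytab to the device.
$registered = (Get-ADUser $SvcAccount -Properties servicePrincipalName).servicePrincipalName
if ($registered -notcontains $Spn) { throw "SPN $Spn was not added to $SvcAccount" }
"OK: $Spn registered on $SvcAccount, keytab written to $KeytabPath"
```

After the keytab is uploaded, the diode on the MAG Series device should turn green; if the SPN check in step 3 ever finds an existing entry, remove it with `setspn -d` as shown above rather than creating a second mapping.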
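A check for the "verify that the ticket is being sent as base64 data" advice above: the function below, an added example that is not from the thread, decodes the `Authorization: Negotiate` header captured with Live HTTP Headers (or any proxy log) and reports whether the browser sent a Kerberos/SPNEGO token or fell back to a raw NTLM token, which is what you see when the device is not in the trusted-hosts list. The two sample headers are constructed.

```powershell
# Added example: classify the token in an "Authorization: Negotiate <base64>" header.
# Kerberos/SPNEGO tokens are GSS-API InitialContextTokens and start with the ASN.1
# [APPLICATION 0] tag 0x60; an NTLM fallback is a raw NTLMSSP blob starting with "NTLMSSP\0".
function Get-NegotiateTokenType {
    param([Parameter(Mandatory = $true)][string]$AuthorizationHeader)

    if ($AuthorizationHeader -notmatch '^\s*Negotiate\s+(\S+)\s*$') { return 'not-negotiate' }
    try   { $bytes = [Convert]::FromBase64String($Matches[1]) }
    catch { return 'malformed-base64' }     # not what the browser should send

    if ($bytes.Length -ge 8 -and
        [Text.Encoding]::ASCII.GetString($bytes, 0, 7) -eq 'NTLMSSP' -and $bytes[7] -eq 0) {
        return 'ntlm'                       # host not trusted for Kerberos, or no ticket cached
    }
    if ($bytes[0] -eq 0x60) { return 'spnego' }   # Kerberos negotiation, the expected case
    return 'unknown'
}

# Constructed samples: an NTLM Type 1 message prefix, and a minimal GSS-API token header
# ([APPLICATION 0] tag, length, then the SPNEGO OID 1.3.6.1.5.5.2).
$ntlmSample = 'Negotiate ' + [Convert]::ToBase64String(
    [Text.Encoding]::ASCII.GetBytes("NTLMSSP") + [byte[]](0, 1, 0, 0, 0))
$spnegoSample = 'Negotiate ' + [Convert]::ToBase64String(
    [byte[]](0x60, 0x08, 0x06, 0x06, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x02))

"NTLM sample   -> $(Get-NegotiateTokenType $ntlmSample)"     # ntlm
"SPNEGO sample -> $(Get-NegotiateTokenType $spnegoSample)"   # spnego
```

If the function reports `ntlm` for a request to the device, add the device FQDN to the Local Intranet sites (IE) or `network.negotiate-auth.trusted-uris` (Firefox) as described above, purge tickets with klist, and retry; a `spnego` result with a failed login points at the keytab or SPN on the AD side instead.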
Thanks Kalagesan, the problem is solved... I successfully did SSO using SPNEGO with the user role firewall.
I am glad, Arslan, that your issue is resolved.
Regards,
Kannan