Has anyone implemented this? If so, any comments on exactly how it should work? I find the Juniper documentation to be totally useless. Multiple errors in it. Really no good explanation of how to use it, etc.
Sounds like an interesting concept. If only I could figure it out.
I have tested the SPNEGO solution with UAC, with SRX as enforcer. It works as expected.
You should have the SRX as enforcer connected to the IC, and you should have a Windows AD domain authentication server enabled in the IC with Kerberos.
This is mainly used for agentless access and captive portal redirection; you need to have Integrated Windows Authentication enabled in your browser.
The Juniper KBs below will give you more information with respect to troubleshooting.
KB24183 - Troubleshooting SPNEGO SSO issues in IC 4.2Rx or later
KB25351 - Can we add IC's machine account in back end AD for SPNEGO SSO
KB24435 - Enforcer (SRX) integration with Source-Identity
Kannan - thanks for the reply. Appreciate the KBs and will check them out. A couple of comments:
1. My statement about the documentation stands - it has errors in it. I mentioned this to JTAC and they had no comment.
2. One question for you - from what I can tell, SPNEGO authorization is only initiated / functions under the following conditions: A - the user is already logged into an AD domain. B - the user attempts to access a resource through a browser (80/443).
So if the user attempted to access a resource via another protocol (say FTP), SPNEGO would not trigger an authorization attempt through the UAC box. Am I correct in that assumption? I.e., is it like a "hidden" captive portal from a functionality perspective?
If I am right, then a follow-up question. The user attempts to access a resource through the browser. Authorization occurs, access is granted. They then attempt an FTP - will that FTP be successful? Assumptions are that in the UAC the resource policy is defined to allow access to both the HTTP and the FTP traffic.
Just trying to gain an understanding of how this works and when to use it. Again, I am coming to think of it as a captive portal solution with no credential entry.