NetAsq F200 Internet authentication every 4 Hours

Hi to all, can I exclude the 4-hour authentications on my LAN PC with an F200 firewall? For my work, the FW is also a proxy. I've tried to check the real LDAP authentications, but it is not a solution. My users pass through an Active Directory authentication, and so I'd like to use this unique authentication also for navigation.

Is it possible?

gamzatti

Hello,

You can transparently authenticate users with Active Directory. For this, you must configure SPNEGO authentication on the Netasq Firewall.

You can also use SSL to transparently authenticate users but it's not (I think) compatible with Active Directory.

Julien

Julien Billochon

I authenticate just the users with Active Directory, but every 4 hours the authentication must be repeated.

gamzatti

OK, but SPNEGO is transparent for the users: the authentication is carried out all the same, but the users do not realize it.

Also, if you want to increase the delay of authentication, you can do it in the authentication tab, and indicate 8 hours, for example.

Julien Billochon

Thanks. I understand. In the documentation I've found this:

"Install a "Service Principal Name (SPN)" on the Kerberos server to enable encrypting the exchanges between the kerberos server, the user and the firewall"

I ask you where I can find the SPN to install it on my PDC.

Thanks.

gamzatti

You can find it in the Microsoft support tools package (available on the Windows 2000/2003 CD-ROM).

Julien Billochon

Hi, we have configured the SPN on my PDC but the client does not authenticate correctly. In the manual I've found that the web authentication is only activated if an authentication rule has been defined in the filter policy. Filter policy in the POLICY section or filter policy in the Proxy section? However, in the proxy policy rules the rule for authenticating a given users group to allow navigation is just present.

In the authentication section, GENERAL subsection, in Internal Interfaces, have you checked the SPNEGO checkbox? I also tried with it but it didn't work.

Thanks :-( I feel frustrated.

gamzatti

I forgot to say that I have discovered that the name of the computer was a strange name of the type "NAF200". I have changed it, replacing it with the complete name with the serial code. Ex: F200XBxxxxxxxxxxx. I think that it's better this way, right? In the various settings of the firewall I have enabled DNS in "authentication"/"global"/"advanced", and in "Internal Interface"/"available methods" I've checked "Kerberos" and "SPNEGO".

What do you think about it? Thanks a lot!

gam

gamzatti
