Configure Active Directory Authentication
Active Directory is the Microsoft® Windows-based application of an LDAP directory structure. Active Directory lets you expand the concept of domain hierarchy used in DNS to an organizational level. It keeps information and settings for an organization in a central, easy-to-access database. You can use an Active Directory authentication server to enable your users to authenticate to your Firebox with their current network credentials. For Active Directory authentication to work correctly, you must configure both your Firebox and the Active Directory server.
When you configure Active Directory authentication, you can specify one or more Active Directory domains that your users can select when they authenticate. You can add an unlimited number of domains.
For each domain, you can add up to two Active Directory servers: one primary server and one backup server. If the Firebox cannot connect to the primary authentication server after three separate authentication attempts, the primary server is marked as inactive and the second server is used to complete authentication requests until the dead timer expires and the primary server is active again. When you add an Active Directory server, you can select whether to specify the IP address or the DNS name of each server.
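The failover rules in the paragraph above, as an added model (not WatchGuard code): three attempts with no response mark a server inactive, the backup takes requests until the dead time elapses, and the primary is then marked active again. The `AdServer`/`AdDomain` classes and the `contact()` callback are assumptions for the model; whether a request that gets no response is retried on the backup is not stated on the page and is modelled here as no retry.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional
FAILURES_BEFORE_INACTIVE = 3          # page: three separate failed attempts
DEFAULT_DEAD_TIME_S = 3 * 60          # page: default dead time is 3 minutes

@dataclass
class AdServer:
    name: str
    failures: int = 0                 # consecutive attempts with no response
    inactive_since: Optional[float] = None

@dataclass
class AdDomain:
    primary: AdServer
    backup: Optional[AdServer] = None
    dead_time_s: float = DEFAULT_DEAD_TIME_S

    def is_active(self, server: AdServer, now: float) -> bool:
        """An inactive server is marked active again once the dead time has elapsed."""
        if server.inactive_since is None:
            return True
        if now - server.inactive_since >= self.dead_time_s:
            server.inactive_since, server.failures = None, 0
            return True
        return False

    def pick_server(self, now: float) -> Optional[AdServer]:
        """Primary first; the backup is used only while the primary is inactive."""
        for server in (self.primary, self.backup):
            if server is not None and self.is_active(server, now):
                return server
        return None

    def authenticate(self, now: float, contact: Callable[[AdServer], Optional[bool]]) -> Optional[bool]:
        """contact() returns True/False for a verdict, None on timeout (assumed: no retry on backup)."""
        server = self.pick_server(now)
        if server is None:
            return None
        verdict = contact(server)
        if verdict is None:
            server.failures += 1
            if server.failures >= FAILURES_BEFORE_INACTIVE:
                server.inactive_since = now       # third miss: mark inactive
        else:
            server.failures = 0
        return verdict

def simulate_primary_outage(outage_ends: float, dead_time_s: float = DEFAULT_DEAD_TIME_S) -> List[str]:
    """Constructed scenario: dc1 gives no response until outage_ends, dc2 always answers."""
    dom = AdDomain(AdServer("dc1"), AdServer("dc2"), dead_time_s)
    handled = []
    for now in (0, 30, 60, 90, 120, 180, 240):      # request times in seconds
        server = dom.pick_server(now)
        dom.authenticate(now, lambda s: None if s.name == "dc1" and now < outage_ends else True)
        handled.append(server.name)                  # which server took this request
    return handled
```

With the primary silent until t=100 s and the default 3-minute dead time, requests at 90, 120 and 180 s go to the backup even though the primary has recovered, and the primary is tried again only at 240 s.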
If you configure more than one Active Directory domain and you use Single Sign-On (SSO) to enable your users to select from the available Active Directory domains and authenticate, your users must install the SSO Client, or you must use the Event Log Monitor or Exchange Monitor. For more information, go to How Active Directory SSO Works and Install the WatchGuard Active Directory SSO Client.
If your users authenticate with the Active Directory authentication method, their distinguished names (DN) and passwords are hashed but not encrypted. To use Active Directory authentication and encrypt user credentials, you can select the LDAPS (LDAP over SSL) option. When you use LDAPS, the traffic between the LDAPS client on your Firebox and your Active Directory server is secured by an SSL tunnel. When you enable this option, you can also choose whether to enable the LDAPS client to validate the Active Directory server certificate. If you choose to use LDAPS and you specify the DNS name of your server, make sure the search base you specify includes the DNS name of your server.
The Active Directory server can be located on any Firebox interface. You can also configure your device to use an Active Directory server available through a VPN tunnel.
PhoneFactor authentication is a multi-factor authentication system that uses phone calls to determine the identity of users. Because it uses more than one out-of-band method (phone calls, text messages, and push notifications) and an OATH passcode, PhoneFactor provides flexible options for users and a single multi-factor platform to manage.
If you use PhoneFactor authentication with your Active Directory server, you can configure the timeout value in the Active Directory authentication server settings to specify when out-of-band PhoneFactor authentication occurs. For PhoneFactor authentication, you must set the timeout value to more than 10 seconds.
Before you begin, make sure your users can successfully authenticate to your Active Directory server. You can add, edit, or delete the Active Directory domains and servers defined in your Firebox configuration.
Add an Active Directory Authentication Domain and Server
In Fireware v12.3 or higher, you can use a wizard to configure a new Active Directory server. The wizard automatically configures the primary server and search base settings based on the domain name you specify.
You can also skip the wizard and configure the server manually.
In Fireware v12.2.1 or lower, you must manually configure the Active Directory server settings. For configuration instructions for Fireware v12.2.1 or lower, go to Configure Active Directory Authentication in Fireware v12.2.1 or lower in the WatchGuard Knowledge Base.
- Select Authentication > Servers > Active Directory.
- Click Add.
The Active Directory wizard appears.
- Click Next.
The Domain Name page appears.
- In the Domain Name text box, specify the name of the Active Directory domain.
The domain name must include a domain suffix. For example, type example.com, not example.
- Click Next.
The Active Directory Server page appears.
- In the Server Address text box, type the domain name or IP address of the Active Directory server.
- (Optional) To enable secure SSL connections to your Active Directory server, select Enable secure SSL connections to your Active Directory server (LDAPS).
- Click Next.
The final wizard page appears.
- (Optional) To edit the Active Directory configuration, select the Edit the Active Directory domain settings after you click Finish check box.
- Click Finish.
If you selected to edit the Active Directory domain settings, the Active Directory configuration page appears. Otherwise, a list of Active Directory servers appears.
- Select Authentication > Servers > Active Directory.
The Active Directory server list appears.
- To add a new server, click Add.
The Active Directory Wizard appears.
- To manually configure the server, click Skip.
The Active Directory configuration appears.
- In the Domain Name or IP Address text box, type the domain name or IP address to use for this Active Directory server.
The domain name must include a domain suffix. For example, type example.com, not example.
- In the Port text box, type a port.
If your Active Directory server is a global catalog server, it can be useful to change the default port. For more information, go to Change the Default Port for the Active Directory Server.
- (Optional) In the Backup Server section, type the domain name or IP address of a backup server, and then type the port.
- (Optional) To enable secure SSL connections to your Active Directory server, select the Enable LDAPS check box.
If you selected Enable LDAPS, a dialog box appears that asks whether to use the default port 636. Select Yes or No.
- (Optional) To verify that the certificate of the Active Directory server is valid, select the Validate Server certificate check box.
- In the Timeout text box, type or select the number of seconds the device waits for a response from the Active Directory server before it closes the connection and tries to connect again.
- In the Dead Time text box, type a time after which an inactive server is marked as active again.
The default value is 3 minutes. In Fireware v12.1.1 or lower, the default value is 10 minutes.
- From the Dead Time drop-down list, select Minutes or Hours to set the duration.
After an authentication server has not responded for three separate authentication attempts, it is marked as inactive. Additional authentication attempts do not try this server until the dead time has elapsed and the server is marked as active again.
- In the Search Base text box, type the location in the directory to begin the search.
Tip!
For more information about how to use a search base to limit the directories on the authentication server where the device can search for an authentication match, go to Find Your Active Directory Search Base.
- If you have not changed your Active Directory schema, the read-only security Group String is always tokenGroups. If you have changed your schema, type the attribute string that is used to hold user security group information on the Active Directory server.
- From the Login Attribute drop-down list, select an Active Directory login attribute to use for authentication. The login attribute is the name used for the bind to the Active Directory database. The default login attribute is sAMAccountName. If you use sAMAccountName, you do not need to specify a value for the DN of Searching User and Password of Searching User settings.
- In the DN of Searching User text box, type the distinguished name (DN) for a search operation.
If you keep the login attribute of sAMAccountName, you do not need to type anything in this text box.
If you change the login attribute, you must add a value in the DN of Searching User text box. You can use any user DN with the privilege to search LDAP/Active Directory, such as an administrator. However, a weaker user DN with only the privilege to search is usually sufficient.
For example: cn=Administrator,cn=Users,dc=example,dc=com
- In the Password of Searching User text box, type the password associated with the distinguished name for a search operation.
- To specify optional attributes for the primary LDAP server, select the Optional Settings tab.
For more information about how to configure optional settings, go to About Active Directory Optional Settings.
- Click Save.
- Click .
Or, select Setup > Authentication > Authentication Servers.
The Authentication Servers dialog box appears.
- Select the Active Directory tab.
The Active Directory settings appear.
- Click Add.
The Active Directory Domain Wizard appears.
- Click Next.
The Domain Name dialog box appears.
- In the Domain Name text box, specify the name of the Active Directory domain.
- Click Next.
The Active Directory Server page appears.
- In the Server Address text box, type the domain name or IP address of the Active Directory server.
- (Optional) To enable secure SSL connections to your Active Directory server, select Enable secure SSL connections to your Active Directory server (LDAPS).
- Click Next.
The final page of the wizard appears.
- (Optional) To edit the Active Directory configuration, select the Edit the Active Directory domain settings check box.
- Click Finish.
If you selected to edit the Active Directory domain settings, the Active Directory configuration appears. Otherwise, a list of Active Directory servers appears.
- Select Setup > Authentication > Authentication Servers > Active Directory.
The Active Directory server list appears.
- Click Add.
- In the wizard that appears, click Skip to manually configure the server.
The Active Directory Domain dialog box appears.
- In the Domain Name text box, type the domain name to use for this Active Directory server.
The domain name must include a domain suffix. For example, type example.com, not example.
- Click Add.
The Add IP/DNS Name dialog box appears.
- From the Choose Type drop-down list, select IP Address or DNS Name.
- In the Value text box, type the IP address or DNS name of this Active Directory server.
- In the Port text box, type or select the TCP port number for the device to use to connect to the Active Directory server.
The default port number is 389. If you enable LDAPS, you must select port 636. If your Active Directory server is a global catalog server, it can be useful to change the default port. For more information, go to Change the Default Port for the Active Directory Server.
- Click OK.
The IP address or DNS name you added appears in the Add Active Directory Domain dialog box.
- To add another Active Directory server to this domain, repeat Steps 5–9. You can add up to two servers.
Make sure the shared secret is the same on all the Active Directory servers you specify.
- In the Timeout text box, type or select the number of seconds the device waits for a response from the Active Directory server before it closes the connection and tries to connect again.
- In the Dead Time text box, type or select a time after which an inactive server is marked as active again.
The default value is 3 minutes. In Fireware v12.1.1 or lower, the default value is 10 minutes.
- From the Dead Time drop-down list, select minutes or hours to set the duration.
After an authentication server has not responded for three separate authentication attempts, it is marked as inactive. Additional authentication attempts do not try this server until the dead time has elapsed and the server is marked as active again.
- In the Search Base text box, type the location in the directory to begin the search.
The standard format for the search base setting is: ou=<name of organizational unit>,dc=<first part of the distinguished server name>,dc=<any part of the distinguished server name that appears after the dot>
To limit the directories on the authentication server where the device can search for an authentication match, you can set a search base. We recommend that you set the search base to the root of the domain. This enables you to find all users and all security groups to which those users belong.
For more information, go to Find Your Active Directory Search Base.
- In the Group String text box, type the attribute string that is used to hold user security group information on the Active Directory server. If you have not changed your Active Directory schema, the security group string is always tokenGroups.
- In the Login Attribute text box, type or select an Active Directory login attribute to use for authentication.
The login attribute is the name used for the bind to the Active Directory database. The default login attribute is sAMAccountName. If you use sAMAccountName, you do not have to specify a value for the DN of Searching User and Password of Searching User settings.
- In the DN of Searching User text box, type the distinguished name (DN) for a search operation.
If you keep the login attribute of sAMAccountName, you do not have to type anything in this text box.
If you change the login attribute, you must add a value in the DN of Searching User text box. You can use any user DN with the privilege to search LDAP/Active Directory, such as an administrator. However, a weaker user DN with only the privilege to search is usually sufficient.
For example: cn=Administrator,cn=Users,dc=example,dc=com
- In the Password of Searching User text box, type the password associated with the distinguished name for a search operation.
- To enable secure SSL connections to your Active Directory server, select the Enable LDAPS check box.
- If you enabled LDAPS but did not set the Port value to the default port for LDAPS, a port message dialog box appears. To use the default port, click Yes. To use the port you specified, click No.
- To verify the certificate of the Active Directory server is valid, select the Validate server certificate check box.
- To specify optional attributes for the primary LDAP server, click Optional Settings.
For more information about how to configure optional settings, see the next section in this topic.
- To add another Active Directory domain, repeat Steps 2–22. Make sure the shared secret is the same on all the Active Directory domains you specify.
- Click OK.
- Save the Configuration File.
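A pre-flight check for an Active Directory server entry, added here as an example (not Fireware code) that encodes the rules stated in the Web UI and Policy Manager steps above and in the introduction: the domain name needs a suffix, LDAPS uses port 636, a changed login attribute needs a DN of Searching User, PhoneFactor needs a timeout over 10 seconds, and with LDAPS plus a DNS server name the search base must cover that name. The `ActiveDirectoryConfig` container and the reading of the last rule as "the server's DNS name ends with the dc= suffix of the search base" are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

LDAP_PORT, LDAPS_PORT = 389, 636      # default ports named on the page
PHONEFACTOR_MIN_TIMEOUT_S = 10        # PhoneFactor needs more than 10 seconds

@dataclass
class ActiveDirectoryConfig:           # assumed container; fields mirror the dialog
    domain_name: str
    server_address: str                # IP address or DNS name of the AD server
    port: int = LDAP_PORT
    ldaps: bool = False
    search_base: str = ""
    login_attribute: str = "sAMAccountName"
    searching_user_dn: str = ""
    timeout_s: int = 10
    phonefactor: bool = False

def search_base_from_domain(domain: str) -> str:
    """Root-of-domain search base as the wizard derives it: example.com -> dc=example,dc=com."""
    return ",".join(f"dc={p}" for p in domain.strip(".").lower().split("."))

def domain_from_search_base(search_base: str) -> str:
    """Inverse: join the dc= components of a search base into a DNS suffix."""
    parts = (p.strip().lower() for p in search_base.split(","))
    return ".".join(p[3:] for p in parts if p.startswith("dc="))

def is_ip(address: str) -> bool:
    try:
        ipaddress.ip_address(address)
        return True
    except ValueError:
        return False

def check_config(cfg: ActiveDirectoryConfig) -> List[str]:
    """Return the rules from this page that the entry violates (empty list means OK)."""
    problems = []
    if "." not in cfg.domain_name.strip("."):
        problems.append("domain name must include a suffix (example.com, not example)")
    if cfg.ldaps and cfg.port != LDAPS_PORT:
        problems.append(f"LDAPS enabled but port is {cfg.port}, not {LDAPS_PORT}")
    if not cfg.search_base:
        problems.append("no search base; root of domain is " + search_base_from_domain(cfg.domain_name))
    elif cfg.ldaps and not is_ip(cfg.server_address):
        # Page: with LDAPS and a DNS server name, the search base must include that name (assumed reading).
        suffix = domain_from_search_base(cfg.search_base)
        if not cfg.server_address.lower().endswith(suffix):
            problems.append(f"search base suffix {suffix} does not match server {cfg.server_address}")
    if cfg.login_attribute != "sAMAccountName" and not cfg.searching_user_dn:
        problems.append("login attribute is not sAMAccountName, so DN of Searching User is required")
    if cfg.phonefactor and cfg.timeout_s <= PHONEFACTOR_MIN_TIMEOUT_S:
        problems.append("PhoneFactor requires a timeout of more than 10 seconds")
    return problems
```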
About Active Directory Optional Settings
Fireware can get additional information from the directory server (LDAP or Active Directory) when it reads the list of attributes in the server’s search response. This lets you use the directory server to assign extra parameters to the authenticated user sessions, such as timeouts and Mobile VPN with IPSec address assignments. Because the data comes from LDAP attributes associated with individual user objects, you are not limited to the global settings specified in the device configuration file. You can set these parameters for each individual user.
For more information, go to Use Active Directory or LDAP Optional Settings.
Test the Connection to the Server
To make sure that your Firebox can connect to your Active Directory server and successfully authenticate your users, from Fireware Web UI, you can test the connection to your authentication server. You can also use this feature to determine whether a specific user is authenticated and to get authentication group information for that user.
You can test the connection to your authentication server with one of these methods:
- Go to the Authentication Servers page for your server
- Navigate directly to the Server Connection page in Fireware Web UI
- Connect to the Authentication Portal on port 4100
To navigate to the Server Connection page from the Authentication Servers page:
- Click Test Connection for LDAP and Active Directory.
The Server Connection page appears.
- Follow the instructions in the Server Connection topic to test the connection to your server.
For instructions to navigate directly to the Server Connection page in Fireware Web UI, go to Server Connection.
To connect to the Authentication Portal to verify that authentication is working, go to https://[Firebox IP address]:4100.
Edit an Existing Active Directory Domain
When you edit the settings for an Active Directory domain, you can change all details for the domain except for the domain names of the Active Directory servers configured in the domain. To change the name of a domain, you must remove the server with the incorrect name and add a new server.
- In the Active Directory domains list, select the server to change.
- Click Edit.
The Active Directory / Edit page appears.
- To add an IP address or DNS name to the server for this domain, follow the instructions in the previous section.
- Update the settings for your Active Directory server.
- In the Active Directory domains list, select the server to change.
- Click Edit.
The Edit Active Directory Domain dialog box appears.
- To add an IP address or DNS name to the server for this domain, click Add and follow the instructions in the previous section.
- To remove an IP address or DNS name from the server for this domain, select the entry in the IP Address / DNS Name list and click Remove.
- Update the settings for your Active Directory server.
Delete an Active Directory Domain
To delete an Active Directory domain from the Fireware Web UI Authentication Servers page:
- From the Server list, select Active Directory.
The Active Directory page appears.
- In the Active Directory domains list, select the domain to delete.
- Click Remove.
A confirmation message appears.
- Click Yes.
The server is removed from the list.
To delete an Active Directory domain from the Policy Manager Authentication Servers dialog box:
- In the Active Directory domains list, select the domain to delete.
- Click Remove.
A confirmation message appears.
- Click Yes.
The server is removed from the list.