How Active Directory SSO Works

This topic includes a detailed explanation of how the WatchGuard SSO solution works. For a quick summary of how to set up SSO for a single Active Directory domain, go to:

The WatchGuard SSO Solution

The WatchGuard SSO solution for Active Directory includes these components:

  • SSO Agent — Required
  • SSO Client — Optional
  • Event Log Monitor — Optional
  • Exchange Monitor — Optional

The SSO Agent collects user login information from the SSO Client, Event Log Monitor, or the Exchange Monitor.

You can configure more than one SSO method. For example, you can configure the SSO Client as your primary SSO method, and configure the Event Log Monitor or the Exchange Monitor as backup SSO methods.

A single sign-on option is also available for the Terminal Services Agent, but is not related to the WatchGuard SSO solution components, and is configured separately. For more information about the Terminal Services Agent, go to Install and Configure the Terminal Services Agent.

For more detailed information about the WatchGuard SSO solution, go to these sections:

How SSO Works

For SSO to work, you must install the SSO Agent software on a domain member server. We recommend that you also choose one or more SSO components that will communicate with the SSO Agent:

  • For the most reliable SSO deployment, we recommend that you also install the SSO Client on Windows and macOS clients on your network.
  • For Linux or mobile users, you can install the Exchange Monitor for SSO.
  • (Optional) You can install the Event Log Monitor as a backup SSO method for Windows users.
  • (Optional) You can install the Exchange Monitor as a backup SSO method for macOS users.

If the SSO Client, Event Log Monitor, or Exchange Monitor are installed, the SSO Agent contacts these components for user credentials. The components send the correct user credentials and security group membership information to the SSO Agent.

When you configure the SSO Agent settings, you specify which SSO component the SSO Agent queries first. For SSO to work correctly, you must either install the SSO Client on all your client computers, or use the Event Log Monitor or Exchange Monitor to get correct user information.

If you install only the SSO Agent, the SSO Agent uses Active Directory (AD) Mode for SSO. We do not recommend AD Mode as a primary SSO method. AD Mode is disabled by default in v12.7.2 or higher of the SSO Agent. For information about AD Mode, go to the AD Mode section.

Network Topology

This diagram shows the methods you can use for Active Directory SSO. Your deployment might include one or more of these methods:

  • Method 1 — SSO Client and SSO Agent
  • Method 2 — Event Log Monitor (ELM) and SSO Agent
  • Method 3 — Exchange Monitor (EM) and SSO Agent

Method 4 shows Active Directory (AD) mode, which uses only the SSO Agent. AD Mode is not recommended as a primary SSO method.

Screen shot of a network topology diagram with SSO installed

About the SSO Agent

You must install the SSO Agent on a domain server in your network. This server can be the domain controller or another domain member server.

When you install the SSO Agent, make sure that it runs as a user account that is a member of the Domain Users security group. The Domain Users account you select must be able to run services on the Active Directory server, to search the directory, and to search all other user audit information. With these privileges, when users try to authenticate to your domain, the SSO Agent can query the SSO Client on the client computer, the Event Log Monitor, or the Exchange Monitor for the correct user credentials, and provide those user credentials to your Firebox.

To configure the correct permissions and settings, go to Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor.

For security reasons, we recommend that you do not select a user account that is a member of the Domain Admins security group.

For installation information, go to Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor.

For configuration information, go to Configure the SSO Agent.

For configuration examples, go to Example Network Configurations for Active Directory SSO.

SSO Agent Failover

In Fireware v12.2 or higher, you can configure up to four SSO Agents on your Firebox for redundancy. For example, you can install an SSO Agent on a primary domain controller, and another SSO Agent on a secondary domain controller. If you must reboot the primary domain controller, SSO fails over to the SSO Agent on the secondary domain controller.

Only one SSO Agent is active at a time. If the active SSO Agent becomes unavailable, the Firebox automatically fails over to the next SSO Agent in your configuration. Failover occurs sequentially. For example, if the first SSO Agent in the list becomes unavailable, failover occurs to the second SSO Agent in the list. If the last SSO Agent in the list is active and becomes unavailable, failover occurs to the first SSO Agent in the list.

You can also select to manually fail over to a different SSO Agent. For instructions, go to Enable Active Directory SSO on the Firebox.

Failback does not occur. For example, if the first SSO Agent in the list becomes unavailable, failover occurs to the second agent in the list. If the first SSO Agent becomes available again, the second SSO Agent remains the active agent. Failback does not occur to the first SSO Agent.

The SSO Agent must be v12.2 or higher to support failover.

About the SSO Client

When you install the SSO Client software on your Windows or macOS client computers, the SSO Client receives a call from the SSO Agent and returns the user name, security group membership information, and domain name for the user who is currently logged in to the computer.

The SSO Client runs as a local system service on each user computer. It requires no interaction from the user.

To enable RDP (remote desktop) users to authenticate with the SSO Client, your users must run the v11.9.3 or higher SSO Client.

For installation information, go to Install the WatchGuard Single Sign-On (SSO) Client.

About the Event Log Monitor

The Event Log Monitor is an optional SSO component that enables Windows users to authenticate with SSO without the WatchGuard SSO Client. This is known as clientless SSO. We recommend that you use clientless SSO with Event Log Monitor only as a backup SSO method.

To enable RDP users to authenticate with Event Log Monitor, you must install Event Log Monitor v11.10 or higher.

Event Log Monitor Installation

With clientless SSO, you install the Event Log Monitor on a server in each domain in your network. This can be the domain controller or another domain member server. The Event Log Monitor must run as a user account that is a member of the Domain Users security group.

For security reasons, we recommend that you do not select a user account that is a member of the Domain Admins security group.

One domain

If you have one domain that you use for SSO, you can install the Event Log Monitor on the same server or domain controller where you install the SSO Agent.

Multiple domains

If you have more than one domain, you must install one instance of the Event Log Monitor in each domain. In Fireware v12.1.1 or lower, you only install one instance of the SSO Agent for your entire network. In Fireware v12.2 or higher, you can install up to four instances of the SSO Agent for redundancy. Only one SSO Agent is active.

The Event Log Monitor does not have to be installed on the domain controller computer; it can be installed on any domain member server in that domain.

For installation information, go to Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor.

Event Log Monitor Configuration

After you install the Event Log Monitor, you configure the SSO Agent to get user login information from the Event Log Monitor. For more information about how to specify domains and Event Log Monitors for the SSO Agent, go to Configure the SSO Event Log Monitor.

How Event Log Monitor Works

After the Event Log Monitor successfully gets the user credentials and the user is authenticated, the Event Log Monitor continues to poll the client computer every five seconds to monitor logon and logoff events, and connection abort issues. Any connection errors are recorded in the eventlogmonitor.log file in the WatchGuard > Authentication Gateway directory on the server where the Event Log Monitor is installed. If the Event Log Monitor cannot get the logon credentials for a user, it notifies the SSO Agent, and the user is not authenticated.

When a user logs in to a Windows computer:

  1. A logon event is written to the Windows Event Log on the computer.
  2. The Firebox receives traffic from the user, but does not find a session for the IP address of the computer.
  3. The Firebox contacts the SSO Agent to request the user name, domain, and group information.
  4. The SSO Agent redirects this request to the Event Log Monitor.
  5. The Event Log Monitor contacts the computer over TCP port 445.
  6. The Event Log Monitor gets the user name and domain from the Windows Event Log on the computer.
  7. The Event Log Monitor contacts the Active Directory domain controller to get group information for the user.
  8. The Event Log Monitor adds the computer to the list of monitored computers.
  9. The Event Log Monitor sends the user name, domain, and group information to the SSO Agent.
  10. The SSO Agent sends the user name, domain, and group information to the Firebox.
  11. The Firebox creates a session for the IP address of the computer.
  12. To find new logoff events, Event Log Monitor polls every computer in the monitor list every five seconds over TCP 445.

When a user logs off of a Windows computer:

  1. A logoff event is written to the Windows Event Log on the computer.
  2. The Event Log Monitor contacts the computer over TCP port 445 and discovers the logoff event.
  3. The Event Log Monitor sends a notification to the SSO Agent about the logoff event.
  4. The SSO Agent sends a notification to the Firebox to delete the session.
  5. The Event Log Monitor keeps the computer on the monitor list and continues to poll the computer.
  6. If the computer is shut down, or not connected to the network:
    1. The Event Log Monitor deletes the computer from the monitor list.
    2. The Event Log Monitor sends a notification to the SSO Agent that the user logged off.
    3. The SSO Agent sends a notification to the Firebox to delete the session.

If the Event Log Monitor is shut down, the monitor list is cleared.

To get the user credentials, the SSO Agent sends a reverse DNS lookup to the DNS server to find the host name associated with the IP address for the user. When the host name is confirmed, the SSO Agent takes the domain information from the host name (the fully-qualified domain name, or FQDN), contacts an Event Log Monitor configured for that domain, and gets the user credentials to use for authentication. For the SSO Agent to successfully get the domain information, you must make sure that the DNS server includes PTR records (the DNS records that map an IP address to an FQDN) for all domain client computers.
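The logon and logoff sequences above, the PTR-record routing step, and the Logon Type values listed later in the Event Logs requirements (2 and 11 for local, 10 for RDP) can be tied together in a small model. The following is an added example, not WatchGuard's code: the PTR table, the Event Log Monitor names, and the event records are constructed, and the decision to ignore every Logon Type other than 2, 10 and 11 (for example service logons) is an assumption of this model, not a documented rule.

```python
from dataclasses import dataclass, field

# Logon Type values named on the page: 2 and 11 are local logon/logoff
# events, 10 is an RDP logon/logoff event. Ignoring all other types is an
# assumption of this model.
TRACKED_LOGON_TYPES = {2, 10, 11}
LOGON_EVENT_ID = 4624
LOGOFF_EVENT_ID = 4634

# Constructed PTR records standing in for the reverse DNS zone.
PTR_RECORDS = {
    "10.0.1.25": "ws25.corp.example.com",
    "10.0.2.40": "ws40.sales.example.com",
}

# Constructed Event Log Monitor per domain, as entered in the SSO Agent config.
ELM_BY_DOMAIN = {
    "corp.example.com": "elm1.corp.example.com",
    "sales.example.com": "elm1.sales.example.com",
}


@dataclass
class WindowsEvent:
    event_id: int
    logon_type: int
    user: str
    domain: str


@dataclass
class ElmState:
    monitor_list: set = field(default_factory=set)       # hosts polled every 5 s
    sessions: dict = field(default_factory=dict)         # ip -> DOMAIN\user
    notifications: list = field(default_factory=list)    # what the Agent/Firebox hear


def route_to_elm(ip):
    """Reverse-lookup the IP, take the domain part of the FQDN and pick the
    Event Log Monitor for that domain. None means no PTR record, so the SSO
    Agent cannot tell which Event Log Monitor to ask."""
    fqdn = PTR_RECORDS.get(ip)
    if fqdn is None:
        return None
    domain = fqdn.split(".", 1)[1]
    return ELM_BY_DOMAIN.get(domain)


def latest_tracked_logon(events):
    """Newest 4624 event whose Logon Type is local or RDP, or None."""
    for ev in reversed(events):
        if ev.event_id == LOGON_EVENT_ID and ev.logon_type in TRACKED_LOGON_TYPES:
            return ev
    return None


def handle_agent_query(state, ip, host_event_log):
    """Logon steps 4-11: answer the SSO Agent's request for one IP address."""
    ev = latest_tracked_logon(host_event_log)
    if ev is None:
        state.notifications.append(("not_found", ip))   # user is not authenticated
        return None
    state.monitor_list.add(ip)                           # step 8
    identity = f"{ev.domain}\\{ev.user}"
    state.sessions[ip] = identity                        # step 11, Firebox session
    state.notifications.append(("create_session", ip, identity))
    return identity


def poll(state, reachable_logs):
    """Step 12 and the logoff sequence: poll every monitored host over TCP 445.
    reachable_logs maps ip -> event list; a missing ip means the host is
    shut down or off the network."""
    for ip in sorted(state.monitor_list):
        log = reachable_logs.get(ip)
        if log is None:
            state.monitor_list.discard(ip)               # drop unreachable host
            if state.sessions.pop(ip, None) is not None:
                state.notifications.append(("delete_session", ip))
            continue
        last = log[-1] if log else None
        if last and last.event_id == LOGOFF_EVENT_ID and last.logon_type in TRACKED_LOGON_TYPES:
            if state.sessions.pop(ip, None) is not None:
                state.notifications.append(("delete_session", ip))
            # the host stays on the monitor list and continues to be polled
```

A workstation whose only 4624 events carry an untracked Logon Type produces a "not found" answer, which is the case a missing PTR record or a service-only logon produces in a real deployment; the host then never enters the monitor list.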

This diagram shows how the Event Log Monitor works.

Diagram of the Event Log Monitor clientless SSO process

Load Balancing and Failover for Event Log Monitor

Whether you have only one domain, or many domains in your network, you can install more than one instance of the Event Log Monitor in each domain to use for load balancing and failover. This can help you to provide faster and more reliable SSO to your users.

One Domain

When you install more than one Event Log Monitor in a domain, all of the instances of the Event Log Monitor work in parallel to collect user login information for the users in that domain. This enables faster authentication. Multiple Event Log Monitors also provide failover. If one of the Event Log Monitors cannot complete the authentication request, another Event Log Monitor can instead send the user credentials to the SSO Agent.

If you have more than one Event Log Monitor in a single domain, and you add each Event Log Monitor to the SSO Agent configuration, the SSO Agent randomly chooses an Event Log Monitor in the list and contacts it for the user credentials and login information. If the selected Event Log Monitor cannot authenticate the user, the SSO Agent contacts the next Event Log Monitor in the list. The SSO Agent continues to contact the next Event Log Monitors in the list until it either gets the user credentials, or authentication has failed for all Event Log Monitors. The SSO Agent then contacts the next configured SSO Agent contact (SSO Client or Exchange Monitor) to try to authenticate the user.

Multiple Domains

If you have many domains in your network, and more than one Event Log Monitor installed in each domain, the SSO Agent can also use the Event Log Monitors from other domains in your network for load balancing and failover. With this SSO configuration, the SSO Agent chooses an Event Log Monitor from the local domain of the SSO Agent and contacts that Event Log Monitor for the user credentials. If that Event Log Monitor cannot authenticate the user, the SSO Agent randomly chooses an Event Log Monitor included in the SSO Agent configuration from another domain and contacts it for the user credentials. If that Event Log Monitor also cannot authenticate the user, the SSO Agent then contacts the next configured SSO Agent contact (SSO Client or Exchange Monitor) to try to authenticate the user.
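The selection order described in the two passages above (random first choice, then the next Event Log Monitors in the list, then one randomly chosen Event Log Monitor from another domain, then the next configured contact) can be expressed as a function. This is an added example, not WatchGuard's code: the Event Log Monitor names are constructed, and two details the page does not state are assumptions here, namely that "the next Event Log Monitor in the list" wraps around to the start of the list, and that the local-domain part of the multi-domain case follows the single-domain rule.

```python
import random


def elm_attempt_order(agent_domain, elms_by_domain, rng=random):
    """Return the order in which the SSO Agent tries Event Log Monitors.

    elms_by_domain: {domain: [elm, ...]} as entered in the SSO Agent config.
    Local domain: random starting point, then the rest of the list in order
    (wrap-around is an assumption). Other domains: one ELM chosen at random.
    """
    local = list(elms_by_domain.get(agent_domain, []))
    order = []
    if local:
        start = rng.randrange(len(local))
        order.extend(local[start:] + local[:start])
    remote = [elm for dom, elms in elms_by_domain.items()
              if dom != agent_domain for elm in elms]
    if remote:
        order.append(rng.choice(remote))
    return order


def authenticate_via_elm(agent_domain, elms_by_domain, responder, rng=random):
    """responder(elm) returns DOMAIN\\user or None when that ELM cannot
    authenticate the user. Returns (identity, elm_used), or
    (None, "next_contact") when the Agent falls through to the SSO Client
    or Exchange Monitor."""
    for elm in elm_attempt_order(agent_domain, elms_by_domain, rng):
        identity = responder(elm)
        if identity is not None:
            return identity, elm
    return None, "next_contact"


if __name__ == "__main__":
    # Constructed configuration: three ELMs in the Agent's own domain, two elsewhere.
    elms = {
        "corp.example.com": ["elm1.corp", "elm2.corp", "elm3.corp"],
        "sales.example.com": ["elm1.sales", "elm2.sales"],
    }
    unreachable = {"elm2.corp", "elm3.corp"}
    answer = lambda elm: None if elm in unreachable else "CORP\\alice"
    print(authenticate_via_elm("corp.example.com", elms, answer, random.Random(7)))
```

Passing a seeded `random.Random` makes the order reproducible, which is useful when reasoning about why a particular Event Log Monitor was asked first.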

About the Exchange Monitor

The WatchGuard SSO Exchange Monitor is an optional component that you can install on your Microsoft Exchange Server to enable clientless SSO for any computer or device that can authenticate to your Microsoft Exchange Server. You can use the Exchange Monitor as the primary SSO method for Linux computers and mobile devices with iOS, Android, or Windows. You can also use the Exchange Monitor as a backup SSO method for Windows and macOS computers that are not shared by many users.

Exchange Monitor Installation

You must install the Exchange Monitor on the same server where your Microsoft Exchange Server is installed. Your Exchange Server must generate IIS logs in the W3C Extended log file format, and RPC client access log messages.

For installation information, see Install the WatchGuard Single Sign-On (SSO) Exchange Monitor.

How Exchange Monitor Works

The Exchange Monitor gets user login information from the IIS logs on your Microsoft Exchange Server. Because Microsoft Exchange Server is integrated with your Active Directory server, Exchange Server can easily get the user credentials from the IIS and RPC client access log messages in your user store.

When a user successfully connects to the Exchange Server to download email:

  1. The IIS service on the Exchange Server generates a log message of the user logon event.
  2. The Exchange Monitor verifies the logon events with the IIS service and keeps a list of all currently active users.
  3. The Exchange Monitor sends a query to the IIS log file every three seconds to make sure user information is current.
  4. When the SSO Agent contacts the Exchange Monitor, Exchange Monitor sends the user information to the SSO Agent.
    • If the user is included in the list of users that are logged in to the Exchange Server, the SSO Agent notifies the Firebox that the user is currently logged in, and the user is authenticated.
    • If the user is not included in the list of users that are logged in, the SSO Agent notifies the Firebox that the user is not found in the list of active users, and the user is not authenticated.
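The Exchange Monitor's source of truth is the IIS log in W3C Extended format, so the core of steps 1 to 4 is a parser that honours the `#Fields` directive and a table of active users keyed by client IP. The following is an added example, not WatchGuard's code: the log excerpt is constructed, and the rule that only requests with a non-anonymous `cs-username` and a 2xx `sc-status` count as a logon is an assumption of this model (the page does not document the Exchange Monitor's exact rule).

```python
from datetime import datetime

# Constructed IIS log excerpt in W3C Extended format; not a real Exchange log.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-05-01 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip sc-status
2024-05-01 08:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync CORP\\alice 10.0.1.25 200
2024-05-01 08:00:02 10.0.0.5 GET /owa/ - 10.0.1.26 401
2024-05-01 08:00:03 10.0.0.5 POST /mapi/emsmdb/ CORP\\bob 10.0.1.26 200
2024-05-01 08:00:04 10.0.0.5 GET /owa/ CORP\\carol 10.0.1.27 500
"""


def parse_w3c_log(text):
    """Yield one dict per data line, using the column names from #Fields.
    Directive lines start with '#'; a data line seen before any #Fields
    directive is an error because its columns cannot be named."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


class ExchangeMonitor:
    """Keeps the list of currently active users (step 2), refreshed from the
    IIS log (step 3), and answers SSO Agent lookups by client IP (step 4)."""

    def __init__(self):
        self.active = {}  # c-ip -> (cs-username, last seen)

    def ingest(self, text):
        for row in parse_w3c_log(text):
            user = row.get("cs-username", "-")
            status = row.get("sc-status", "")
            # Assumption: anonymous ('-') or non-2xx requests are not logons.
            if user == "-" or not status.startswith("2"):
                continue
            seen = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            self.active[row["c-ip"]] = (user, seen)

    def lookup(self, ip):
        """Identity for the SSO Agent, or None so the Firebox does not
        authenticate the user."""
        entry = self.active.get(ip)
        return entry[0] if entry else None


if __name__ == "__main__":
    monitor = ExchangeMonitor()
    monitor.ingest(SAMPLE_IIS_LOG)
    for ip in ("10.0.1.25", "10.0.1.26", "10.0.1.27", "10.0.9.9"):
        print(ip, "->", monitor.lookup(ip))
```

Because the table is keyed by client IP, a device that reaches the Exchange Server through a NAT or proxy shares one entry with every other device behind it; that is the same one-user-per-IP limitation the page raises for shared computers.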

For more information about how to configure the SSO Agent to use the Event Log Monitor and the Exchange Monitor, go to Configure the Active Directory SSO Agent.

This diagram shows how the Exchange Monitor works.

Diagram of the Exchange Monitor clientless SSO process

Active Directory (AD) Mode

For the most reliable SSO deployment, you must install the SSO Client, Event Log Monitor, or Exchange Monitor. If none of these components is installed and configured correctly, the SSO Agent must use Active Directory (AD) Mode for SSO. AD Mode is disabled by default in v12.7.2 or higher of the SSO Agent.

In AD Mode, to get the user credentials, the SSO Agent makes a NetWkstaUserEnum call to the client computer over TCP port 445. The SSO Agent then uses the information it gets to authenticate the user for SSO. The SSO Agent uses only the first answer it gets from the computer. It sends a notification about that user to the Firebox as the user that is logged on. The Firebox verifies the user information against all the defined policies for that user and user group at one time. The SSO Agent caches this data for 10 minutes by default so that a query does not have to be generated for every connection. You can configure the cache value on the Firebox.

AD mode is not intended as the primary SSO method. It has access control limitations that can result in failed SSO attempts and security risks. For example, suppose you configure SSO without the SSO Client, Event Log Monitor, or Exchange Monitor, and a client computer runs a service (such as a centrally administered antivirus client) that logs on with domain account credentials. The Firebox then gives all users of that computer the same access rights as the first user that is logged on (and the groups of which that user is a member), not the correct credentials of each individual user that logs on. Also, all log messages generated from user activity show the user name of the service account, and not the individual user.
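The two properties that make AD Mode risky, using only the first answer from the workstation and caching it for 10 minutes, are easy to see in a model. This is an added example, not WatchGuard's code: `enumerate_users` is a constructed stand-in for the NetWkstaUserEnum call over TCP 445, and the workstation answers are made up.

```python
class AdModeAgent:
    """Model of the SSO Agent in AD Mode: first enumerated logon wins and is
    cached for 10 minutes (the default stated on the page)."""

    CACHE_SECONDS = 600

    def __init__(self, enumerate_users):
        # enumerate_users(ip) stands in for NetWkstaUserEnum and returns the
        # logon names the workstation reports, in the order it reports them.
        self.enumerate_users = enumerate_users
        self.cache = {}  # ip -> (user, time cached)

    def resolve(self, ip, now):
        """Identity the Firebox is told for this IP at time `now` (seconds)."""
        cached = self.cache.get(ip)
        if cached and now - cached[1] < self.CACHE_SECONDS:
            return cached[0]          # no new query for every connection
        answers = self.enumerate_users(ip)
        if not answers:
            return None
        user = answers[0]             # only the first answer is used
        self.cache[ip] = (user, now)
        return user


if __name__ == "__main__":
    # Constructed workstation: a service account logged on before the user.
    workstation = {"10.0.1.25": ["CORP\\svc_av", "CORP\\alice"]}
    agent = AdModeAgent(lambda ip: workstation.get(ip, []))
    print(agent.resolve("10.0.1.25", 0))     # alice's traffic is attributed to svc_av
    workstation["10.0.1.25"] = ["CORP\\bob"]  # alice logs off, bob logs on
    print(agent.resolve("10.0.1.25", 300))   # still svc_av: cache has not expired
```

Both prints show the service account rather than the person at the keyboard, which is exactly the mis-attribution of access rights and log messages the page warns about; shortening the cache on the Firebox narrows the second window but does nothing about the first.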

To learn how to enable AD Mode for SSO, go to Enable Active Directory Mode.

If you do not install the SSO Client, the Event Log Monitor, or the Exchange Monitor, we recommend you do not use SSO for environments where users log on to computers with service or batch logons. When more than one user is associated with an IP address, network permissions might not operate correctly. This can be a security risk.

Before You Begin

To plan a successful SSO deployment, consider the benefits and limitations of each SSO component, operating system compatibility, and your network architecture.

For information about operating system compatibility, and to compare SSO components, go to Choose Your SSO Components.

For example network configurations, go to Example Network Configurations for SSO.

Verify Network Requirements

Before you configure SSO for your network, verify that your network configuration supports all the necessary requirements.

Active Directory

  • You must have an Active Directory server configured on your local network.
  • Your Firebox must be configured to use Active Directory authentication.
  • Each user must have a user account on the Active Directory server.
  • Each user must log in with a domain user account for SSO to operate correctly. If users log in with an account that exists only on their local computers, their credentials are not verified and the Firebox does not recognize that they are logged in.
  • The SSO Agent and the Event Log Monitor must run as a user account in the Domain Users security group.
    Tip: The Domain Users account you select must have privileges to run services on the Active Directory server, to search the directory, and to search all other user audit information. To configure the correct permissions and settings, see Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor. We recommend that you do not select an account in the Domain Admins security group.
  • All computers from which users authenticate with SSO must be members of the Active Directory domain with unbroken trust relationships.

    To use Active Directory SSO with computers joined to your domain with Azure Active Directory, you must install v12.10.1 or higher of the WatchGuard Single Sign-On (SSO) Agent. This version of the agent supports hybrid environments, where a local Active Directory domain controller is used for authentication by the Firebox, and the computers are added to this domain with Azure AD.

  • macOS computers must join the Active Directory domain before the SSO Client can be installed.
  • The Exchange Monitor must run as a user account in the Domain Admins security group.

Ports

  • TCP port 445 (port for SMB) must be open on the client computers.
  • TCP port 4116 must be open on the client computers where you install the SSO Client.
  • TCP port 4114 must be open on the server where you install the SSO Agent.
  • TCP port 4135 must be open on the server where you install the Event Log Monitor.
  • TCP port 4136 must be open on the server where you install the Exchange Monitor.

To test whether these ports are open, you can use the SSO Port Tester tool. For more information, see Troubleshoot SSO.

Event Logs

  • For the Event Log Monitor to operate correctly, you must enable audit logging on all Windows domain computers for the 4624 and 4634 logon and account logon events.
  • If your Windows network is configured for Fast User Switching, you must:
    • Enable audit logging on all Windows domain computers for events 4647, 4778, and 4779.
      This enables Event Log Monitor to operate correctly.
    • Install Event Log Monitor v11.10 or higher.
      The WatchGuard Authentication Gateway installer includes the option to install Event Log Monitor.
  • For Remote Desktop Protocol (RDP) users to use clientless SSO:
    • Event Log Monitor v11.10 or higher must be installed.
    • Microsoft events 4624 and 4634 must be generated on the client computers and contain Logon Type attributes. These attributes specify whether a logon or logoff event occurred on the local network or through RDP. Attributes 2 and 11 specify local logon and logoff events, and attribute 10 specifies an RDP logon or logoff event.

Microsoft .NET Requirements

  • For v12.3 or higher of the SSO Agent, Microsoft .NET Framework v4.0 or higher must be installed on the server where you install the SSO Agent.
  • For SSO Agent versions lower than v12.3, Microsoft .NET Framework v2.0–4.5 must be installed on the server where you install the SSO Agent.
  • For Microsoft Exchange Server 2010 and earlier, Microsoft .NET Framework v2.0 or higher must be installed on the server where you install the Exchange Monitor.
  • For Windows Server 2012 and higher, and Microsoft Exchange Server 2013 and higher, Microsoft .NET Framework 3.5 or higher must be installed on the server where you install the Exchange Monitor.

Set Up SSO

To set up SSO:

  1. Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor (Event Log Monitor is optional)
  2. Install the WatchGuard Active Directory SSO Client (Optional, but recommended)
  3. Install the WatchGuard Active Directory SSO Exchange Monitor (Optional)
  4. Enable Active Directory SSO on the Firebox

The versions of the SSO components in your SSO solution do not have to be the same, and they do not have to be the same as the version of Fireware on your Firebox. We recommend that you install the highest available version of the SSO Agent, even if your Firebox runs a lower version of Fireware.

Related Topics

About Active Directory Single Sign-On (SSO)

Choose Your Active Directory SSO Components

Example Network Configurations for Active Directory SSO

Quick Start — Set Up Active Directory Single Sign-On (SSO)

Install the WatchGuard Single Sign-On (SSO) Agent and Event Log Monitor

Install the WatchGuard Active Directory SSO Client

Install the WatchGuard Active Directory SSO Exchange Monitor

Enable Active Directory SSO on the Firebox

Set Global Firewall Authentication Values

Configure Active Directory Authentication

Troubleshoot Active Directory SSO