Active Directory is the Microsoft® Windows-based application of an LDAP directory structure. Active Directory lets you expand the concept of domain hierarchy used in DNS to an organizational level. It keeps information and settings for an organization in a central, easy-to-access database. You can use an Active Directory authentication server to enable your users to authenticate to your Firebox or XTM device with their current network credentials. For Active Directory authentication to work correctly, you must configure both your Firebox or XTM device and the Active Directory server.
When you configure Active Directory authentication, you can specify one or more Active Directory domains that your users can select when they authenticate. For each domain, you can add up to two Active Directory servers: one primary server and one backup server. If the first server you add fails, the second server is used to complete authentication requests. When you add an Active Directory server, you can select whether to specify the IP address or the DNS name of each server.
If you configure more than one Active Directory domain and you use Single Sign-On (SSO) to enable your users to select from the available Active Directory domains and authenticate, your users must install the SSO Client, or you must use the Event Log Monitor or Exchange Monitor. For more information, see About Single Sign-On (SSO) and Install the WatchGuard Single Sign-On (SSO) Client.
If your users authenticate with the Active Directory authentication method, their distinguished names (DN) and passwords are not encrypted. To use Active Directory authentication and encrypt user credentials, you can select the LDAPS (LDAP over SSL) option. When you use LDAPS, the traffic between the LDAPS client on your Firebox or XTM device and your Active Directory server is secured by an SSL tunnel. When you enable this option, you can also choose whether to enable the LDAPS client to validate the Active Directory server certificate. If you choose to use LDAPS and you specify the DNS name of your server, make sure the search base you specify includes the DNS name of your server.
The Active Directory server can be located on any Firebox or XTM device interface. You can also configure your device to use an Active Directory server available through a VPN tunnel.
PhoneFactor authentication is a multiple-factor authentication system that uses phone calls to determine the identity of users. Because it uses more than one out-of-band method (phone calls, text messages, and push notifications) and an OATH passcode, PhoneFactor provides flexible options for users and a single multiple-factor platform to manage.
If you use PhoneFactor authentication with your Active Directory server, you can configure the timeout value in the Active Directory authentication server settings to specify when out-of-band PhoneFactor authentication occurs. For PhoneFactor authentication, you must set the timeout value to more than 10 seconds.
Before you begin, make sure your users can successfully authenticate to your Active Directory server. You can add, edit, or delete the Active Directory domains and servers defined in your Firebox or XTM device configuration.
If your Active Directory server is a global catalog server, it can be useful to change the default port. For more information, see Change the Default Port for the Active Directory Server.
For more information, see Use a Backup Authentication Server.
The standard format for the search base setting is: ou=<name of organizational unit>,dc=<first part of the distinguished server name>,dc=<any part of the distinguished server name that appears after the dot>.
To limit the directories on the authentication server where the device can search for an authentication match, you can set a search base. We recommend that you set the search base to the root of the domain. This enables you to find all users and all security groups to which those users belong.
For more information, see Find Your Active Directory Search Base.
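The search base format above, and the LDAPS caveat that the search base must include the DNS name of the server, can both be checked mechanically. The following is an added example, not WatchGuard code or part of this documentation: it derives a search base from a DNS domain name (the root of the domain when no OU is given, as recommended) and checks that the dc= components of a search base match the DNS domain of the server you configured. The domain and host names are constructed placeholders, and the "suffix match" reading of the LDAPS caveat is an assumption.

```python
# Added example (not WatchGuard's code): build and sanity-check a Fireware
# Active Directory search base.  All names below are constructed placeholders.
from typing import List, Optional


def search_base_from_dns(domain: str, ou: Optional[str] = None) -> str:
    """Build a search base in the documented form:
    ou=<organizational unit>,dc=<first DNS label>,dc=<each remaining label>.
    Without an OU the result is the root of the domain, the recommended base."""
    labels = [p for p in domain.strip().rstrip(".").lower().split(".") if p]
    if not labels:
        raise ValueError("domain must contain at least one DNS label")
    rdns = ["dc=%s" % label for label in labels]
    if ou:
        rdns.insert(0, "ou=%s" % ou)
    return ",".join(rdns)


def dc_components(dn: str) -> List[str]:
    """Return the dc= values of a DN in order, lower-cased, ignoring
    ou=/cn= components such as those in cn=Administrator,cn=Users,dc=...,dc=...."""
    out = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "dc":
            out.append(value.strip().lower())
    return out


def search_base_covers_server(search_base: str, server_fqdn: str) -> bool:
    """LDAPS caveat check (assumed reading): the dc= components of the search
    base must be the trailing DNS labels of the server name, so that
    dc=example,dc=com covers dc01.example.com but not dc01.example.org.
    A server name equal to the domain itself is accepted, because an AD
    domain name resolves to its domain controllers."""
    dcs = dc_components(search_base)
    labels = [p for p in server_fqdn.strip().rstrip(".").lower().split(".") if p]
    if not dcs or len(labels) < len(dcs):
        return False
    return labels[-len(dcs):] == dcs


if __name__ == "__main__":
    base = search_base_from_dns("example.com")           # dc=example,dc=com
    print(base, search_base_from_dns("corp.example.com", ou="Sales"))
    for host in ("dc01.example.com", "dc01.example.org"):
        print(host, "covered" if search_base_covers_server(base, host) else "NOT covered")
```

Run it before committing a DNS-named LDAPS server: a server that the check reports as NOT covered is exactly the mismatch the caveat above warns about.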
If you keep the login attribute of sAMAccountName, you do not have to type anything in this text box.
If you change the login attribute, you must add a value in the DN of Searching User text box. You can use any user DN with the privilege to search LDAP/Active Directory, such as an administrator. However, a less privileged user DN that has only the privilege to search is usually sufficient, and is the better choice.
For example, cn=Administrator,cn=Users,dc=example,dc=com.
The login attribute is the name used for the bind to the Active Directory database. The default login attribute is sAMAccountName. If you use sAMAccountName, you do not have to specify a value for the DN of Searching User and Password of Searching User settings.
After an authentication server has not responded for a period of time, it is marked as inactive. Subsequent authentication attempts do not try this server until it is marked as active again.
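The primary/backup ordering and the "inactive" hold-down described above are easy to misread when troubleshooting, because a recovered primary is not retried until its inactive period has elapsed. The following is an added model of that behaviour, written for this page and not taken from Fireware; the server names, the 60-second hold-down and the scripted outages are constructed assumptions.

```python
# Added example (not Fireware code): a model of primary/backup server selection
# with the "mark inactive, skip until active again" behaviour from the text.
import time
from typing import Callable, List, Optional, Tuple


class AuthServer:
    def __init__(self, name: str):
        self.name = name
        self.inactive_until = 0.0  # clock value until which the server is skipped

    def is_active(self, now: float) -> bool:
        return now >= self.inactive_until


class AuthServerPool:
    """One primary and at most one backup server for a domain.  A server that
    does not respond is marked inactive for `hold_down` seconds; subsequent
    requests skip it until that period has elapsed."""

    def __init__(self, servers: List[AuthServer], hold_down: float,
                 clock: Callable[[], float] = time.monotonic):
        if not 1 <= len(servers) <= 2:
            raise ValueError("a domain holds one primary and at most one backup server")
        self.servers = servers
        self.hold_down = hold_down
        self.clock = clock

    def authenticate(self, try_server: Callable[[AuthServer], Optional[bool]]
                     ) -> Tuple[Optional[str], bool]:
        """try_server returns True/False when the server answered the bind,
        or None when it did not respond.  Returns (name of the server that
        answered, credential accepted); (None, False) when no usable server
        responded."""
        now = self.clock()
        for server in self.servers:
            if not server.is_active(now):
                continue  # still in its inactive period: do not try it
            result = try_server(server)
            if result is None:
                server.inactive_until = now + self.hold_down
                continue  # fall through to the backup server
            return server.name, result
        return None, False


def scenario() -> List[Tuple[Optional[str], bool]]:
    """Constructed run: the primary is silent, the backup answers, the primary
    stays skipped while inactive even after it recovers, then is retried."""
    fake_clock = {"now": 0.0}
    pool = AuthServerPool([AuthServer("ad-primary"), AuthServer("ad-backup")],
                          hold_down=60.0, clock=lambda: fake_clock["now"])
    primary_down = {"value": True}

    def try_server(server: AuthServer) -> Optional[bool]:
        if server.name == "ad-primary" and primary_down["value"]:
            return None  # constructed outage: no response at all
        return True      # constructed: credentials accepted

    log = [pool.authenticate(try_server)]      # primary silent -> backup answers
    fake_clock["now"] = 30.0
    log.append(pool.authenticate(try_server))  # primary skipped, backup answers
    primary_down["value"] = False              # primary recovers...
    fake_clock["now"] = 45.0
    log.append(pool.authenticate(try_server))  # ...but is still inactive
    fake_clock["now"] = 61.0
    log.append(pool.authenticate(try_server))  # hold-down over: primary retried
    return log


if __name__ == "__main__":
    for step, (server, ok) in enumerate(scenario(), 1):
        print("request %d: answered by %s, accepted=%s" % (step, server, ok))
```

The point for troubleshooting is the third request: the backup still answers even though the primary is back, so a burst of authentications landing on the backup does not by itself mean the primary is still down.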
For more information about how to configure optional settings, see the subsequent section.
Fireware XTM can get additional information from the directory server (LDAP or Active Directory) when it reads the list of attributes in the server’s search response. This lets you use the directory server to assign extra parameters to the authenticated user sessions, such as timeouts and Mobile VPN with IPSec address assignments. Because the data comes from LDAP attributes associated with individual user objects, you are not limited to the global settings in
For more information, see Use Active Directory or LDAP Optional Settings.
To make sure that your Firebox or XTM device can connect to your Active Directory server and successfully authenticate your users, you can test the connection to your authentication server. You can also use this feature to determine if a specific user is authenticated and to get authentication group information for that user.
You can test the connection to your authentication server from the Authentication Servers page for your server, or you can navigate directly to the Server Connection page in Fireware XTM Web UI.
To navigate to the Server Connection page from the Authentication Servers page:
For instructions to navigate directly to the Server Connection page in Fireware XTM Web UI, see Server Connection.
When you edit an Active Directory domain, you cannot change the details of the Active Directory servers configured in the domain. Instead, you must add a new server. If there are two servers in the list, you must remove one of the servers before you can add a new one.