Configuring SPNEGO

A logical link needs to be created between Active Directory and the firewall in order for SSO (SPNEGO) to be used. This link is created in three steps:

  1. Creation of a specific user account in Active Directory.
  2. Creation of a logical link between this user account and the SSO service in Active Directory using a script (spnego.bat: available in the Mystormshield client area).
  3. Transferring a file produced from this association to the firewall via the administration interface in order to enable SPNEGO. Handle this file with care, as it contains a password (also called a “key”). Even though it is encrypted, it is still considered sensitive.

The configuration parameters of each component of the architecture need to be modified in order to set up SPNEGO features:

  • The domain controller,
  • The firewall,
  • Client workstations (especially the web browser).

An appliance that does not appear in the diagrams also plays an important role – the DNS server.
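The following PowerShell script is an added verification example; it is not Stormshield's spnego.bat and does not perform any of the three steps above. It checks, from a domain-joined Windows host, that the result of steps 1 and 2 and the DNS prerequisite just mentioned are consistent: the dedicated account exists and is enabled, the SSO service principal is registered on that account and on no other object, and the firewall's forward and reverse DNS records agree. The account name (svc-sso-firewall), the firewall FQDN (fw.corp.example) and the HTTP/<fqdn> form of the service principal name are assumptions, since the page does not state them; the HTTP/ form is the conventional one for SPNEGO over a web interface.

```powershell
# Added verification example (not Stormshield's spnego.bat). Checks the
# prerequisites for the AD <-> firewall SPNEGO link after it has been created.
# Assumptions (not from the page): account 'svc-sso-firewall', firewall FQDN
# 'fw.corp.example', SSO service registered as 'HTTP/<fqdn>'.
param(
    [string]$AccountName  = 'svc-sso-firewall',
    [string]$FirewallFqdn = 'fw.corp.example'
)

Import-Module ActiveDirectory

$expectedSpn = "HTTP/$FirewallFqdn"
$findings = @()

# Step 1 check: the dedicated account exists and is enabled.
$user = Get-ADUser -Filter "SamAccountName -eq '$AccountName'" `
                   -Properties ServicePrincipalNames, Enabled
if (-not $user) {
    $findings += "Account '$AccountName' not found in Active Directory."
} else {
    if (-not $user.Enabled) { $findings += "Account '$AccountName' is disabled." }

    # Step 2 check: the logical link is the service principal name on this
    # account. It must be present here and registered on no other object;
    # a duplicate SPN prevents the KDC from issuing tickets for the service.
    if ($user.ServicePrincipalNames -notcontains $expectedSpn) {
        $findings += "SPN '$expectedSpn' is not registered on '$AccountName'."
    }
    $holders = @(Get-ADObject -Filter "ServicePrincipalName -eq '$expectedSpn'")
    if ($holders.Count -gt 1) {
        $findings += "SPN '$expectedSpn' is registered on several objects: $($holders.DistinguishedName -join ', ')"
    }
}

# DNS check: browsers build the service principal from the name they resolve,
# so the firewall's A record and the matching PTR record must agree.
$forward = Resolve-DnsName -Name $FirewallFqdn -Type A -ErrorAction SilentlyContinue
if (-not $forward) {
    $findings += "No A record for '$FirewallFqdn'."
} else {
    foreach ($ip in ($forward | Where-Object { $_.Type -eq 'A' }).IPAddress) {
        $ptr = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
        if (-not $ptr -or ($ptr.NameHost -notcontains $FirewallFqdn)) {
            $findings += "Reverse lookup of $ip does not return '$FirewallFqdn'."
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "SPNEGO prerequisites are consistent for $AccountName / $expectedSpn."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it as a domain user with read access to Active Directory, before transferring the file in step 3 and again whenever SSO stops working after a change to the account, the firewall name or DNS. Each finding points at the component (domain controller or DNS server) whose configuration needs attention.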