Configuring the Active Directory domain controller

  1. On the server, check whether the binary files needed in the configuration of the domain controller are available:
    • reg.exe to handle the server's registry base,
    • setspn.exe to define the name of the service in the Active Directory,
    • ktpass.exe to retrieve the encryption key (keytab),
    • ldifde.exe to query the LDAP.

    Otherwise, retrieve them and save them in a shared folder which, if necessary, must be added to the PATH environment variable (e.g., C:\SPNEGO\).

  2. Retrieve the spnego.bat v1.7 script by logging in to your MyStormshield personal area (authentication required), under Downloads > Downloads > Stormshield Network Security > TOOLS. Save the script in the same folder as the one that contains the binary files in step 1.
  3. In the command prompt, go to the directory containing the spnego.bat script (the files generated by the script will be added to the current directory).
  4. Run the spnego.bat script using the command:

    spnego.bat <FW> <dns> <AD_Domain> <password> <file>

    <FW>        Represents the name of the firewall on which you are configuring SPNEGO. This name is identical to the entry made in the DNS server. We recommend that you enter this parameter in UPPERCASE.
    <dns>       Represents the DNS domain name (in the configuration of the DNS server, the DNS domain name will be stormshield.com). This parameter MUST be entered in LOWERCASE.
    <AD_Domain> Represents the Active Directory domain name handled by the domain controller. In most cases, this Active Directory domain name is the same as the DNS domain name. This parameter MUST be entered in UPPERCASE.
    <password>  Represents the password that you have chosen and which will be used for the <FW> user created and the SPNEGO service. This password MUST NOT exceed 14 characters.
    <file>      Represents the name of a file that you have chosen. This file contains an encryption key (the keytab) that needs to be installed during the configuration of the firewall.
  5. Save the information indicated once the spnego.bat script has finished running. This information can also be found in the log file stored in the same folder as the script.

    values to insert in the manager
    SPN=HTTP/<FW>.<dns>
    DOMAIN=<AD_Domain>
    FILE=<file>

    • SPN is the service principal name used in the SPNEGO configuration (e.g., HTTP/SN710A000099999999.stormshield.com).
    • DOMAIN represents the Microsoft Active Directory domain name in the SPNEGO configuration (e.g., STORMSHIELD.COM).
  6. Enable support for AES 256-bit encryption via Kerberos in the properties of the firewall account that was just created in Active Directory, in the Account tab, under Account options.
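The following PowerShell is an added illustration of what steps 1 and 4 to 6 amount to when done by hand on the domain controller; it is not the spnego.bat script (the page lists only the tools that script needs, not its contents). It checks that the four binaries are on the PATH, enforces the case and length constraints given for the script parameters, creates the firewall account, registers the SPN, generates the keytab with ktpass.exe and sets AES 256 on the account. Naming the account after <FW>, restricting the keytab's ACL, and the sample values are assumptions of this example.

```powershell
# Added example, not the spnego.bat script from the page. Run as a domain admin
# on the domain controller. Usage (constructed sample values):
#   .\Configure-Spnego.ps1 -FW SN710A000099999999 -Dns stormshield.com `
#       -ADDomain STORMSHIELD.COM -Password 'Sample-Pw1' -File fw.keytab
param(
    [Parameter(Mandatory)][string]$FW,        # firewall name, UPPERCASE, matches its DNS entry
    [Parameter(Mandatory)][string]$Dns,       # DNS domain, lowercase
    [Parameter(Mandatory)][string]$ADDomain,  # AD domain (Kerberos realm), UPPERCASE
    [Parameter(Mandatory)][string]$Password,  # 14 characters max
    [Parameter(Mandatory)][string]$File       # keytab file written in the current directory
)

# Step 1: the tools the procedure relies on must be reachable through PATH.
foreach ($tool in 'reg.exe', 'setspn.exe', 'ktpass.exe', 'ldifde.exe') {
    if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) {
        throw "Required tool $tool not found in PATH (copy it to e.g. C:\SPNEGO\ and add that folder to PATH)"
    }
}

# Step 4: enforce the constraints the parameter table states (-cne is case-sensitive).
if ($FW -cne $FW.ToUpperInvariant())             { throw '<FW> must be UPPERCASE' }
if ($Dns -cne $Dns.ToLowerInvariant())           { throw '<dns> must be lowercase' }
if ($ADDomain -cne $ADDomain.ToUpperInvariant()) { throw '<AD_Domain> must be UPPERCASE' }
if ($Password.Length -gt 14)                     { throw '<password> must not exceed 14 characters' }

# The firewall's host name must already resolve; Kerberos clients build the
# SPN from the DNS name they connect to.
$fqdn = "$FW.$Dns"
if (-not (Resolve-DnsName $fqdn -ErrorAction SilentlyContinue)) {
    Write-Warning "$fqdn does not resolve; the DNS entry must match <FW>.<dns>"
}

$spn       = "HTTP/$fqdn"          # SPN=HTTP/<FW>.<dns>
$principal = "$spn@$ADDomain"      # Kerberos principal name used in the keytab

# Assumption of this example: the service account is named after <FW>.
# -KerberosEncryptionType AES256 is the equivalent of step 6's Account options checkbox.
Import-Module ActiveDirectory
$secure = ConvertTo-SecureString $Password -AsPlainText -Force
New-ADUser -Name $FW -SamAccountName $FW -AccountPassword $secure `
    -Enabled $true -PasswordNeverExpires $true -KerberosEncryptionType AES256

# Register the SPN; -S refuses to add a duplicate SPN already held by another account.
setspn.exe -S $spn $FW

# Step 4/5: write the keytab. /pass resets the account password to the same value,
# so the key in the file and the key in AD stay in sync. AES256-SHA1 matches step 6.
ktpass.exe /princ $principal /mapuser "$ADDomain\$FW" /pass $Password `
    /out $File /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL

# The keytab is a long-lived credential for the firewall: keep it readable by
# administrators only until it has been imported and then delete the local copy.
icacls.exe $File /inheritance:r /grant:r 'Administrators:F'

# Step 5: the three values to carry over to the firewall configuration.
[pscustomobject]@{ SPN = $spn; DOMAIN = $ADDomain; FILE = $File }
```

A later check that the account ended up with the expected settings is `setspn.exe -L <FW>` for the SPN and `Get-ADUser <FW> -Properties msDS-SupportedEncryptionTypes` for the encryption types, where a value of 16 (0x10) means AES 256 only.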