Transparent authentication (SPNEGO)

The SPNEGO method enables Single Sign-On (SSO) for web authentication against an external Kerberos authentication server: a user who has logged on to their domain through Kerberos is authenticated automatically on a Stormshield Network firewall when they browse the internet through it with a web browser (Microsoft Edge, Mozilla Firefox), provided the filter policy on the firewall requires authentication.

To implement this method, first run the keytab generation script spnego.bat on the domain controller. The script is available from the MyStormshield personal area (authentication required), under Downloads > Downloads > Stormshield Network Security > TOOLS.

REMARK
The parameters requested when the script runs are case-sensitive and must be entered exactly, because they cannot be modified afterwards. If a mistake is made, a backup of the domain controller has to be restored before the installation can continue.

For firewalls that are not configured in high availability, it is advisable to identify the firewall by its serial number rather than by its name (the name is the one given in the Stormshield Network script supplied with the hardware). The Service name is then the serial number preceded by “HTTP/”, for example HTTP/U70XXAZ0000000.

For firewalls in high availability, both appliances must share the same identifier, so use the name (CN) of the authentication portal’s certificate, as entered in the Captive portal tab of the Authentication module.

SPNEGO is configured on the firewall with the three fields described below:

Service name: the name of the Kerberos service (the service principal) used by the firewall, as returned by the spnego.bat script. It is compared case-sensitively with the principal stored in the keytab.

Domain name: the Kerberos realm, which is the full name of the Active Directory domain. It has to be entered in uppercase, as Kerberos realms are.

KEYTAB: the shared secret generated by the spnego.bat script on Active Directory. It must be supplied to the firewall so that it can decrypt and validate the Kerberos service tickets that browsers present for the Service name above.
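Because the service name and realm cannot be corrected once the script has run, it is worth checking the generated keytab against the values you intend to enter in the Service name and Domain name fields before uploading it. The following is an added example, not Stormshield’s own tooling: it assumes spnego.bat writes a standard MIT-format keytab (magic bytes 0x0502). The serial number U70XXAZ0000000 from the text, the realm EXAMPLE.LOCAL and the all-zero key bytes are constructed sample values; the functions build_entry, build_keytab, parse_keytab and check_keytab are this example’s own.

```python
"""Sanity-check a Kerberos keytab against the SPNEGO fields before uploading it.

Added example, not Stormshield's own tooling. It assumes spnego.bat produces a
standard MIT-format keytab (magic 0x0502); the serial number U70XXAZ0000000,
the realm EXAMPLE.LOCAL and the all-zero key bytes are constructed samples.
"""
import struct

ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18   # RFC 3962
ENCTYPE_RC4_HMAC = 23                  # RFC 4757, legacy
KRB5_NT_PRINCIPAL = 1
KEYTAB_MAGIC = b"\x05\x02"


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length prefix used for realm, components and key."""
    return struct.pack(">H", len(data)) + data


def build_entry(principal: str, realm: str, key: bytes, enctype: int,
                kvno: int, timestamp: int = 1700000000) -> bytes:
    """Serialise one keytab entry (version-2 layout, with the 32-bit kvno trailer)."""
    components = principal.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(*entries: bytes) -> bytes:
    """Concatenate entries behind the version-2 magic."""
    return KEYTAB_MAGIC + b"".join(entries)


def _read_counted(blob: bytes, pos: int):
    (length,) = struct.unpack(">H", blob[pos:pos + 2])
    return blob[pos + 2:pos + 2 + length], pos + 2 + length


def parse_keytab(blob: bytes) -> list:
    """Return the live entries as dicts; holes (negative size) are skipped."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab: magic %r" % blob[:2])
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size < 0:                       # deleted entry: skip its bytes
            pos += -size
            continue
        end = pos + size
        (n_comp,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(n_comp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp.decode())
        _name_type, _ts, vno8 = struct.unpack(">IIB", blob[pos:pos + 9])
        pos += 9
        (enctype,) = struct.unpack(">H", blob[pos:pos + 2])
        pos += 2
        key, pos = _read_counted(blob, pos)
        kvno = vno8
        if end - pos >= 4:                 # 32-bit kvno, if present and non-zero, wins
            (kvno32,) = struct.unpack(">I", blob[pos:pos + 4])
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm.decode(),
                        "enctype": enctype, "kvno": kvno, "key_len": len(key)})
    return entries


def check_keytab(blob: bytes, service_name: str, domain_name: str) -> list:
    """List every mismatch between the keytab and the Service name / Domain name fields."""
    problems = []
    if domain_name != domain_name.upper():
        problems.append("Domain name must be uppercase: %r" % domain_name)
    entries = parse_keytab(blob)
    if not entries:
        return problems + ["keytab has no live entries"]
    for e in entries:
        if e["principal"] != service_name:   # case-sensitive on purpose
            problems.append("principal %r != Service name %r" % (e["principal"], service_name))
        if e["realm"] != domain_name:
            problems.append("realm %r != Domain name %r" % (e["realm"], domain_name))
        if e["enctype"] == ENCTYPE_RC4_HMAC:
            problems.append("kvno %d uses RC4-HMAC (enctype 23); regenerate with AES" % e["kvno"])
    return problems


if __name__ == "__main__":
    kt = build_keytab(build_entry("HTTP/U70XXAZ0000000", "EXAMPLE.LOCAL",
                                  bytes(32), ENCTYPE_AES256_CTS_HMAC_SHA1_96, kvno=3))
    print(parse_keytab(kt))
    print(check_keytab(kt, "HTTP/U70XXAZ0000000", "EXAMPLE.LOCAL") or "keytab matches")
```

In practice you would read the file the script produced instead of calling build_keytab, and pass the exact strings you plan to type into the Service name and Domain name fields; an empty result means the principal, realm case and encryption type all line up, and any message is a reason to regenerate before the values become fixed on the domain controller.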