Description:

Some scenarios require the Unified Firewall to assign special permissions to certain users or user groups, for example to access a specific network. The Single Sign-On (SSO) feature allows users to use one set of credentials to log in to multiple applications (domain login and Unified Firewall login). The Active Directory server reports successful domain authentications to the Unified Firewall, whereupon the latter assigns the configured permissions to the users.     

This article describes how the Single Sign-On feature is implemented via a Unified Firewall using the group policies of an Active Directory server.

The screenshots of the Windows Server installation are only available in German.

In order for Single Sign-On to work, the option Allow login must be enabled in the network object that is used. As this option is enabled by default, usually no changes are necessary.

User groups must not be created in the Unified Firewall but have to be imported from the Active Directory instead. If a user group is created in the Unified Firewall and an AD user is assigned to it, the SSO client connection can be terminated and remain non-functional after a reconnect!


Requirements:

  • Unified Firewall with LCOS FX as of version 10.4
  • Previously configured and functional local network including Internet connection
  • Windows Server with configured and functional Active Directory 
  • The Single Sign-On client for user authentication via Single Sign-On (you need access to the Firewall License Portal in the LANcommunity portal first)


Scenario:

Users log in to the domain with their end devices. The appropriate permissions are automatically assigned by the Unified Firewall.


Procedure:

1) Configuration steps on the Windows Server:

This scenario was tested with a Windows Server 2019 system on a Windows Server 2016 domain functional level. The instructions refer to this version accordingly. 

1.1) Setting up a user for the Unified Firewall on the Windows Server:

1.1.1) On the Windows Server, open the menu Active Directory Users and Computers and go to the submenu <domain-name> → Users → New → User to create a new user.

1.1.2) Modify the following parameters and then click Next:

  • First name: Enter the name gpLogin.
  • Full name: Enter the name gpLogin.
  • User logon name: The user logon name must be specified in the format <full-name>/<firewall-hostname> (in this example gpLogin/rsuf). 
  • User logon name (pre-Windows 2000): Delete the firewall hostname so that only the full name is stored (in this example gpLogin).

Entries are case sensitive!      

If you have changed the hostname of the Unified Firewall in the menu Firewall → General Settings, this must be entered here accordingly.

1.1.3) Adjust the following parameters so that the user is permanently valid and then click Next:

  • Enter the password.
  • Uncheck the box User must change password at next logon.
  • Set a checkmark for Password never expires.

1.1.4) Click on Finish to close the wizard.


1.2) Associating the Service Principal Name to the Unified Firewall user:

The Service Principal Name (SPN) must be linked to the users for the Unified Firewall created in step 1.1.

On the Windows Server, open the command line or PowerShell with administrator rights and run the command setspn -A gpLogin/<firewall-hostname> gpLogin (in this example setspn -A gpLogin/rsuf gpLogin).
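The following PowerShell script is an added example, not part of the original article, that performs steps 1.1 and 1.2 in one go and verifies the result. It assumes the article's example values (domain ripshock.local, firewall hostname rsuf, user gpLogin) and the ActiveDirectory module on the Windows Server; the duplicate-SPN check before setspn -A is an addition, because a second object carrying the same SPN leaves the KDC unable to choose a key and silently breaks SSO.

```powershell
# Added example (not from the original article). Values are the article's
# example values; adapt $Domain and $FwHost to your environment.
Import-Module ActiveDirectory

$Domain   = 'ripshock.local'      # AD domain (article example)
$FwHost   = 'rsuf'                # hostname of the Unified Firewall (article example)
$UserName = 'gpLogin'             # account the firewall uses against the AD
$Spn      = "$UserName/$FwHost"   # gpLogin/rsuf - SPNs are case sensitive
$Password = Read-Host -AsSecureString "Password for $UserName"

# Step 1.1: create the account exactly as the ADUC wizard does. The
# "User logon name" becomes the UPN (gpLogin/rsuf@ripshock.local), the
# pre-Windows 2000 name is only gpLogin, and the account must neither
# expire nor force a password change at next logon.
New-ADUser -Name $UserName `
    -GivenName $UserName -DisplayName $UserName `
    -SamAccountName $UserName `
    -UserPrincipalName "$Spn@$Domain" `
    -AccountPassword $Password `
    -ChangePasswordAtLogon $false `
    -PasswordNeverExpires $true `
    -Enabled $true

# Step 1.2: register the SPN, but first make sure no other object already
# carries it (this check is an addition to the article's procedure).
$query = setspn -Q $Spn
if ($query | Select-String -Quiet -SimpleMatch 'Existing SPN found') {
    throw "SPN $Spn is already registered on another object; remove the duplicate first."
}
setspn -A $Spn $UserName

# Verification: the SPN must be listed on gpLogin, and the account flags
# set above must still be in place.
setspn -L $UserName
Get-ADUser -Identity $UserName -Properties servicePrincipalName, PasswordNeverExpires |
    Select-Object SamAccountName, UserPrincipalName, PasswordNeverExpires, servicePrincipalName
```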


1.3) Provide the “UAClientSSO” file on the domain’s SYSVOL shared folder:

The application UAClientSSO is required for users to log in to the Unified Firewall via Single Sign-On.

Make the file UAClientSSO available in your domain's shared folder. This is under the path \\<domain-name>\SYSVOL\<domain-name>\scripts (e.g. \\ripshock.local\SYSVOL\ripshock.local\scripts).


1.4) Create the group policy for Single Sign-On authentication:

1.4.1) Open the Group Policy Management, right-click on the domain and create a New Group Policy Object with a descriptive name (in this example SSO). 

1.4.2) Right-click the Group Policy Object created in step 1.4.1 and select Edit from the context menu.

1.4.3) Go to the menu User Configuration → Policies → Windows Settings → Scripts (Logon/Logoff) and double-click Logon.

1.4.4) Click Add.

1.4.5) Modify the following parameters:

  • Script name: Enter the full path to the UAClientSSO application that you provided in the domain shared folder in step 1.3. The path is specified in the format \\<domain-name>\SYSVOL\<domain-name>\scripts\UAClientSSO.exe (e.g. \\ripshock.local\SYSVOL\ripshock.local\scripts\UAClientSSO.exe).
  • Script parameters: Enter the firewall hostname followed by the IP address of the Unified Firewall, separated by a space. The input must be in the format <firewall-hostname> <IP-address of the firewall> (e.g. rsuf 192.168.10.1).

1.4.6) Go to the menu Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options → Network security: Configure encryption types allowed for Kerberos and enable the following encryption algorithms:

  • AES128_HMAC_SHA1
  • AES256_HMAC_SHA1
  • Future encryption types



2) Configuring the Single Sign-On feature on the Unified Firewall:

2.1) In your browser, open the configuration interface of the Unified Firewall and switch to the menu item User Authentication → Internal Portal → Settings.

2.2) Activate the login function via the slider button and click Save.

2.3) Go to the menu User Authentication → LDAP/AD.

2.4) From the drop-down menu for Server Type, select the option Microsoft Active Directory Server and adjust the following parameters:

  • Host: Enter the IP address of the Windows server with the Active Directory (in this example 192.168.10.2).
  • Port: Leave the port at the default value 389 or change it if you have changed it on the Windows Server.
  • User Name: Enter the user gpLogin as used by the Unified Firewall to log in to the Active Directory (see step 1.1.2).
  • Password: Enter the password that you set in step 1.1.3.
  • Domain Name: Enter the domain name of your Active Directory (in this example ripshock.local).

2.5) Click the button Test AD settings to ensure that the Active Directory login is working.

After testing successfully, click Save.

2.6) Open the menu LDAP/AD again and go to the Kerberos tab.

  • Set the checkmark Active to activate Kerberos.
  • Afterwards, click Create Kerberos Key and then Save.



3) Authenticating a device:

When a user logs in to the domain with their end device, the permissions are automatically assigned by the Unified Firewall and communication in the permitted networks is possible.
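If the permissions are not assigned, the following PowerShell check, an added example that is not part of the original article, run on the domain-joined client after logon, tests the pieces the logon script from step 1.4.5 depends on. It assumes the article's example values (domain ripshock.local, firewall rsuf at 192.168.10.1); the use of klist to request a ticket for the firewall's SPN is an addition to the article's procedure.

```powershell
# Added example (not from the original article): client-side checks after
# a domain logon. Values are the article's example values; adapt them.
$Domain = 'ripshock.local'   # AD domain (article example)
$FwHost = 'rsuf'             # firewall hostname passed to UAClientSSO (step 1.4.5)
$FwIp   = '192.168.10.1'     # firewall IP passed to UAClientSSO (step 1.4.5)
$Script = "\\$Domain\SYSVOL\$Domain\scripts\UAClientSSO.exe"

# Steps 1.3 / 1.4.5: the logon script path must be reachable from the client,
# otherwise the GPO logon script never runs.
if (Test-Path -LiteralPath $Script) {
    "OK: $Script is reachable"
} else {
    Write-Warning "UAClientSSO.exe not found at $Script"
}

# Steps 1.2 / 2.6: ask the KDC for a service ticket to the firewall's SPN.
# Success proves the SPN from step 1.2 is registered; the ticket's
# "KerbTicket Encryption Type" should be one of the AES types from step 1.4.6.
klist get "gpLogin/$FwHost"
klist | Select-String -Pattern 'Server:|KerbTicket Encryption Type'

# Step 1.4.5: UAClientSSO reports the logon to the firewall IP, so the
# firewall must be reachable from the client network.
if (Test-NetConnection -ComputerName $FwIp -InformationLevel Quiet) {
    "OK: firewall $FwIp is reachable"
} else {
    Write-Warning "Firewall $FwIp is not reachable from this client"
}
```

If klist reports that no ticket could be retrieved, revisit the SPN registration in step 1.2 and the Kerberos key in step 2.6 before looking at the firewall's permissions.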