Adding or Editing a Domain with Active Directory Authentication

To configure Windows Active Directory authentication

1. Click Add Domain or the Configure icon for the domain to edit. The Add Domain or Edit Domain window is displayed. If adding the domain, select Active Directory from the Authentication type drop-down menu. The Active Directory configuration fields are displayed.

   

2. If adding the domain, enter a descriptive name for the authentication domain in the Domain name field. This is the domain name users select to log in to the SMA appliance portal. It can be the same value as the Server address field or the Active Directory domain field, depending on your network configuration.
3. Enter the Active Directory domain name in the Active Directory domain field.
4. Enter the IP address or host and domain name of the Active Directory server in the Server address field.
5. Enter the IP address or host and domain name of the backup server in the Backup Server address field.
6. Enter the username for login in the Login username field.
7. Enter the password for login in the Login password field.
8. Optionally select Allow password changes. Enabling this feature allows a user to change their password through the Virtual Office portal by selecting Options on the top of the portal page. User must submit their old password, along with a new password and a re-verification of the newly selected password.
9. Optionally select Use SSL/TLS. This option allows for the needed SSL/TLS encryption to be used for Active Directory password exchanges. This check box should be enabled when setting up a domain using Active Directory authentication.

10. Optionally select Enable client certificate enforcement to require the use of client certificates for login. By checking this box, you require the client to present a client certificate for strong mutual authentication. Two additional fields appear:

    • Verify username matches Common Name (CN) of client certificate – Select this check box to require that the user’s account name match their client certificate.
    • Verify partial DN in subject – Use the following variables to configure a partial DN that matches the client certificate:
      • Username: %USERNAME%
      • Domain name: %USERDOMAIN%
      • Active Directory username: %ADUSERNAME%
      • Wildcard: %WILDCARD%
11. Select Delete external user accounts on logout to delete users who are not logged into a domain account after they log out.
12. Select Only allow users listed locally to allow only users with a local record in the Active Directory to login.

13. Select Auto-assign groups at login to assign users to a group when they log in.

    Users logging into Active Directory domains are automatically assigned in real time to Secure Mobile Access groups based on their external AD group memberships. If a user’s external group membership has changed, their Secure Mobile Access group membership automatically changes to match the external group membership.

14. Optionally, select One-time passwords to enable the One Time Password feature. A drop-down menu appears, in which you can select User discretion, Use E-mail, Use Mobile App. These are defined as:

    • User discretion – Users in this domain can edit one-time password settings from the Portals > Domains > Add Domain page.
    • Use Mobile App – Optionally select Use Mobile App to enable this one-time password method to force users to use a one-time password. Users can use Google Authenticator, Duo Mobile, or any other compliant two-factor authentication service.

15. If you selected if configured or required for all users in the One-time passwords drop-down menu, the Active Directory AD e-mail attribute drop-down menu appears, in which you can select mail, mobile, pager, userPrincipalName, or custom. These are defined as:

    • mail – If your AD server is configured to store email addresses using the “mail” attribute, select mail.
    • mobile or pager – If your AD server is configured to store mobile or pager numbers using either of these attributes, select mobile or pager, respectively. Raw numbers cannot be used, however, SMS addresses can.
    • userPrincipalName – If your AD server is configured to store email addresses using the “userPrincipalName” attribute, select userPrincipalName.
    • custom – If your AD server is configured to store email addresses using a custom attribute, select custom. If the specified attribute cannot be found for a user, the email address assigned in the individual user policy settings is used. If you select custom, the Custom attribute field appears. Type the custom attribute that your AD server uses to store email addresses. If the specified attribute cannot be found for a user, the email address is taken from their individual policy settings.

    If you select using domain name, an E-mail domain field appears following the drop-down menu. Type in the domain name where one-time password emails are sent (for example, abc.com).

16. Select the type of user from the User Type drop-down menu. All users logging in through this domain are treated as this user type. The choices depend on user types defined already. Some possible choices are:

    • External User – Users logging into this domain are treated as normal users without administrative privileges.

    • External Administrator – Users logging into this domain are treated as administrators, with local Secure Mobile Access admin credentials. These users are presented with the admin login page.

      This option allows the Secure Mobile Access administrator to configure a domain that allows Secure Mobile Access admin privileges to all users logging into that domain.

      SonicWall Inc. recommends adding filters that allow administrative access only to those users who are in the correct group. You can do so by editing the domain on the Users > Local Groups page.

    • Read-only Administrator – Users logging into this domain are treated as read-only administrators and can view all information and settings but cannot apply any changes to the configuration. These users are presented with the admin login page.
17. Click Accept to update the configuration. After the domain has been added, the domain is added to the table on the Portals > Domains page.