Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure MSAD Authentication


Microsoft Active Directory (MSAD) is a directory service that allows authentication and authorization of network users. On the Barracuda CloudGen Firewall you can configure MSAD as an external authentication scheme. MSAD is included with all Windows Server operating systems since Windows 2000 Server. For MSAD authentication, you can also configure the Barracuda DC Agent, which allows transparent authentication monitoring with the Barracuda CloudGen Firewall and Microsoft domain controllers. The MSAD authentication service can handle a maximum of 20 AD servers at a time.

Before You Begin 

If MSAD is running in native mode on a Windows 2003 Server domain, you must deactivate Kerberos pre-authentication for each user.  

To use services such as VPN, you might need to gather group information. The distinguished name (DN) containing the group information is needed for external authentication using MSAD and LDAP (see also How to Configure LDAP Authentication). To gather group information from MSAD:  

  1. Go to My Network Places > Search Active Directory.
  2. Select the domain to search.
  3. Enter the name of the user you are searching for and click Find Now.
  4. After you have found the user, add the X500 Distinguished Name column:
    • Select View > Choose columns.
    • Select X500 Distinguished Name.
    • Click Add.
    (Screenshots: add_col.png, col_inf.png)

The DN is displayed in the search results.

Configure MSAD Authentication

Configure the Barracuda CloudGen Firewall to allow authentication and authorization of domain users on a Microsoft Active Directory (MSAD) server. To reduce query load in large environments, you can also filter out unwanted group membership information by creating group filter patterns.

  1. Go to USERS > External Authentication.
  2. Click the Active Directory tab.
  3. In the Basic section, click Add.
  4. Enter the Domain Controller IP address.
  5. In the Searching User field, enter the MSAD Searching User in the user@domain format.

    Do not use the domain\user format.
  6. Enter the Searching User Password.
  7. Specify the Base DN where the lookup should be started, e.g., CN=trainee,OU=sales,DC=mycompany,DC=com

    Do not use spaces between the entries.
  8. Set Cache MSAD Groups to Yes to reduce network traffic and server load on the domain controller.
    (Screenshot: ad01_67.png)
  9. Select Use SSL if your Active Directory server is configured to use SSL.
  10. (Optional) Select Follow Referrals to use Active Directory's global catalog and follow the referrals. When a requested object exists in the directory but is not present on the contacted domain controller, the referral gives the client a location that holds the object or is more likely to hold the object. The referred-to domain controller may in turn refer the client to a further next hop. The maximum number of next hops is defined in Maximum Hops for Referrals.

  11. Click Save.
  12. (Optional) Add Group Filter Patterns to filter unwanted group information. Wildcards are allowed.
    Example: With the pattern *SSL* and the following group membership strings:
    User01 group membership string: CN=xyz,OU=sales,DC=mycompany,DC=com
    User02 group membership string: CN=SSL,DC=mycompany,DC=com
    only User02 matches.
  13. Click Save.
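The three inputs in the procedure above that most often cause a failed setup are the Searching User format (step 5), spaces in the Base DN (step 7) and the behaviour of Group Filter Patterns (step 12). The following Python script is an added example, not Barracuda's code, that models those checks offline: it accepts only the user@domain form, flags spaces between Base DN entries, splits a DN into its RDNs, and applies a wildcard pattern to the two membership strings from the page's own example. The function names and the sample membership table are constructed for illustration; the assumption that pattern matching is a case-sensitive shell-style glob over the whole DN string is an assumption, since the page only states that wildcards are allowed.

```python
import fnmatch
import re

# Added example (not Barracuda's code): models the input checks this page calls
# out for the MSAD service (Searching User in user@domain form, Base DN without
# spaces between entries) and the wildcard Group Filter Patterns.
# All function names and the sample data below are constructed for illustration.

# user@domain: no whitespace, no backslash, exactly one '@' separating two non-empty parts.
_USER_AT_DOMAIN = re.compile(r"^[^@\\\s]+@[^@\\\s]+$")


def check_searching_user(value: str) -> bool:
    """True only for the user@domain form; the domain\\user form is rejected."""
    return bool(_USER_AT_DOMAIN.match(value))


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, respecting backslash-escaped commas.

    Raises ValueError for an RDN that is not of the form attribute=value.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr, value))
    return pairs


def validate_base_dn(dn: str) -> list[str]:
    """Return a list of problems found in a Base DN; an empty list means it is acceptable."""
    problems = []
    # The page's rule: no spaces between the entries (i.e. around the commas).
    if re.search(r"\s,|,\s", dn):
        problems.append("space between entries")
    try:
        split_dn(dn)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def filter_groups(patterns: list[str], membership: dict[str, str]) -> dict[str, str]:
    """Keep only the users whose group membership string matches at least one pattern.

    Assumption: a pattern is a case-sensitive shell-style glob (* and ?) applied to
    the whole membership string, so *SSL* matches CN=SSL,DC=mycompany,DC=com but
    not CN=xyz,OU=sales,DC=mycompany,DC=com.
    """
    return {
        user: dn
        for user, dn in membership.items()
        if any(fnmatch.fnmatchcase(dn, pat) for pat in patterns)
    }


# Constructed sample data: the page's two membership strings plus one extra group.
SAMPLE_MEMBERSHIP = {
    "User01": "CN=xyz,OU=sales,DC=mycompany,DC=com",
    "User02": "CN=SSL,DC=mycompany,DC=com",
    "User03": "CN=VPN-Users,OU=sales,DC=mycompany,DC=com",
}

if __name__ == "__main__":
    print(check_searching_user("searchuser@mycompany.com"))            # True
    print(check_searching_user("mycompany\\searchuser"))               # False
    print(validate_base_dn("CN=trainee,OU=sales,DC=mycompany,DC=com"))   # []
    print(validate_base_dn("CN=trainee, OU=sales,DC=mycompany,DC=com"))  # ['space between entries']
    print(sorted(filter_groups(["*SSL*"], SAMPLE_MEMBERSHIP)))           # ['User02']
```

Running the script with a candidate Searching User, Base DN and filter pattern before entering them on the Active Directory tab catches the two formatting mistakes the Troubleshooting section lists, and shows which users a filter pattern would keep before it is applied to a production directory.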

The configuration is now added to the Existing Authentication Services table, and you can use the MSAD authentication service on the CloudGen Firewall.

(Screenshot: ad02_67.png)

Troubleshooting

To test whether the connection is working, log in as the user from another network host. When a user to whom the authentication scheme applies logs into the network, a log entry is created showing the login details, such as source address, success or failure, and time. To access authentication logs, go to the LOGS page.

If the connection cannot be established:

  • Make sure that you have entered the MSAD-searching user in the Searching User field in the correct format: user@domain. Do not use the domain\user format.
  • Verify that the entry for the Base DN where the lookup should be started does not contain spaces. 
  • Check the Logs > Auth page for error messages when connecting to your Active Directory server.

MSAD Authentication against Azure AD

MSAD authentication against an Azure AD is possible when the Azure AD is configured to use secure LDAP. Use the Active Directory Searching User and Base DN as supplied by Microsoft.