Microsoft Active Directory (MSAD) is a directory service that allows authentication and authorization of network users. On the Barracuda CloudGen Firewall you can configure MSAD as an external authentication scheme. MSAD is included with all Windows Server operating systems since Windows 2000 Server. For MSAD authentication, you can also configure the Barracuda DC Agent, which allows transparent authentication monitoring with the Barracuda CloudGen Firewall and Microsoft® domain controllers.
Before You Begin
If MSAD is running in native mode on a Windows 2003 Server domain, you must deactivate Kerberos pre-authentication for each user.
To use services such as VPN, you might need to gather group information. The distinguished name (DN) containing the group information is needed for external authentication using MSAD and LDAP (see also How to Configure LDAP Authentication). To gather group information from MSAD:
- Go to My Network Places > Search Active Directory.
- Select the searching domain.
- Enter the name of the user you are searching for and click Find Now.
- After you have found the user, add the X500 Distinguished Name column.
- Select View > Choose columns.
- Select X500 Distinguished Name.
- Click Add.
The DN is displayed in the search results.
Configure MSAD Authentication
Configure the Barracuda CloudGen Firewall to allow authentication and authorization of domain users on a Microsoft Active Directory (MSAD) server. To reduce load querying for large environments, you can also filter unwanted group membership information by creating group filter patterns.
- Go to USERS > External Authentication.
- Click the Active Directory tab.
- In the Basic section, click Add.
- Enter the Domain Controller IP address.
In the Searching User field, enter the MSAD Searching User in the
- Enter the Searching User Password.
Specify the Base DN where the lookup should be started. E.g.,
Set Cache MSAD Groups to Yes to reduce network traffic and server load on the domain controller.
- Select Use SSL if your Active Directory server is configured to use SSL.
(Optional) Select Follow Referrals to use Active Directory's global catalog and follow the referrals. When a requested object exists in the directory but is not present on the contacted domain controller, the referral gives the client a location that holds the object or is more likely to hold the object. It is also possible for the referred-to domain controller to refer to a next hop location. The number of next hops is defined in Maximum Hops for Referrals.
- Click Save.
- (Optional) Add Group Filter Patterns to filter unwanted group information. Wlldcards are allowed.
Example: When using pattern: *SSL*, and the following group membership strings are used:
User01 group membership string:
User02 group membership string:
Only User02 will match.
- Click Save.
The configuration is now added to the Existing Authentication Services table and you can use the MSAD authentication service on the CloudGen Firewall.
To test, if the connection is working, try to login as the user from another network host. When a user, for whom the authentication scheme applies, logs into the network, a log entry is created showing the login details such as source address, success or failure, time, etc. To access authentication logs, go to the LOGS page.
If the connection cannot be established:
- Make sure that you have entered the MSAD searching user in the Searching User field in the correct format:
user@domain. Do not use the
- Verify that the entry for the Base DN where the lookup should be started does not contain spaces.
- Check the Logs > Auth page for error messages when connecting to your Active Directory server.
MSAD Authentication against Azure AD
MSAD authentication against an Azure AD is possible, when the Azure AD is configured to use secure LDAP. Use the Active Directory Searching User and Base DN as supplied by Microsoft.
For more information, see the Microsoft article Azure AD - Configure Secure LDAP.