Adding an Active Directory

Prerequisites

  • In your Smoothwall Filter and Firewall, create your local authentication groups; see our help topic, Adding user groups.
  • Check that the primary DNS server (and optionally the secondary DNS server) that holds the Active Directory information is specified correctly. The Smoothwall uses this DNS server for name lookups.
  • You need the DNS name of the Active Directory domain (mydomain.local), not the NetBIOS name (mydomain).
  • In Active Directory, choose or configure a non-privileged user account to use for connecting to the domain. The Smoothwall Filter and Firewall stores this account's credentials, for example when backing up and replicating settings.
    • Do NOT use the administrator user, because that account often doesn't have a Windows 2000-style username.
    • The account that you use needs permission to modify the Computers container, including the ability to create keytab files across the domain or forest. To delegate these permissions to a non-privileged user account, choose Delegate Control on the Computers container, create a custom task to delegate and, for Computer objects, grant the Full Control, Create and Delete permissions.
  • Make sure that the time set on the Smoothwall Filter and Firewall and on your Active Directory server is synchronized using NTP. The time difference between the systems must be less than five minutes; see our help topic, Setting the system's time and providing a time service.
  • Check that all Active Directory servers have a reverse lookup PTR record in the Active Directory DNS server.
  • Configure the Smoothwall with a host and domain name in Active Directory and add the host name and IP address to forward and reverse lookup zones.
  • The preferred format for normalized usernames is DOMAIN\user.
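The DNS-name, PTR-record and clock-skew prerequisites above can be checked from any host that resolves names through the Active Directory DNS server before you start the procedure. The preflight script below is an added example, not Smoothwall's own tooling; it assumes dig and ntpdate are installed, that domain controllers are published under the _ldap._tcp.dc._msdcs SRV record, and that ntpdate -q prints the offset in the form noted in the comments.

```shell
#!/bin/sh
# Constructed preflight check for the prerequisites listed above (example code,
# not part of Smoothwall). Assumes dig (bind-utils) and ntpdate are installed.

MAX_SKEW=300   # Kerberos rejects tickets once clocks differ by 5 minutes or more

# The DNS domain name (mydomain.local) is required, not the NetBIOS name (mydomain).
is_dns_domain() {
    case "$1" in
        *?.?*) return 0 ;;
        *)     return 1 ;;
    esac
}

# $1 = clock offset in seconds (sign and fraction allowed); succeeds when under MAX_SKEW.
skew_ok() {
    awk -v off="$1" -v max="$MAX_SKEW" 'BEGIN { if (off < 0) off = -off; exit !(off < max) }'
}

# Domain controllers are published under the _ldap._tcp.dc._msdcs SRV record.
dc_hosts() {
    dig +short SRV "_ldap._tcp.dc._msdcs.$1" | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# A DC passes when its A record reverse-resolves (PTR) to the same host name.
ptr_matches() {
    ip=$(dig +short A "$1" | head -n 1)
    [ -n "$ip" ] || return 1
    [ "$(dig +short -x "$ip" | sed 's/\.$//')" = "$1" ]
}

# Clock offset against one DC. Assumes ntpdate -q prints a line
# "server <ip>, stratum N, offset <secs>, delay <secs>" (assumption, not verified here).
dc_offset() {
    ntpdate -q "$1" 2>/dev/null |
        awk '$1 == "server" { for (i = 1; i <= NF; i++) if ($i == "offset") { gsub(/[+,]/, "", $(i+1)); print $(i+1); exit } }'
}

preflight() {
    domain=$1; rc=0
    is_dns_domain "$domain" || { echo "FAIL: '$domain' is not a DNS domain name"; return 1; }
    for dc in $(dc_hosts "$domain"); do
        ptr_matches "$dc" && echo "ok   PTR   $dc" || { echo "FAIL PTR   $dc"; rc=1; }
        off=$(dc_offset "$dc")
        skew_ok "${off:-$MAX_SKEW}" && echo "ok   skew  $dc ${off}s" || { echo "FAIL skew  $dc ${off:-unknown}"; rc=1; }
    done
    return $rc
}

# Usage: AD_DOMAIN=mydomain.local sh preflight.sh
if [ -n "${AD_DOMAIN:-}" ]; then preflight "$AD_DOMAIN"; fi
```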

Procedure

  1. On the SERVICES menu, under the Authentication submenu, click Directories.
  2. Click Add new directory and from the Tenants list, select the tenants to use this directory service.
  3. From the Type list, select the "Active Directory" option and enter the full DNS Domain name. Other trusted domains are allowed access automatically.
  4. Enter the Username and Password of the user account and re-enter the password to Confirm it.
  5. To change caching behavior, click Advanced options »:
    1. Accept the default of 10 minutes for the Cache timeout (minutes) or specify the length of time the Smoothwall keeps a record of directory-authenticated users in its cache.
    2. To permanently cache group membership information from Kerberos tickets, select the Cache Kerberos PAC groups option.
  6. Enter a descriptive Comment and click Add.

Follow-up task