You can use Kerberos Authentication Scripts to authenticate Windows and macOS users who are members of an Active Directory domain.
When a user signs in, the scripts tell Smoothwall that the web proxy doesn’t need to ask the user for their identity. The sign-in refreshes automatically every two minutes.
Important
- These scripts don’t include error handling, so any errors are ignored.
- These scripts can’t be used for parent and child Appliances in a cluster - contact Smoothwall Support.
- These scripts don’t support Fast User Switching - contact Smoothwall Support.
Before you begin
- You must have a Web proxy authentication policy to map IP addresses to users. You can use Core authentication, or any Authentication method with ‘redirect’ in the name.
- You must have a Smoothwall access rule to allow access for the Kerberos Login (814) service.
- Your On-Premise Appliance’s hostname must be a Fully Qualified Domain Name (FQDN).
- Adjust any logon script delay on devices to no more than ten seconds, to prevent unauthenticated browsing.
- Devices must not be multi-homed or dual-stacked.
Windows devices
- Go to software.smoothwall.com.
- Under On-Premise Appliance Kerberos Authentication Scripts select Windows Scripts.
- Edit the scripts to suit your organisational needs, such as replacing fields with network-appropriate hostnames and domain names.
- Use Group Policy Object (GPO) Manager to set background_logon.vbs as a logon script.
- Use GPO Manager to install the background_logon and logon_loop scripts into the domain's NETLOGON share, ensuring they are always available to all domain controllers.
- Sign in to On-Premise Appliance and ensure you are authenticated on the User Activity page.
macOS devices
- Go to software.smoothwall.com.
- Under On-Premise Appliance Kerberos Authentication Scripts select macOS Scripts.
- Edit the two values in the ProgramArguments section of the com.smoothwall.kerberoslogin.plist file to suit your organisation’s needs:
  - Replace <string>/path/to/mac-client</string> with the path to the mac-client file: <string>/usr/local/bin/mac-client</string>.
  - Replace <string>http://smoothwall:814/</string> with the IP address of your Smoothwall On-Premise Appliance.
- Use your Mobile Device Management (MDM) system to install the mac-client script to /usr/local/bin on the client device.
- Use your MDM to install the kerberoslogin script to /Library/LaunchAgents on the client device.
Tip
You can rename the com.smoothwall.kerberoslogin.plist script, for example to com.mydomain.kerberosscript.plist. If you change the name, update the mac-client script to reference the new name.
- Set the permissions for the scripts by logging into the terminal and running the following commands:
  - sudo chown root:wheel /Library/LaunchAgents/com.smoothwall.kerberoslogin.plist
  - sudo chmod 644 /Library/LaunchAgents/com.smoothwall.kerberoslogin.plist
  - sudo chown root:wheel /Library/mac-client
  - sudo chmod 755 /Library/mac-client
- Reboot the macOS device and sign in as an Active Directory user.
- Sign in to On-Premise Appliance and ensure you are authenticated on the User Activity page.
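A pre-deployment check for the plist edits above, before the file is pushed out by MDM. This is an added example, not Smoothwall's own code: it assumes the LaunchAgent plist uses the standard launchd keys Label and ProgramArguments, with the mac-client path as the first argument and the appliance URL as the second, and the sample plists embedded below are constructed for the example.

```python
"""Check that com.smoothwall.kerberoslogin.plist has been edited as described above.
Added example (not Smoothwall's code); assumes ProgramArguments holds the
mac-client path first and the appliance URL second."""
import plistlib
from urllib.parse import urlsplit

# Placeholder values shipped in the template, per the steps above.
PLACEHOLDER_CLIENT = "/path/to/mac-client"
PLACEHOLDER_URL = "http://smoothwall:814/"
KERBEROS_LOGIN_PORT = 814  # the Kerberos Login (814) service on the appliance


def check_kerberos_plist(plist_bytes: bytes) -> list[str]:
    """Return a list of problems; an empty list means the plist is ready to deploy."""
    problems = []
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed XML or not a plist at all
        return [f"plist does not parse: {exc}"]
    args = plist.get("ProgramArguments")
    if not isinstance(args, list) or len(args) < 2:
        return ["ProgramArguments must list the mac-client path and the appliance URL"]
    client, url = args[0], args[1]
    if client == PLACEHOLDER_CLIENT:
        problems.append("mac-client path still set to the template placeholder")
    elif not client.startswith("/"):
        problems.append(f"mac-client path is not absolute: {client}")
    if url == PLACEHOLDER_URL:
        problems.append("appliance URL still set to the template placeholder")
    else:
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            problems.append(f"appliance URL is not an http:// URL with a host: {url}")
        elif parts.port != KERBEROS_LOGIN_PORT:
            problems.append(f"appliance URL must use port {KERBEROS_LOGIN_PORT}: {url}")
    return problems


# Constructed sample plists (not the vendor file): the unedited template and a
# copy edited as the steps above describe (192.0.2.10 is a documentation address).
TEMPLATE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.smoothwall.kerberoslogin</string>
  <key>ProgramArguments</key><array>
    <string>/path/to/mac-client</string>
    <string>http://smoothwall:814/</string>
  </array>
</dict></plist>"""
EDITED_PLIST = TEMPLATE_PLIST.replace(
    b"/path/to/mac-client", b"/usr/local/bin/mac-client"
).replace(b"http://smoothwall:814/", b"http://192.0.2.10:814/")

if __name__ == "__main__":
    for name, data in (("template", TEMPLATE_PLIST), ("edited", EDITED_PLIST)):
        print(name, check_kerberos_plist(data) or "OK")
```

Run it against the plist you intend to deploy (read the file as bytes and pass it to check_kerberos_plist); an empty result means both ProgramArguments values were replaced and the URL targets the Kerberos Login port.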