This article applies to our On-Premise Appliance Filter and Firewall product only, not to Cloud.
You can use Kerberos Authentication Scripts to authenticate Windows and macOS users who are members of an Active Directory domain.
When a user signs in, the scripts tell Smoothwall that the web proxy doesn’t need to ask the user for their identity. The sign-in refreshes automatically every two minutes.
Important
- These scripts don’t include error handling, so any errors are ignored.
- These scripts can’t be used for parent and child Appliances in a cluster - contact Smoothwall Support.
- These scripts don’t support Fast User Switching - contact Smoothwall Support.
Before you begin
- You must have a Web proxy authentication policy to map IP addresses to users. You can use Core authentication, or any Authentication method with ‘redirect’ in the name.
- You must have a Smoothwall access rule to allow access for the Kerberos Login (814) service.
- Your On-Premise Appliance’s hostname must be a Fully Qualified Domain Name (FQDN).
- Adjust any logon script delay on devices to no more than ten seconds, to prevent unauthenticated browsing.
- Devices must not be multi-homed or dual-stacked.
Windows devices
- Go to software.smoothwall.com.
- Under On-Premise Appliance Kerberos Authentication Scripts select Windows Scripts.
- Edit the scripts to suit your organisational needs, such as replacing fields with network-appropriate hostnames and domain names.
- Use Group Policy Object (GPO) Manager to set background_logon.vbs as a logon script.
- Use GPO Manager to install the background_logon and logon_loop scripts into the domain's NETLOGON share, ensuring they are always available to all domain controllers.
- Sign in to On-Premise Appliance and ensure you are authenticated on the User Activity page.
macOS devices
- Go to software.smoothwall.com.
- Under On-Premise Appliance Kerberos Authentication Scripts select macOS Scripts.
- Edit the two values in the ProgramArguments section of the com.smoothwall.kerberoslogin.plist file to suit your organisation’s needs:
  - Replace <string>/path/to/mac-client</string> with the path to the mac-client file: <string>/usr/local/bin/mac-client</string>
  - Replace <string>http://smoothwall:814/</string> with the IP address of your Smoothwall On-Premise Appliance.
- Use your Mobile Device Management (MDM) system to install the mac-client script to /usr/local/bin on the client device.
- Use your MDM to install the kerberoslogin script to /Library/LaunchAgents on the client device.
Tip
You can rename the com.smoothwall.kerberoslogin.plist script, for example to com.mydomain.kerberosscript.plist. If you change the name, update the mac-client script to reference the new name.
- Set the ownership and permissions for the scripts by opening Terminal and running the following commands:
  - sudo chown root:wheel /Library/LaunchAgents/com.smoothwall.kerberoslogin.plist
  - sudo chmod 644 /Library/LaunchAgents/com.smoothwall.kerberoslogin.plist
  - sudo chown root:wheel /Library/mac-client
  - sudo chmod 755 /Library/mac-client
- Reboot the macOS device and sign in as an Active Directory user.
- Sign in to On-Premise Appliance and ensure you are authenticated on the User Activity page.
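As an added example of the edited LaunchAgent (not a file from Smoothwall or this article), this is what com.smoothwall.kerberoslogin.plist looks like after the two ProgramArguments values above have been replaced. The article only prescribes those two strings; the Label and RunAtLoad keys are assumed here, and 192.0.2.10 is a placeholder for your Appliance’s IP address.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Assumed: launchd identifier. If you rename the file (see the Tip above),
         keep this Label and the reference inside mac-client in step with the new name. -->
    <key>Label</key>
    <string>com.smoothwall.kerberoslogin</string>

    <!-- The two values the article tells you to edit -->
    <key>ProgramArguments</key>
    <array>
        <!-- First value: where your MDM installed mac-client (step above) -->
        <string>/usr/local/bin/mac-client</string>
        <!-- Second value: the Appliance's Kerberos Login (814) URL.
             192.0.2.10 is a placeholder; substitute your Appliance's IP address. -->
        <string>http://192.0.2.10:814/</string>
    </array>

    <!-- Assumed: start the agent as soon as the user's session loads,
         so the device is authenticated before the first browser request -->
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
```

Before rebooting, `plutil -lint /Library/LaunchAgents/com.smoothwall.kerberoslogin.plist` confirms the edited file still parses; a malformed plist is silently skipped by launchd, which would leave the device browsing unauthenticated.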