Integrating Active Directory authentication with a Juniper SA device will allow users to use their AD credentials when signing onto a realm, therefore aiding in the creation of a single sign-on environment.
This is simple to implement on the SA device, although most of the extra configuration work that’s required will have to be performed on the firewalls. Firewall configuration is out of scope for this entry.
1) Select Authentication > Auth Servers > Active Directory/Windows NT > New Server to create a new server entry.
2) Enter the following details:
a. Reference name/label.
b. PDC & BDC details – these can be IP or hostnames. In the case of the later, you must be sure that the SA device has the ability to query a DNS server hosting the internal domain records.
c. Domain name – enter the domain name (local) to which the SA will be querying. This can be in the form of a NETBIOS name rather than the FQDN.
d. Admin credentials – It’s probably best to create a new domain account for the sole purpose of SA integration as this can aid in monitoring. This new account needs to be assigned to the Domain Admins group.
e. Select the appropriate authentication protocol – all can be selected, although NTLM v1 isn’t ideal from a security point of view.
3) Under the Advanced options tab it’s possible to change the container name where the system(s) will be stored (default is the Computers container). You can also alter the name of the SA device.
Once the authentication realm has been configured it’s then possible to assign this to a user realm.
1) Select or create a new user realm.
2) Select General > Servers and alter the authentication server to that of the one previously created. You’ll need to open the appropriate ports on the firewall (assuming the SA device is in a DMZ and the AD server(s) are in different zones) so that a user is able to authenticate. This obviously won’t be an issue if your AD server is in the same zone as the SA(s).