Active Directory User Authorization


Import accounts from Active Directory, see Import of Users for details.


Setting up user authorization

For users imported from Active Directory, all types of user authorization are available. The most commonly used options are Single Sign-On authentication through Active Directory (Kerberos/NTLM) for authorization via a web browser, and authorization via the Active Directory security log; using both types at the same time is recommended.


Setting up SafeUTM

To enable Single Sign-On authentication and authorization through the Active Directory security log, go to the Users -> Authorization -> General tab, enable both authorization types and click Save.
[Screenshot 1: Active Directory User Authorization]

After filling in the Domain name field and saving the settings, a Let’s Encrypt certificate will be issued and the user will be redirected to the authorization window, bypassing the security exception page.
If a certificate for such a domain has already been loaded in the TLS Certificates section, then it will be used and a new certificate will not be issued.


Configuring user computers and domain policies

Authorization via Active Directory security log

Supported on domain controllers starting with the 2008 Standard edition.

For authorization through the security log to work, you must configure the following settings on the primary domain controller:


Web Authorization (SSO or NTLM)

For authorization through a web browser (using Kerberos or NTLM) to work, you need to configure Internet Explorer (other browsers pick up its settings). Apply these settings even if users usually log in through the security log: in some cases they will need to log in through the browser.

In order to configure authorization through a web browser, you must perform the following steps:

  1. Go to your browser's properties and go to the Security tab.
  2. Select Local Intranet -> Sites -> Advanced.
  3. In the window that opens, add SafeUTM under the name by which it was entered into the domain. Specify two URLs: one with http:// and one with https://.

In the screenshot below, SafeUTM is entered into the example.com domain under the name safeics.
[Screenshot 4: Active Directory User Authorization]

Also, this setting can be made using Active Directory group policies for all users at once. To do this, you must perform the following steps:

  1. In group policies for users, go to: Default Policy Group > Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List
  2. Enter a zone assignment for the SafeUTM DNS name (safeics.example.com in the example) with the value 1 (Intranet). Two entries are needed: one for HTTP and one for HTTPS.

[Screenshot 5: Active Directory User Authorization]

When opening the HTTPS site for authorization, the browser must trust the SafeUTM certificate. To avoid confirming this every time, add the SafeUTM root certificate to the device's trusted root certificates, for example through domain policies. You can also use scripts to authorize users automatically at login.
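The per-computer equivalent of the Local Intranet -> Sites -> Advanced step above, as an added PowerShell example that is not part of the SafeUTM documentation: it registers the SafeUTM name for both schemes in the current user's Local Intranet zone and verifies the result. It assumes SafeUTM is joined to the example.com domain as safeics (the name used in this page), uses the registry layout Internet Explorer itself writes for manual zone entries, and treats the root certificate path as a placeholder.

```powershell
# Added example (not SafeUTM's own code). Puts http://safeics.example.com and
# https://safeics.example.com into Internet Explorer's Local Intranet zone for
# the current user, then reads the values back. The group-policy method from the
# instructions writes a separate policy key that takes precedence over these values.
$SafeUtmHost  = 'safeics.example.com'            # name SafeUTM was joined to the domain under
$RootCertPath = 'C:\path\to\safeutm-root.cer'    # placeholder: path to the exported SafeUTM root certificate

# IE stores manual zone entries under ...\ZoneMap\Domains\<domain>\<host>, one DWORD
# per scheme. Zone 1 = Local Intranet, where the browser sends Kerberos/NTLM
# credentials automatically instead of showing a logon prompt.
$LocalIntranetZone = 1
$hostLabel, $domainPart = $SafeUtmHost -split '\.', 2
$zoneMapKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domainPart\$hostLabel"

if (-not (Test-Path $zoneMapKey)) {
    New-Item -Path $zoneMapKey -Force | Out-Null
}
foreach ($scheme in 'http', 'https') {
    New-ItemProperty -Path $zoneMapKey -Name $scheme -PropertyType DWord `
        -Value $LocalIntranetZone -Force | Out-Null
}

# Verify: fail loudly if either scheme did not land in zone 1, e.g. because a
# policy has locked the zone configuration on this computer.
$written = Get-ItemProperty -Path $zoneMapKey
foreach ($scheme in 'http', 'https') {
    if ($written.$scheme -ne $LocalIntranetZone) {
        throw "$scheme://$SafeUtmHost is not in the Local Intranet zone (value: $($written.$scheme))"
    }
    Write-Host "$scheme://$SafeUtmHost -> zone $($written.$scheme) (Local Intranet)"
}

# Optional: trust the SafeUTM root certificate machine-wide so the HTTPS
# authorization page opens without a certificate warning. Needs an elevated shell;
# the instructions describe doing the same thing through domain policy.
if (Test-Path $RootCertPath) {
    Import-Certificate -FilePath $RootCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    Write-Host "Imported root certificate from $RootCertPath into LocalMachine\Root"
}
```

Run the script in the user's own session (or as a logon script) so the HKCU values apply to the account that will authorize; only the certificate import requires administrator rights.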

On the Mozilla Firefox browser settings page (about:config in the address bar), configure the following settings:

Also, for users imported via AD, the following authorization methods are possible:


Configuring user authorization for direct connections to a proxy server

Setting up transparent user authorization for direct connections to a proxy server is similar to setting up transparent Single Sign-On authorization described above in the instructions. The only difference is that the proxy server address is not the IP address of SafeUTM, but its DNS name.


Configuring the Mozilla Firefox browser for authorization via NTLM when connecting directly to a proxy server

For computers that are not in the Active Directory domain, if they need to be authorized under a domain user account, configure the following settings on the Mozilla Firefox browser settings page (about:config in the address bar):

Do not disable these options on computers that are members of an Active Directory domain; in that case the outdated NTLM authorization method will be used.


Possible causes of authorization errors


Revision #6
Created 24 August 2022 22:31:20 by Val Redman
Updated 13 October 2022 14:46:34 by Val Redman