All Topics » Pulse Policy Secure

UAC User Role - How to Setup AD
Contributor (11)
Feb 21, 2014 7:47am



I try to configure user role firewall on MAG 2600 with MAGx600-UAC-SRX license. I am using the Windows Server 2008R2 and UAC 4.4. I want to setup SSO using SPENGO protocol. Can someone explain me the steps how to configure Active Directory? I want to know the exact steps I should perform on AD. How to setup "DNS" and "User and Computers" settings and use of "ktpass" command on AD?



Arslan Nawaz



Contributor (11)
Feb 23, 2014 11:46pm

Hi Arslan Nawaz,

The below information on AD configuration should help for SPNEGO :


On Active Directory, there are two steps that must be performed:
Create a dedicated user for the SPN.

Add the SPN to this user using 'ktpass.exe' (this will generate the keytab).


NOTE: You must set a password for the user. User must change password on next logon should not be enabled, and Password neverexpires should be enabled.


The SPN must be added in this format: HTTP/hostname@REALM. The SPN iscase sensitive. Note the order of uppercase, lowercase and upper case.


For Active Directory 2008, the commands 'ktpass' and 'setspn' are already installed. For Active Directory 2003, an add-on pack is required. Before adding the SPN, it's a good idea to make sure it doesn't already exist. This will help avoid ticket decryption issues on Junos Pulse Access Control Service. On the endpoint, the MAG Series device must be added as a trusted host(with Internet Explorer or Firefox). This can also be done with an Active Directory group policy. Without this, the browser will not participate in SPNEGO.


On the MAG Series device, you must upload the keytab file and verify thatthediode turns green (indicating a successful join).SPNEGOdoes not workunless the diode is green.


Sample Active Directory Commands

To search for a particular SPN:
C:>setspn -Q HTTP/
To search for all the SPNs of user 'spnuser':
C:>setspn -Lspnuser
To delete this SPN of user 'spnuser':
C:>setspn -d HTTP/ spnuser
In this example, the MAG Series device FQDN is: and the
AD realm is: ABC-DOMAIN.LAB.JUNIPER.NET. This adds an SPN to the user:

Additional Information


The 'kerbtray.exe' program is helpful for viewing and deleting Kerberos tickets on the endpoint.Old ticketsmust be purgedfromthe endpoint ifSPNs are updatedor passwords
are changed (assuming the endpoint still has a cached copy of the ticket from a prior SPNEGOrequest to the MAG Series device. During testing,you should purge tickets before
each authentication request.


A similar program to 'kerbtray.exe' is klist.exe. This is a command line program to view and purge tickets. This can be downloaded from Microsoft's site.
When troubleshooting, Juniper Network recommends that you restart the browser between auth requests to avoid cache issues.


If Internet Explorer pops-up a Windows dialog box during authentication, this signifies that the ICisn't trusted for SPNEGO. You should add the MAG Series device FQDN underOptions -> Security -> Local Intranet -> Sites ->Advanced.

In Firefox, you can install the 'Live HTTP Headers' plug-in to monitor HTTP traffic. You should verify that the ticket is being sent as base64 data. To add the MAG Series device as a trusted host in Firefox, load URL about:config in the address window and set:network.negotiate-auth.trusted-uris.

Note: If I have answered your questions, you could mark this post as accepted solution, that way it could help others as well. Kudo will be a bonus thanks!


    Contributor (11)
    Correct Answer
    Feb 24, 2014 4:24am

    Dear Kalagesan


    I already read these details on User Role Firewall documentation. Actually I confuse about AD configuration. I am not much familiar with AD just know the basics. Suppose the hostname of my MAG device is ic2600 with domain I create a dns entry and map the entry with the ip address of my MAG device. The documentation is saying to perform these steps on AD.



    1. Add a DNS entry as the UAC service account in the Forward Lookup Zones. In this way clients can refer to the MAG Series device by name or by IP address.

    This UAC service account name will be used in the next section when reconfiguring the UAC service on the MAG Series device.


    2. Single sign-on authentication requires that the UAC service account password never expires. To modify user settings:

    From the Active Directory Users and Computers application in DNS, select Users>New>User and select the UAC service account created in step 1.

    Select the Account tab.

    In user settings, click Password Never Expires.


    3. Create SPNEGO Keytab File: On the Domain Controller, open a command line, and enter the ktpass command to create the SPNEGO keytab file.



    As I mention I create the DNS entry of my ic2600 device. Can you expain what the SPN actually is and how can I create the SPN user? What is the UAC service account and how it is created?  Can you explain step 2 in more detail?


    Many Regards