Authenticating Web Browsing With Your Windows Domain


Summary

SecureSchool supports several authentication methods for differentiating between groups of users and filtering each group differently.  The benefit is that you can apply very tight filtering to students while allowing staff to reach sites that would typically be blocked for students.  Additionally, when authentication is in use, you can search the logs for a username and find out where that user went.

When you have a Windows-based domain, SecureSchool can join that domain and query group memberships to determine how to filter your users.  When a user tries browsing the Internet, SecureSchool asks a domain controller what groups that user is a member of, then compares that list to the list of filter sets defined in SecureSchool.  When it finds a match, the matching filter set is how it will filter that user's web traffic.

We offer two different methods for authenticating against a Windows domain: "NT/2000" and "NTLM".

  • Using "NT/2000", every time a user opens up a new browser window, they are prompted to enter their username and password before they can browse.
  • Using "NTLM", if the user uses a supported browser (currently Internet Explorer or Mozilla Firefox), and is logged on to a Windows computer using their domain credentials, the information about the user is sent automatically in the background to SecureSchool, and no user interaction is required.  If the user did not log on using a domain account, is using an unsupported browser, or is using a computer that is not joined to the domain, they are prompted to enter their domain username and password.

Applies To

SecureSchool, ISBossBox, LibraryDoor, Microsoft Windows.

More Information

There are several steps that need to be done in order to make authentication work well.  First and foremost, you need to decide how you want to filter your users.  In a school environment, you'll probably want one filter set for your students, one for your teachers, and another for administration.  In a business, you'll probably want one filter set for employees, and another for administration.  In a library, you'll probably want a filter set for patrons, one for the staff, and another one for the administration.  You can always add or delete filter sets as you need them, but remember that the more filter sets you have, the harder it is to maintain and the longer restarts will take if you make a change to every filter set.  For example, you may have one staff member that needs to get to www.staples.com to order office supplies, so you may be inclined to make a separate filter set just for that one person.  However, does it really hurt anything letting all the staff get to www.staples.com?

Creating groups in Windows

Once you decide on your different filtering levels, you need to set them up in your domain.  SecureSchool looks at the security groups of a user.  Each user needs to be a member of one and only one group that matches up with a filter set.  The names cannot have spaces, and must be unique.  If a user is not in a group that matches a filter set name, they are denied access to the web.  For this reason, we recommend you create entirely new groups that are only used for Internet filtering purposes.  To make it easy, follow a naming scheme like "SSB_Staff", "SSB_Students", "SSB_Administrators", "SSB_Patrons", and so on.  If you prefix all your filtering groups with "SSB_", it makes them easier to find, and easier to diagnose potential problems.  Also, if you have a bad user, it's easy to go down the list of groups a user is in and just look for groups that start with "SSB_" and remove them from those groups to stop their web browsing.

To create the groups, first go to "Start" -> "Programs" -> "Administrative Tools" -> "Active Directory Users & Computers".  In the left pane, select the OU you want to place the group in, then in the right pane, right click in some empty space and go to "New" -> "Group".  You'll be shown a dialog box like this:

  • For "Group name", enter the name of the filter set you want to define in the domain, for example "SSB_Staff"
  • The "Group name (pre-Windows 2000)" field should be filled in automatically with the same thing.  If it's not, fill it in.
  • For "Group Scope", select "Global"
  • For "Group Type", select "Security"

When the dialog box is filled in, click "OK".  Now repeat that process for any other groups / filter sets you want to add.

Adding Users To A Group

Once the groups are defined, you now need to put users into them.  We strongly urge you to not simply place these new groups into existing groups.  Doing this will eventually (if not right away) cause "collisions", where a user ends up in two filter sets, or will limit who you can put in which filter set.  The simplest way is to just set aside a few minutes to quickly go through your user list and add people to the group.  Many people do not realize you can do this to several users at a time.  (That feature was added in Windows Server 2003.)  And if your users are already separated into different OUs, it's even easier.

In the "Active Directory Users & Computers" tool, start by selecting the OU some of your users are in.  Next, select the users you want to add to that group by either:

  • Holding the CTRL key down and clicking on each user
  • Clicking on the first user in the list, scrolling down to the last user you want to modify, pressing and holding the Shift key, then clicking that user.  That will select all users between the two "points" in the list.

Next, right click any name on the list, and click on "Add to Group...".  This will open a dialog box that will allow you to type in the group name you want to add them to.  Simply type in the name of the group, then click "OK".  Repeat this until all your users are done.  Remember that any user not in a group that matches up with a filter set will not be able to browse.  So if you have a user that right away says that they cannot get to the Internet, check their group membership first.

Note: SecureSchool caches group membership information for about 15 minutes.  This means that if you change the group membership of an account, it may take 15 minutes for SecureSchool to acknowledge the change and filter the user the new way.
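
The same group creation and bulk add can be scripted.  This is an added example, not vendor code; it assumes the ActiveDirectory PowerShell module is installed, and the OU paths and the group-to-OU mapping are placeholders for your own directory layout.

```powershell
# Added example, not vendor code. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumptions: these OU paths are placeholders for your own directory layout.
$groupOu = 'OU=Filtering,DC=mydomain,DC=internal'
$plan = @{
    'SSB_Staff'    = 'OU=Staff,DC=mydomain,DC=internal'
    'SSB_Students' = 'OU=Students,DC=mydomain,DC=internal'
}

foreach ($name in $plan.Keys) {
    # Group names that map to Filter Sets cannot contain spaces.
    if ($name -match '\s') { throw "Group name '$name' contains whitespace" }

    # Same choices as the dialog box: Global scope, Security type, and a
    # pre-Windows 2000 name identical to the group name.
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name `
            -GroupScope Global -GroupCategory Security -Path $groupOu
    }

    # Add only the users in the OU who are not already direct members.
    $current = @(Get-ADGroupMember -Identity $name |
        ForEach-Object { $_.distinguishedName })
    $toAdd = @(Get-ADUser -Filter * -SearchBase $plan[$name] |
        Where-Object { $current -notcontains $_.DistinguishedName })
    if ($toAdd.Count -gt 0) {
        Add-ADGroupMember -Identity $name -Members $toAdd
        Write-Output "Added $($toAdd.Count) user(s) to $name"
    }
}
```

Users are added directly to the filtering groups rather than by nesting existing groups, which keeps to the advice above about avoiding collisions.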

Adding filter sets in SecureSchool

Now that you have groups, and your users are in those groups, you can start setting up the Filter Sets in SecureSchool.  To do this, go to "User Auth" -> "Filter Sets".  Here, you'll get a page that looks similar to this:



For your first Filter Set, we want to modify the starter Filter Set named "SSB_Users".  This is the filter set that is used when no authentication method is selected.  For this reason, you want this to be your most restrictive filter set (SSB_Students, SSB_Patrons, etc).  To edit this filter set and "convert" it, simply click on the name of the "SSB_Users" Filter Set.  This will give you a form to edit the Filter Set.

  • Change the name of the Filter Set to whatever Filter Set you want to be the fall-back
  • Verify that the "People in this Filter Set are:" is set correctly
  • Click on "Save Changes"

Now that the first Filter Set is done, we need to add the others.  To add a Filter Set, on the white bar click on "Add a Filter Set".  You'll then get a form like this:


  • For the "Filter Set Name", enter the name of the Filter Set you want to create.  This should exactly match the name of the group you made in Active Directory.
  • "Copy This Filter Set From" will use the existing settings of another Filter Set when it creates this one.  You probably want to pick "SSB_Students", or whatever you just renamed the "SSB_Users" Filter Set to.  By copying the existing Filter Set, you start the new one with all the changes you've already made.

Once the information on the form is correct, click on "Submit".  Repeat this for each Filter Set you want to create.

Setting the Domain Specific Name Server

So the security groups are in Active Directory, your Filter Sets are created, now you need to actually join SecureSchool to the domain.  First, you need to tell SecureSchool to point DNS queries for your domain to your Domain Controller.  To do this, go to "Setup" -> "Domain Specific Name Servers" -> "Add".  You'll get a form that looks like this:

  • In the "Domain Name" field, enter the DNS name for your domain (for example, "mydomain.internal")
  • In the "DNS Server X" fields, enter each of your DNS servers.  If you only have one, that's fine.

When the form is complete, click on "Submit".

Now, you need to commit these changes before we go any further, so that SecureSchool knows how to talk to your DNS servers.  So go to "Commit Changes" then restart.  At this point, the appliance is still not authenticating any web browsing.  So if you missed a step, or want to take a break, now would be a good time.

Setting the Time on the Domain Controllers

Next, you need to make sure everything is in sync with the system clocks.  Please read http://kb.k12usa.com/Knowledgebase/Windows-Time-Service-Synchronization for how to do this.

Joining the Domain

Before you proceed, make sure the following is done:

  • All your Filter Sets are created in "User Auth" -> "Filter Sets"
  • All those Filter Sets have matching "Global Security Groups" in your Active Directory
  • All of your users are in one and only one global security group that matches up with a Filter Set  (This does not mean that they have to be in only one group total.  Just that they must be in only one group that has the same name of a Filter Set, for example, SSB_Staff)
  • Your domain and DNS servers are listed under "Setup" -> "Domain Specific Name Servers" -> "List"
  • All of your domain controllers have been configured to use SecureSchool as their time source
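
One way to check the "one and only one" requirement before joining is to audit group membership from a domain workstation.  This is an added example, not vendor code; the Filter Set names and the OU path are placeholders, and it assumes nested membership counts toward a match, which is how the collisions described earlier arise.

```powershell
# Added example, not vendor code. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: the Filter Set names entered under "User Auth" -> "Filter Sets".
$filterSets = 'SSB_Staff', 'SSB_Students', 'SSB_Administrators'
# Assumption: placeholder OU holding the accounts that browse through the appliance.
$searchBase = 'OU=People,DC=mydomain,DC=internal'

# Map each user DN to the filter groups it belongs to, directly or through nesting.
# Note: Get-ADGroupMember is subject to the AD Web Services result limit
# (5000 entries by default), so very large groups may need a different query.
$hits = @{}
foreach ($name in $filterSets) {
    if ($name -match '\s') { Write-Warning "'$name' contains a space" }
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if (-not $group) { Write-Warning "No group named '$name' in the domain"; continue }
    if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
        Write-Warning "'$name' is $($group.GroupScope)/$($group.GroupCategory), expected Global/Security"
    }
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $dn = $_.distinguishedName
            if (-not $hits.ContainsKey($dn)) { $hits[$dn] = @() }
            $hits[$dn] += $name
        }
}

# List every enabled user that matches zero Filter Sets (denied web access)
# or more than one (a collision).
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase | ForEach-Object {
    $matched = @()
    if ($hits.ContainsKey($_.DistinguishedName)) { $matched = @($hits[$_.DistinguishedName]) }
    if ($matched.Count -ne 1) {
        [pscustomobject]@{
            User    = $_.SamAccountName
            Matches = $matched.Count
            Groups  = $matched -join ', '
        }
    }
}
```

An empty result means every enabled user in the OU maps to exactly one Filter Set.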

If all the above is done, then go to "Setup" -> "Authentication Method" -> "Settings".  Switch the radio button to the choice for either "NT/2000" or "NTLM" depending on which method you want to use.  On the top of the right side, select your server type (either "Windows NT" or "Windows 2000/2003").  You will then get a form that looks like this:

  • For "Domain Name", enter your domain's DNS name (for example, "mydomain.internal")
  • For "Netbios Domain Name", enter the Netbios name for your domain (for example, "mydomain")
  • For "Domain Server Name", enter the fully qualified DNS name for your domain controller (for example, "server.mydomain.internal")
  • For "Domain Server IP", enter the IP address for the domain controller you just specified
  • For "Netbios Name for SecureSchool", leave it at "SECURESCHOOL"
  • For "Domain Admin Username", enter an administrative username (for example, "administrator")
  • For "Domain Admin Password", enter the password for the above account

Once the form is filled in correctly, click on "Join Active Directory".  You should then get a green bar saying "Joined Domain Successfully", or a red bar with an error.  If you need help with the error, please call us.

Once you are joined successfully, go to "Commit Changes" and restart whatever is needed.  Your users are now browsing using authentication.

Editing Filter Sets Filtering Settings

Now to edit the individual Filter Set settings, go to "Website Filtering", then in the white bar there is now a drop down menu to select which Filter Set you want to work on.  This drop down menu also exists in the "Content Filtering" top level tab.