The domain server is configured with a login script (logon.exe) and a logout script (logoff.exe). When a user logs in to or out of the domain, the domain policy delivered by the server runs the corresponding script, which logs the user in to or out of the device.
See the following figure.

The process is as follows:
- The PC requests domain login.
- The domain server returns login success information to the PC.
- The PC executes the logon.exe script and reports the domain login success information to the device.
Configuration: The users in the intranet segment 192.168.1.0/24 must adopt the AD domain SSO authentication mode. After they are authenticated, the users use domain accounts to access the Internet. In addition, users and IP addresses are bound automatically. When SSO fails, the authentication page is displayed for users to enter AD domain accounts and passwords for authentication.
Step 1. Navigate to Access Mgt > Authentication > Web Authentication > Auth Server and add the LDAP Server.
Step 2. Set the authentication policy. Choose Access Mgt > Authentication > Web Authentication > Authentication Policy, and set the authentication policy according to the IP or MAC addresses of the users who require SSO.
Set the objects:
Set the authentication method:
Set the Action:
Click OK.
Enable SSO, select the SSO mode, and set the shared key. Choose Access Mgt > Authentication > Web Authentication > Single Sign-On (SSO) > MS AD Domain, and select Enable Domain SSO.
Step 3. Select Auto Deliver Scripts, Execute Specified Login Script, and Obtain Login Information; this indicates that SSO is implemented by delivering the login script. Enter the shared key in Shared Key. See the following figure.
The shared key encrypts the communication between the device and the AD domain server, and the value passed to the login script must match it exactly. Click Download Domain SSO Program to download the login and logout scripts.
Step 4. Configure the login script on the AD domain server.
- Log in to the domain server and choose Server Manager from the menu, as shown in the following figure.
- Select Manage Users and Computers in Active Directory.
- In the displayed window, right-click the domain to be monitored and choose Properties.
- In the displayed window, click Group Policy. Double-click the group policy Default Domain Policy.
- In the displayed Group Policy Object Editor window, choose User Configuration > Windows Settings > Scripts (Logon/Logoff).
- Double-click Logon on the right. In the displayed Logon Properties window, click Show Files in the lower-left corner. A directory is opened. Save the login script file in the directory and close it.
- In the Logon Properties window, click Add. In the Add a Script window, click Browse, choose the login script file logon.exe, and enter the IP address of the device, the port number (fixed to 1773 and 1775 for IPv4, or to 1775 for IPv6), and the shared key (exactly the same as that configured on the device). Separate the parameter values with spaces. Click Apply and then OK, and close the windows one by one.
Step 5. Configure the logout script on the LDAP server. The logout script logs users who have logged out of the domain server out of the device.
- Perform the same steps as for the login script, but in sub-step 6 (where Logon is double-clicked) double-click Logoff instead.
- In the displayed Logoff Properties window, click Show Files in the lower-left corner. A directory is opened. Save the logout script file logoff.exe in the directory and close it.
- In the Logoff Properties window, click Add. In the Add a Script window, click Browse, choose the AD logout script file logoff.exe, and enter the IAG IP address as the logout script parameter. Close the windows one by one.
- Choose Start > Run, enter gpupdate, and click OK. The group policy takes effect.
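After Steps 4 and 5, the entries made with Add are stored by Windows in a scripts.ini file under the policy's SYSVOL folder, and the files copied via Show Files sit in the Logon and Logoff subfolders next to it. The following PowerShell script, an added example that is not part of this documentation or of the vendor's SSO program, reads that file on the domain controller and checks that logon.exe and logoff.exe are present and registered, and that the logon parameters follow the order given in Step 4 (device IP, port numbers, shared key). It assumes the scripts were added to the Default Domain Policy as described, that the GroupPolicy module is available (it is on a domain controller), and that $DeviceIp and $SharedKey are placeholders for the values you actually entered.

```powershell
# Added verification example (not from the product documentation or the vendor's SSO program).
# Run on the domain controller after Steps 4 and 5.
# Assumed: scripts were added to the Default Domain Policy; the two parameters are placeholders.
param(
    [string]$DeviceIp  = '192.168.1.254',           # placeholder: device IP entered in Step 4
    [string]$SharedKey = 'REPLACE-WITH-SHARED-KEY'  # placeholder: shared key set in Step 3
)

Import-Module GroupPolicy -ErrorAction Stop
$gpo = Get-GPO -Name 'Default Domain Policy'

# "Show Files" in the Logon/Logoff Properties window opens a subfolder of this SYSVOL path;
# the entries made with "Add" are written to scripts.ini in the same folder.
$scriptsDir = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}\User\Scripts"
$iniPath    = Join-Path $scriptsDir 'scripts.ini'

function Read-ScriptsIni {
    # Minimal INI reader: @{ 'Logon' = @{ '0CmdLine' = 'logon.exe'; '0Parameters' = '...' }; 'Logoff' = @{ ... } }
    param([string]$Path)
    $ini = @{}; $section = $null
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($section -and $line -match '^([^=]+)=(.*)$') { $ini[$section][$Matches[1]] = $Matches[2] }
    }
    return $ini
}

function Get-IniValue {
    # Returns the value of the first key ending in $Suffix (for example '0CmdLine'), or $null.
    param([hashtable]$Section, [string]$Suffix)
    if (-not $Section) { return $null }
    foreach ($key in $Section.Keys) { if ($key -like "*$Suffix") { return $Section[$key] } }
    return $null
}

$problems = @()

# Both executables must have been copied into the folder opened by "Show Files".
foreach ($kind in 'Logon', 'Logoff') {
    $exe = "$($kind.ToLower()).exe"
    if (-not (Test-Path (Join-Path $scriptsDir "$kind\$exe"))) {
        $problems += "$exe is missing from $scriptsDir\$kind."
    }
}

if (-not (Test-Path $iniPath)) {
    $problems += 'scripts.ini not found: no script has been registered with "Add" yet.'
} else {
    $ini = Read-ScriptsIni -Path $iniPath
    foreach ($kind in 'Logon', 'Logoff') {
        $exe = "$($kind.ToLower()).exe"
        $cmd = Get-IniValue $ini[$kind] 'CmdLine'
        if (-not $cmd -or (Split-Path -Leaf $cmd) -ne $exe) { $problems += "[$kind] section does not register $exe." }
    }
    # Step 4 orders the logon parameters as: device IP, port number(s), shared key, separated by spaces.
    $parts = @((Get-IniValue $ini['Logon'] 'Parameters') -split '\s+' | Where-Object { $_ })
    if ($parts.Count -lt 3) {
        $problems += '[Logon] parameters must be "<device IP> <port(s)> <shared key>".'
    } else {
        if ($parts[0] -ne $DeviceIp)    { $problems += "[Logon] device IP is '$($parts[0])', expected '$DeviceIp'." }
        if ($parts[-1] -cne $SharedKey) { $problems += '[Logon] shared key differs from the device setting (compared case-sensitively).' }
    }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "Logon and logoff scripts are registered correctly in $scriptsDir." }
```

The shared key comparison is case-sensitive on purpose: the key is used to encrypt the script's report to the device, so a key that differs only in case will still fail silently at the device, and this is the mismatch the check is meant to catch before users test Step 6.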
Step 6. Log in to the domain from a computer. If the login succeeds, you can access the Internet.
1. The primary DNS server of the PC must be set to the IP address of the domain server. Otherwise, the domain name cannot be resolved to an IP address, and domain server login fails.
2. If the DNS server or IP address is changed after the first successful login, the user can still log in to the computer with the correct password, because Windows caches the previous valid password. However, the user cannot log in to the domain in this case: SSO fails, and an authentication dialog box requesting the username and password is displayed when the user tries to access the Internet.
3. The domain server, the device, and the PC must be able to communicate with one another.
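The three notes above are the usual reasons an SSO test in Step 6 ends at the authentication page. The following PowerShell pre-flight check, an added example that is not part of this documentation or of the vendor's SSO program, runs on a domain-joined PC and tests each note in turn: that the primary DNS server resolves the domain and is itself a domain server, that the PC holds a working secure channel to the domain rather than a cached-password logon, and that the domain server and the device are reachable. It assumes $DeviceIp is a placeholder for the device address; the page gives the script ports 1773 and 1775 but not their transport, so the TCP-only Test-NetConnection is used as a reachability indicator.

```powershell
# Added pre-flight check for the three notes (not from the product documentation or the vendor).
# Run from an elevated PowerShell on a domain-joined PC in the 192.168.1.0/24 segment.
# Assumed: $DeviceIp is a placeholder; port tests are TCP-only reachability indicators.
param(
    [string]$DeviceIp    = '192.168.1.254',   # placeholder: device IP
    [int[]] $DevicePorts = @(1773, 1775)      # script ports named in Step 4 (IPv4)
)

$domain = $env:USERDNSDOMAIN
if (-not $domain) {
    Write-Warning 'Not logged in with a domain account; the SSO script only runs for domain logins.'
    return
}

# Note 1: the PC's primary DNS must be the domain server, or the domain name cannot be resolved.
$dnsCfg = Get-DnsClientServerAddress -AddressFamily IPv4 |
          Where-Object { $_.ServerAddresses } | Select-Object -First 1
$primaryDns = if ($dnsCfg) { $dnsCfg.ServerAddresses[0] } else { $null }
$dcAddrs = @(Resolve-DnsName -Name $domain -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress)
if (-not $dcAddrs) {
    Write-Warning "Note 1: '$domain' does not resolve through DNS server '$primaryDns'."
} elseif ($dcAddrs -notcontains $primaryDns) {
    # Heuristic: the domain's A records point at the domain controllers.
    Write-Warning "Note 1: primary DNS $primaryDns is not one of the domain servers ($($dcAddrs -join ', '))."
}

# Note 2: with a cached password Windows logs the user in to the PC even when the domain is
# unreachable, and SSO then fails. A healthy secure channel shows a real domain logon is possible.
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning 'Note 2: secure channel to the domain is broken; this logon relied on cached credentials.'
}

# Note 3: domain server, device, and PC must all be able to communicate.
foreach ($dc in $dcAddrs) {
    $r = Test-NetConnection -ComputerName $dc -Port 389 -WarningAction SilentlyContinue   # LDAP
    if (-not $r.TcpTestSucceeded) { Write-Warning "Note 3: domain server $dc is not reachable on TCP 389." }
}
foreach ($port in $DevicePorts) {
    $r = Test-NetConnection -ComputerName $DeviceIp -Port $port -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { Write-Warning "Note 3: device $DeviceIp is not reachable on TCP $port (script report port)." }
}
Write-Host 'Pre-flight check finished; each warning above names the note it violates.'
```

If a device port test fails while the device still records logons from other PCs, the port is probably not TCP, and the warning for it can be ignored; the DNS and secure-channel checks are the ones that explain the cached-password case described in note 2.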