Transparent NTLM authentication and Active Directory group enumeration


Here's the situation I have:

I've set up transparent NTLM authentication and an HTTP Proxy rule to use SmartFilter.

In SmartFilter I've configured allow/block policies based on user groups in Active Directory.

NTLM authentication works fine since I can see Active Passports on the firewall.

But somehow it does not get the user group information, and since the Access Rule is in state "Allow", every user who successfully authenticates using transparent NTLM authentication is allowed the traffic, neglecting group membership.

If I configure the Authenticator to use Active Directory and use the same SmartFilter configuration, it reads the group information correctly and denies/allows site access depending on user group membership.

Does the NTLM authenticator not read group membership information from Active Directory, or am I missing something in the configuration?
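The failure mode described in the question (an "Allow" access rule that is satisfied by identity alone when the authenticator returns no group list) can be reproduced in a few lines. The following is an added example, not code from the thread, from McAfee Firewall Enterprise or from SmartFilter; the passport records, policy table and the `decide` / `sessions_without_groups` functions are constructed for illustration only. It evaluates the same group-based policy twice: once the way the question describes (missing groups fall through to allow) and once fail-closed, and it includes a small audit helper that flags authenticated sessions that carry no group data, which is the condition to look for when checking whether the directory lookup is actually populating groups.

```python
"""Group-based web-filter policy evaluation with fail-open vs. fail-closed
handling of a session that authenticated but carries no group list.
Added example; records and policy are constructed, not product data."""

# Constructed sample "passport" records: what an authenticator might hand to
# the filtering engine. Transparent NTLM supplies the identity only (groups
# unresolved -> None); an AD/LDAP-backed authenticator supplies group names.
SAMPLE_PASSPORTS = {
    "ntlm_only": {"user": "CORP\\alice", "groups": None},
    "ad_lookup": {"user": "CORP\\alice", "groups": ["Domain Users", "Finance"]},
}

# Constructed policy: a URL category is restricted to the listed groups.
# Categories absent from the table are unrestricted for any authenticated user.
POLICY = {
    "social": {"Marketing"},
    "finance": {"Finance"},
}


def decide(passport, category, fail_closed=True):
    """Return 'allow' or 'deny' for one request.

    fail_closed=False mirrors the behaviour in the question: an access rule
    in state 'Allow' is satisfied by a successful authentication even when the
    group list is missing, so group membership is effectively ignored.
    fail_closed=True denies restricted categories when groups are unknown.
    """
    allowed_groups = POLICY.get(category)
    if allowed_groups is None:
        return "allow"  # unrestricted category

    groups = passport.get("groups")
    if groups is None:
        # Identity known, membership unknown: this is the decision that
        # silently turns a group policy into an "everyone authenticated" rule.
        return "deny" if fail_closed else "allow"

    return "allow" if allowed_groups.intersection(groups) else "deny"


def sessions_without_groups(passports):
    """Audit helper: names of sessions that authenticated but carry no group
    list. A non-empty result means the group lookup is not populating data
    and any group-based rule is being evaluated on identity alone."""
    return sorted(name for name, p in passports.items() if p.get("groups") is None)


if __name__ == "__main__":
    for name, passport in SAMPLE_PASSPORTS.items():
        for category in ("social", "finance", "news"):
            print(name, category,
                  "fail-open:", decide(passport, category, fail_closed=False),
                  "fail-closed:", decide(passport, category, fail_closed=True))
    print("sessions lacking group data:", sessions_without_groups(SAMPLE_PASSPORTS))
```

Running it shows the NTLM-only session allowed to every category under the fail-open evaluation, which is exactly the symptom in the question, while the same session is denied the restricted categories once the evaluation fails closed; the AD-backed session is allowed only where its groups match.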


4 Replies

Re: Transparent NTLM authentication and Active Directory group enumeration


I haven't personally used Active Passports that extensively, but you may wish to take a look at the McAfee Logon Collector application, assuming you are running v8 of the Firewall product.

MLC can be downloaded using your grant number from the main McAfee web site and includes documentation. It basically provides a transparent link between your Firewall appliance and your Windows domain (identifying who is logged in where). But I do know that this method does include AD group membership details and will then allow you to create rules on the Firewall based on groups rather than just user credentials.

When you look at the Passport list for any user authenticated using MLC you should also see that the AD groups (as External Groups) are listed.



Re: Transparent NTLM authentication and Active Directory group enumeration


PhilM is correct; MLC is a good option for this as well, for authentication that is transparent to the user.

Please take a look at the following doc that may help. NTLM by itself does not allow the firewall to get the groups, but you can configure SmartFilter to get the groups so that different policies can be enforced based on the groups.

Application Note: Configuring Integrated Windows Authentication as a Firewall Enterprise 8.x/7.x Aut...


Re: Transparent NTLM authentication and Active Directory group enumeration

Hi, Mtuma!

I used exactly that document, and got to the situation described above.

Then I tried this:

And got it working for groups but no transparent authentication.

I will try MLC and will report back on results.

If you have any tips for MLC usage, please share.



Re: Transparent NTLM authentication and Active Directory group enumeration

It turns out that McAfee Logon Collector cannot be installed on Windows Server 2012.

Does anyone know how to trick the installer into thinking I have Windows 2008 R2 instead of Windows 2012?

