
Transparent NTLM authentication and Active Directory group enumeration

Hi!

Here's the situation I have:

I've set up transparent NTLM authentication and an HTTP Proxy rule to use Smartfilter.

In Smartfilter I've configured allow/block policies based on user groups in Active Directory.

NTLM authentication works fine since I can see Active Passports on the firewall.

But somehow it does not get user group information, and since the Access Rule is in state "Allow", every user who successfully authenticates using transparent NTLM authentication is allowed the traffic, neglecting group membership.

If I configure the Authenticator to use Active Directory and use the same SmartFilter configuration, it reads group information correctly and denies/allows site access depending on user group membership.

Does the NTLM authenticator not read group membership information from Active Directory, or am I missing something in the configuration?

Gunars

PhilM

Re: Transparent NTLM authentication and Active Directory group enumeration

Gunars,

I haven't personally used Active Passports that extensively, but you may wish to take a look at the McAfee Logon Collector application - assuming you are running v8 of the Firewall product.

MLC can be downloaded using your grant number from the main McAfee web site and includes documentation. It basically provides a transparent link between your Firewall appliance and your Windows domain (identifying who is logged in where). But, I do know that this method does include AD group membership details and will then allow you to create rules on the Firewall based on groups rather than just user credentials.

When you look at the Passport list for any user authenticated using MLC you should also see that the AD groups (as External Groups) are listed.

-Phil.

mtuma

Re: Transparent NTLM authentication and Active Directory group enumeration

Hello,

PhilM is correct, MLC is a good option for this as well for authentication that is transparent to the user.

Please take a look at the following doc that may help. NTLM by itself does not allow the firewall to get the groups, but you can configure Smartfilter to get the groups so that different policies can be enforced based on the groups.

mysupport.mcafee.com

Application Note: Configuring Integrated Windows Authentication as a Firewall Enterprise 8.x/7.x Aut...

-Matt

Re: Transparent NTLM authentication and Active Directory group enumeration

Hi, Mtuma!

I used exactly that document, and got to the situation described above.

Then I tried this: https://kc.mcafee.com/corporate/index?page=content&id=KB62804&actp=search&viewlocale=en_US&searchid=...

And got it working for groups but no transparent authentication.

I will try MLC and will report back on results.

If you have any tips for MLC usage, please share.

Thanks!

Gunārs

Re: Transparent NTLM authentication and Active Directory group enumeration

It turns out that McAfee Logon Collector cannot be installed on Windows Server 2012.

Does anyone know how to trick the installer into thinking I have Windows 2008 R2 instead of Windows 2012?

Gunars
