
Fallback Authentication kerberos and LDAP


I've tried to implement a fallback authentication rule:

1. Kerberos

2. LDAP (if Kerberos failed)

But it doesn't work. The Browser always chooses Kerberos.

I've already tested the "Authenticate against Multiple Directories"-Ruleset and read this:

"This rule set will not work for prompt-less authentication, or mixed authentication methods such as integrated for NTLM plus basic for LDAP"

Is it possible that it doesn't work with Kerberos because it's the same behaviour as with integrated NTLM?

Kind regards

5 Replies

Re: Fallback Authentication kerberos and LDAP


Yes, that is true. I believe MWG will tell the browser that we support "Negotiate" and "Basic" as methods to authenticate. The browser will pick the strongest one (Negotiate) and fail to do Basic. If I remember correctly it is required to use the "Authentication.ClearMethodList" event to clear out the offered methods to the browser, so that the browser will use Basic.

I think we have an example rule set somewhere, I will see if I can find it.
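The mechanism described in this reply, as an added model that is not MWG's code or rule syntax: a client ranks the schemes in a 407 challenge and picks the strongest, so a combined "Negotiate, Basic" challenge never reaches Basic, whereas a second challenge that offers Basic alone (what clearing the method list achieves) does. The header values, the `Client` class and the preference order are constructed for the example.

```python
# Constructed model of the proxy challenge/response exchange; not MWG code.
from typing import List, Optional

# Order in which browsers typically rank offered schemes, strongest first.
SCHEME_PREFERENCE = ["negotiate", "ntlm", "digest", "basic"]


def parse_challenges(header: str) -> List[str]:
    """Return scheme names from a Proxy-Authenticate list value, e.g.
    'Negotiate, Basic realm="corp"' -> ['negotiate', 'basic'].
    A comma-separated piece whose first token is key=value continues the
    previous challenge's parameters rather than starting a new scheme."""
    schemes = []
    for piece in header.split(","):
        piece = piece.strip()
        if not piece:
            continue
        first = piece.split()[0]
        if "=" not in first:  # bare token = a new challenge scheme
            schemes.append(first.lower())
    return schemes


def pick_scheme(offered: List[str]) -> Optional[str]:
    """Client behaviour: choose the strongest offered scheme it knows."""
    return next((s for s in SCHEME_PREFERENCE if s in offered), None)


class Client:
    def __init__(self, kerberos_ok: bool, basic_ok: bool = True):
        self.kerberos_ok = kerberos_ok  # False models a user without a ticket
        self.basic_ok = basic_ok        # LDAP credentials would be accepted

    def attempt(self, scheme: str) -> bool:
        return self.kerberos_ok if scheme == "negotiate" else self.basic_ok


def negotiate(client: Client, challenges: List[str]) -> List[str]:
    """Drive the exchange: 'challenges' are the Proxy-Authenticate values
    the proxy sends in turn after each failed attempt."""
    log = []
    for header in challenges:
        scheme = pick_scheme(parse_challenges(header))
        if scheme is None:
            log.append("no-scheme")
            break
        ok = client.attempt(scheme)
        log.append(f"{scheme}:{'ok' if ok else 'fail'}")
        if ok:
            break
    return log


# Both schemes offered every round: the browser keeps choosing Negotiate.
COMBINED = ['Negotiate, Basic realm="corp"'] * 3
# Negotiate first; after it fails the list is cleared and only Basic is offered.
SEQUENTIAL = ["Negotiate", 'Basic realm="corp"']
```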




Re: Fallback Authentication kerberos and LDAP

Here is an example:


I have not tested it, so I cannot guarantee that it works, but maybe you can give it a try?




Re: Fallback Authentication kerberos and LDAP


Yes, this ruleset works.

Thanks for your support.




Re: Fallback Authentication kerberos and LDAP

Hello Andre,

The rule set works fine. But now I wanted to extend the policy with getting LDAP group details for authorisation.

Here is my policy:


With this new rule I have a problem: from time to time the user gets a "not authorized" message. If the user refreshes the site with F5, the site is displayed.

If I place the Get-UserGroup rule after the LDAP authentication rule, the authorization doesn't work anymore.

Do you have any idea why?

Maybe my additional rule is not correct?

Thanks and Regards,


Message edited by vkloezer on 18.03.13 07:07:38 CDT

Re: Fallback Authentication kerberos and LDAP

Hi Viktor,

Basically, the rules look OK to me. I am curious about the "from time to time" statement. Does this mean that the error pops up randomly? Is there anything you can point out when the issue occurs, or can you reliably replicate the issue when you do a specific action?

I would assume that when the rule works for most requests the rule should be correct. If you can try, you could move the additional rule that looks up the group membership and place it in a separate rule set which you call once authentication is provided.

Does the issue occur with the additional rule disabled?

For me it sounds like there is maybe a problem for MWG when trying to check the credentials against Kerberos/the LDAP server (looks like a sporadic issue). Maybe a deeper analysis is required, so I recommend filing a service request (if not already done) and providing them with feedback and some packet captures which show the issue. Support should then be able to clearly point out what is going wrong.

So far the issue does not sound familiar, sorry.


