
Getting AD User Groups (including nested) when using MCP


MCP only returns Active Directory Groups that users are direct members of (because it gets information locally on the end user computer). NTLM Authentication returns all groups, including nested Groups (Groups inside Groups).

As we are using Groups (some of them nested) to match users to their Internet browsing policies, the information sent by MCP is therefore not enough.

We require MCP because it allows us to proxify all traffic (which allows us to intercept portable browsers).

We are currently stuck because MCP does not work well with NTLM authentication configured on the Web Gateways.

If I am not mistaken, MCP sends the authentication credentials it gets locally on the end user computer in HTTP headers (populating X-SWEB-AuthUser, X-SWEB-AuthGroups, etc.). If the MWGs are configured to accept only NTLM authentication, they ignore the information sent by MCP in the headers and send back an HTTP 407 Authentication Required (as expected), which is ignored / not handled / dropped by the MCP client.

In the end, users get a Blocking Page and cannot surf.

Notes: If MCP is disabled on the end user computer, everything is fine. If MCP authentication is accepted on the MWG, everything is fine (except that we do not have nested groups).

How can we make the MCP client work properly with MWGs using only NTLM authentication?


2 Replies

Re: Getting AD User Groups (including nested) when using MCP

You could do an LDAP lookup:

Re: Getting AD User Groups (including nested) when using MCP

Thanks for the answer, I knew that we could do this via an LDAP request. The problem is that we have deployed proxies worldwide, each being a member of a local domain. Setting up an LDAP request to get the User Groups would mean requesting some central LDAP server, unless I am mistaken. With worldwide proxies, we would consequently have very high latency for users. NTLM allows us, with a single policy, to have our proxies contact the closest domain controller. That's why I would rather use NTLM over LDAP.

Maybe there is a variable I do not know like $DomainController$, or something like this, that points to the current Domain Controller on which the gateways are attached to make the LDAP request?
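To make the "direct vs. nested" gap concrete for both replies above, here is an added example (not part of the thread, nor McAfee's own code) that builds the AD filter an LDAP lookup would use to pull nested groups in one query (the LDAP_MATCHING_RULE_IN_CHAIN extensible match) and, against a constructed in-memory directory, shows the difference between what a local memberOf read returns and what the full NTLM-style transitive membership contains. The DNs and group names are invented.

```python
from typing import Dict, Set

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN OID: with it, the domain
# controller walks the group nesting server-side in a single search.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed sample directory: group DN -> set of member DNs (users or groups).
SAMPLE_DIRECTORY: Dict[str, Set[str]] = {
    "CN=Internet-Basic,OU=Groups,DC=example,DC=com": {
        "CN=Paris-Staff,OU=Groups,DC=example,DC=com",
    },
    "CN=Paris-Staff,OU=Groups,DC=example,DC=com": {
        "CN=Paris-Users,OU=Groups,DC=example,DC=com",
        "CN=Internet-Basic,OU=Groups,DC=example,DC=com",  # deliberate nesting cycle
    },
    "CN=Paris-Users,OU=Groups,DC=example,DC=com": {
        "CN=alice,OU=Users,DC=example,DC=com",
    },
    "CN=Proxy-Admins,OU=Groups,DC=example,DC=com": {
        "CN=bob,OU=Users,DC=example,DC=com",
    },
}


def escape_dn_for_filter(dn: str) -> str:
    """Escape characters that are special inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in dn)


def nested_groups_filter(user_dn: str) -> str:
    """Filter that returns every group the user is in, directly or via nesting."""
    return f"(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_dn_for_filter(user_dn)})"


def direct_groups(member_dn: str, directory: Dict[str, Set[str]]) -> Set[str]:
    """Groups listing the DN as a direct member: what a local memberOf read gives."""
    return {group for group, members in directory.items() if member_dn in members}


def transitive_groups(member_dn: str, directory: Dict[str, Set[str]]) -> Set[str]:
    """Groups reachable through nesting: what a logon token carries. Cycle-safe."""
    seen: Set[str] = set()
    todo = [member_dn]
    while todo:
        for group in direct_groups(todo.pop(), directory):
            if group not in seen:
                seen.add(group)
                todo.append(group)
    return seen
```

For alice, `direct_groups` yields only Paris-Users, while `transitive_groups` also yields Paris-Staff and Internet-Basic, so a proxy policy keyed on Internet-Basic would match her only with the nested result.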
