McAfee Employee jebeling
McAfee Employee
Message 1 of 2

How do I Map Kerberos SIDs to Group Names?


Kerberos authentication is extremely efficient, but if the MWG is not joined to the domain (which is one of the reasons for using Kerberos in the first place), you cannot simply translate the group membership security IDs (SIDs) supplied in the ticket back to the common group names. There is an excellent writeup on how to use a map list in a section of the article found here

But, how do I do this simply without adding complex rules processing overhead to every transaction?  


Accepted Solutions
McAfee Employee jebeling
McAfee Employee
Message 2 of 2

Re: How do I Map Kerberos SIDs to Group Names?


With regard to using Kerberos IDs in rules matching against group names in a list, there is another way to accomplish the task without a complex ruleset that maps Authentication.UserGroups and has to apply against every transaction.

You can take an export of an existing group name list and use it as an input to a PowerShell script running on a domain-joined system with access to the Get-ADGroup cmdlet. The PowerShell script will output a new list with the original group name entries as well as entries for any matching SIDs.

The PowerShell script uses the Get-ADGroup cmdlet in this form:

Get-ADGroup -Filter {Name -like "<group name>"} | Select SID

The PowerShell script is attached.

The output from the script can either be appended to, or used to replace, the original list, and then the list can be used effectively with the "none in list" or "at least one in list" operators on Authentication.UserGroups. These are the most commonly used operators with the Authentication.UserGroups property. If other operators will be used, then you will likely need to use the map list method described in the base article and actually convert the group IDs to group names on each transaction. Note that when using this alternative method the Authentication.UserGroups property will always hold the SIDs; they are never translated.

A bit about the sparsely commented script:

If SID lookup fails, no entry is added, but the original entry remains intact.

Existing SID entries will be removed and will only be restored if the common group name is still in the source list.

Syntax: KerbGroupListAppend.ps1 -inputFile <inputfile> -outputFile <outputfile>

If no inputFile is set or the inputFile is not found, the program will prompt.

If no outputFile is specified, the program will put the output in GroupOut.lists.

This list:

Kerb1.png

Gets converted to this list, if you import the output from the PowerShell script:

Kerb3.png

Gets converted to this list, if you append the output from the PowerShell script:

kerb2.png

I updated the script on 1/10/2020 (v0.2, couldn't delete the original for some reason) to add some input / output file name and path checking because I got tired of my "fat fingers" resulting in many PowerShell error messages.

Comments and suggestions welcome as always

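The following PowerShell script is an added example of the approach described in the answer above; it is not the script attached to the post. It assumes (the page does not say) that the exported MWG list is a plain text file with one entry per line and that the ActiveDirectory module is available on the domain-joined host. It keeps every group name from the input, drops any SID entries already present (so they only come back if their group name is still listed), and appends the SID of each group that Get-ADGroup can resolve; an entry whose lookup fails stays in the output without a SID.

```powershell
# Example script (not the attached KerbGroupListAppend.ps1): rebuild a group list
# so it holds group names plus the SIDs Active Directory returns for them.
# Assumption: input is one list entry per line (plain text).
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [string]$InputFile,

    # Same default output name the post mentions.
    [string]$OutputFile = 'GroupOut.lists'
)

Import-Module ActiveDirectory -ErrorAction Stop

if (-not (Test-Path -LiteralPath $InputFile -PathType Leaf)) {
    throw "Input file not found: $InputFile"
}

# String form of a Windows SID: S-1-<authority>-<sub-authorities...>
$sidPattern = '^S-1-\d+(-\d+)+$'

# Keep only the group-name entries. Any SID entry already in the list is dropped
# here and is only restored below if its group name is still in the source list.
$names = Get-Content -LiteralPath $InputFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and ($_ -notmatch $sidPattern) } |
    Select-Object -Unique

$output = New-Object 'System.Collections.Generic.List[string]'
$sids   = New-Object 'System.Collections.Generic.List[string]'

foreach ($name in $names) {
    # The original group-name entry always survives, whether or not lookup works.
    $output.Add($name)

    # Single quotes must be doubled inside the AD filter string syntax.
    $escaped = $name -replace "'", "''"
    try {
        $groups = Get-ADGroup -Filter "Name -like '$escaped'" -ErrorAction Stop
    }
    catch {
        Write-Warning "Lookup failed for '$name': $($_.Exception.Message)"
        continue
    }

    if (-not $groups) {
        Write-Warning "No group matched '$name'; no SID entry added."
        continue
    }

    # A -like filter can match more than one group; add each distinct SID once.
    foreach ($g in @($groups)) {
        $sid = $g.SID.Value
        if (-not $sids.Contains($sid)) { $sids.Add($sid) }
    }
}

# Names first, then the resolved SIDs, one entry per line.
$output.AddRange($sids)
Set-Content -LiteralPath $OutputFile -Value $output -Encoding UTF8
Write-Host "Wrote $($output.Count) entries ($($sids.Count) SIDs) to $OutputFile"
```

Run it on the domain-joined host as, for example, `.\GroupListSidAppend.ps1 -InputFile .\groups.txt -OutputFile .\GroupOut.lists` (the script file name here is hypothetical). Because Authentication.UserGroups only ever carries SIDs when the MWG is not domain-joined, the group-name entries in the result are inert for matching; it is the appended SID lines that make "at least one in list" and "none in list" work, which is why a stale SID is deliberately discarded unless its group name is still in the source.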

