Kerberos authentication is extremely efficient, but if the MWG is not joined to the domain (which is one of the reasons for using Kerberos in the first place), you cannot simply translate the group membership security IDs (SIDs) supplied in the ticket back to the common group names. There is an excellent writeup on how to use a map list in a section of the article found here.
But how do I do this simply without adding complex rule-processing overhead to every transaction?
With regard to using Kerberos IDs in rules matching against group names in a list, there is another way to accomplish the task without a complex ruleset that maps Authentication.UserGroups and has to be applied to every transaction.
You can take an export of an existing group name list and use it as the input to a PowerShell script running on a domain-joined system with access to the Get-ADGroup cmdlet. The PowerShell script will output a new list with the original group name entries as well as entries for any matching SIDs.
The PowerShell uses the Get-ADGroup cmdlet in this form:
Get-ADGroup -Filter {Name -like "<group name>"} | Select SID
The PowerShell script is attached.
The output from the script can either be appended to, or replace, the original list, and then the list can be used effectively with "none in list" or "at least one in list" against Authentication.UserGroups. These are the most commonly used operators with the Authentication.UserGroups property. If other operators will be used, then you will likely need to use the map list method described in the base article and actually convert the group IDs to group names on each transaction. Note that when using this alternative method the Authentication.UserGroups property will always contain the SIDs; they are never translated.
A bit about the sparsely commented script:
If SID lookup fails, no entry is added, but the original entry remains intact.
Existing SID entries will be removed and will only be restored if the common group name is still in the sourcelist.
Syntax: KerbGroupListAppend.ps1 -inputFile <inputfile> -outputFile <outputfile>
If no inputFile is set, or the inputFile is not found, the program will prompt.
If no outputFile is specified, the program will put the output in GroupOut.lists.
This list:
Gets converted to this list, if you import the output from the powershell script:
Gets converted to this list, if you append the output from the powershell script:
I updated the script on 1/10/2020 (v0.2, couldn't delete the original for some reason) to add some input/output file name and path checking, because I got tired of my "fat fingers" resulting in many PowerShell error messages.
Comments and suggestions welcome as always
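The following is an added example of the name-to-SID list expansion described in the answer above. It is not the attached KerbGroupListAppend.ps1 and not MWG's own code; it assumes the ActiveDirectory (RSAT) module on a domain-joined host, an exported MWG string list with one group name per line, and the same behaviour the answer describes: existing SID entries are dropped, every original name is kept, and a SID line is added only when the lookup succeeds. The parameter names, the default output file name and the SID regex are the example's own choices.

```powershell
# Added example (not the poster's attached script): expand an exported MWG
# group-name list with the matching AD group SIDs so that "at least one in list"
# / "none in list" against Authentication.UserGroups keeps working when the
# ticket only carries SIDs.
# Assumes: RSAT ActiveDirectory module, domain-joined host, one entry per line.
param(
    [string]$inputFile,
    [string]$outputFile = "GroupOut.lists"   # default name follows the post
)

Import-Module ActiveDirectory -ErrorAction Stop

# Prompt until a readable input file is given (same fat-finger protection the post mentions).
while (-not $inputFile -or -not (Test-Path -LiteralPath $inputFile -PathType Leaf)) {
    $inputFile = Read-Host "Path to the exported group list"
}

function Get-GroupSid {
    param([string]$Name)
    # Exact match rather than -like: a name containing '*' must not expand to other groups.
    # Single quotes are doubled so the filter string stays well-formed.
    $safe = $Name -replace "'", "''"
    $g = Get-ADGroup -Filter "Name -eq '$safe'" -ErrorAction SilentlyContinue
    if ($null -eq $g) { return $null }
    return ($g | Select-Object -First 1).SID.Value   # S-1-5-21-...-RID as a string
}

# Anything that already looks like a SID is an old generated entry: drop it and
# regenerate only for names still present (matches the post's "restored only if
# the common group name is still in the source list").
$sidPattern = '^S-1-\d+(-\d+)+$'
$names = Get-Content -LiteralPath $inputFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and $_ -notmatch $sidPattern }

$out  = New-Object System.Collections.Generic.List[string]
$seen = @{}
foreach ($n in $names) {
    if ($seen.ContainsKey($n)) { continue }   # keep the list free of duplicates
    $seen[$n] = $true
    $out.Add($n)                              # original name entry always kept
    $sid = Get-GroupSid $n
    if ($sid) {
        $out.Add($sid)
        Write-Verbose "$n -> $sid"
    } else {
        # Lookup failed: no SID line, but the name stays so the list is not silently shrunk.
        Write-Warning "No AD group named '$n'; kept the name, added no SID"
    }
}

Set-Content -LiteralPath $outputFile -Value $out -Encoding UTF8
Write-Host "Wrote $($out.Count) entries to $outputFile"
```

Run it as `.\ExpandGroupList.ps1 -inputFile .\groups.txt -outputFile .\GroupOut.lists -Verbose` and import or append the result in the MWG list editor. Two practical checks before trusting the output: compare the warning count against the input, since every warning is a group whose members will no longer match after the cut-over, and re-run the script whenever groups are renamed or recreated, because a recreated group gets a new RID and the stale SID line will match nobody.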