cancel
Showing results for 
Search instead for 
Did you mean: 
john10
Level 7

How to force Workgroup machines to use NTLM where as all other machines in domain to use Kerberos

Jump to solution

Hi,

I was planning to configure Kerberos Authentication for all the machines in the domain. The rule worked very well but failed for all the machines which were in the workgroup.

It kept on prompting authentication.

I am not able to see an option in MWG to configure NTML auth (as a fall back option) if the Kerberos fail.

Is there a way to configure MWG so that it tries to authenticate the browsers through Kerberos and if it fails it should do NTLM authentication.

Thank you

-John

0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: How to force Workgroup machines to use NTLM where as all other machines in domain to use Kerberos

Jump to solution

Hi John,

I'm pretty sure this guide: has something about NTLM fallback ;-)

Best,

jon

9 Replies
McAfee Employee

Re: How to force Workgroup machines to use NTLM where as all other machines in domain to use Kerberos

Jump to solution

Hi John,

I'm pretty sure this guide: has something about NTLM fallback ;-)

Best,

jon

john10
Level 7

Re: How to force Workgroup machines to use NTLM where as all other machines in domain to use Kerberos

Jump to solution

Hi Jon,

You hit the Bulls eye! I am sure this is what I was looking for.

I will take a look at the guide sometime late and try to modify my rule to incorporate the NTLM fallback option!.

Thank you so much

I appreciate your quick help

Regards

John

0 Kudos
john10
Level 7

Re: How to force Workgroup machines to use NTLM where as all other machines in domain to use Kerberos

Jump to solution

Hi Jon,

I could successfully implement Kerberos with NTLM fallback. I have a small issue. Below are the details

When a user from the domain tries to browse using McAfee Webproxy the username is captured.

However when a Workstation tries to browse using McAfee Webproxy I am not able to pickup the Name of the user. I did few modifications to get the username from the workstation machine but went in vain. Any suggestions here?

Regards

John

0 Kudos
McAfee Employee

Re: How to force Workgroup machines to use NTLM where as all other machines in domain to use Kerberos

Jump to solution

Hi John,

I'm not clear on what you mean.

Are you saying that the workstation is making requests ($WORKSTATION) to the internet for updates? In this case you want to get the username from the workstation name? If it's truley not the user making the requests, I'm not sure you can derive the username from the workstation name.

Best Regards,

Jon

0 Kudos
john10
Level 7

Re: How to force Workgroup machines to use NTLM where as all other machines in domain to use Kerberos

Jump to solution

Hi Jon,

First of all thanks for the prompt response.

My apologies for the late reply. I was on vacation without internet access. Hence I could not respond on time.

Probably my question was not clear enough. Sorry about that.

I have imported the Kerberos ruleset with NTLM fallback option from the link you set earlier. My environment has Windows machines in domain, Linux, Unix, MAC and Windows Workstation machines as well.

Here is what I am trying to achieve using MWG.

Scenario:

I have imported the Kerberos ruleset with NTLM fallback option from the link you set earlier. Now, I am able to browse Internet from (Windows machines in domain, Win Workstations and Linux systems).

I am able to browse Internet from Windows machines joined to domain directly. It doesn't prompt for the User credentials. Probably it's using Kerberos auth and hence not prompting for user credentials.

When I try to browse from Workstations and Linux machines, it initially prompts for the User credentials (It comes from the proxy server). Once I authenticate it works fine.

Questions

1. It looks like Workstation and Linux machines are using NTLM authentication. Can we force Workstation and Linux systems to use Kerberos? Is there a way to achieve that? I want to do this because Kerberos is more secure than NTLM

2. I am still trying to understand Kerberos ruleset. When I browse from different machines (machines in domain, workstations, Linux) it works but I am not sure whether those systems used Kerberos or NTLM. I installed some of the Live Header plugins for Chrome and it doesn't show if the browsers chose Kerberos or NTLM. Do you know of some browser plug in which will tell what authentication is being used? 

In the article under the section 'http Headers' it talks how the header should look like. Not sure which plugin was used to see this info. I am not able to see this kind of info using any of the plugins in different browsers

Regards

John

0 Kudos
gwieser
Level 7

Re: How to force Workgroup machines to use NTLM where as all other machines in domain to use Kerberos

Jump to solution

Hi John!

You should check the browser security settings as described in https://community.mcafee.com/docs/DOC-4384, especially the settings for "network.automatic-ntlm-auth.trusted-uris" (for NTLM) in Firefox. I have no experience with Chrome, but I hope there is an equivalent entry.

Hope this helps

Gerhard

0 Kudos
john10
Level 7

Re: How to force Workgroup machines to use NTLM where as all other machines in domain to use Kerberos

Jump to solution

Hi Gerhard,

Thanks for the reply. I had seen that link earlier but what I am trying to do is not there in the document.

The problem of having "network.automatic-ntlm-auth.trusted-uris" (for NTLM) entry in Firefox is that I will not be able to make this entry on all the machines. There are 1000s of machines. So, it is impossible to get this fixed with this approach. If this is the only way then I need to think of some other alternative which needs modification of settings only on the server and no action would be required on the client side.

Thank you so much

Regards

John

0 Kudos
gwieser
Level 7

Re: How to force Workgroup machines to use NTLM where as all other machines in domain to use Kerberos

Jump to solution

Hi John,

well, it's about time you should think about central customizing of firefox (or rather chrome). a good starting point for ff (which is still lacking enterprise configuration possibilities) you can find here: CCK2 | Mike's Musings

An other collegue gave the tip for chrome: Set up Chrome for Work - Chrome for Work and Education Help (you can configure chrome via gpo's)

Regards

Gerhard

0 Kudos
john10
Level 7

Re: How to force Workgroup machines to use NTLM where as all other machines in domain to use Kerberos

Jump to solution

Hi Gerhard,

Thanks for your prompt and quick reply once again!

Yeah I am planning to get the some of these configuration into the baseline image so that every firefox/Chrome will have the required parameters enabled. This would be a long term plan.

I am right now thinking on some alternate quick fix soltuion for my present environment.

I will google a little more to see if there is some breakfix.

Thank you so much for your support!

Regards

John


0 Kudos