al.johnson
Level 9

Kerberos, WebGateway, and User IDs


We're working on moving from NTLM to Kerberos for our WGA environment.  I've read through and followed Jon's awesome ultimate guide to Kerberos.  While it is working, we need a few more details straightened out to make it production ready and strong enough for our 50,000 users.


We've got most of it working, but now need to figure out how to get the value of samaccount=%u into the logs. Currently I reference authentication.username when logging the requests. In NTLM this gives me the user's unique, short user ID that they use when logging into Windows (and everything else).  When changing to Kerberos, authentication.username, authentication.rawcredentials, and authentication.rawusername all seem to yield the user's full DN.  This presents problems with log space and the ability to search the logs for specific users.  I can ask them their User ID, but try getting someone to tell you their DN.  I see that the short ID is available and used when getting groups via LDAP; it's the %u in the samaccount=%u setting.  How can I get the value of %u in a rule?


0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: Kerberos, WebGateway, and User IDs


Hi Al,

I'm assuming you are not using NTLM (Windows Domain Membership) to perform the group lookups.

This is happening because of the LDAP lookup you perform after doing Kerberos authentication.

If you rely on MWG to look up the groups using NTLM (WDM) instead of LDAP you will not have this problem. Read this part: https://community.mcafee.com/docs/DOC-2682#Get_groups_with_NTLM_new_as_of_72

Otherwise, you can store the username before you do the LDAP group lookup, and then restore it after the LDAP lookup takes place.

Most customers will implement the NTLM fallback as described in the guide because not all browsers/applications play well with Kerberos. This will also help with the transition.

Best,

jon

0 Kudos
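The store-and-restore approach from the accepted answer, sketched as an illustrative rule order (added here, not from the original thread or the product documentation; the rule names, the User-Defined.ShortUserName property and the exact criteria are assumptions, and the existing LDAP group-lookup rule with samaccount=%u is left as it already is in the rule set):

```text
# Authentication rule set, top to bottom. Assumed layout for illustration only.

# 1. Kerberos authentication has already run and Authentication.UserName still
#    holds the short ID at this point.
Rule "Save short user ID before LDAP group lookup"
  Criteria : Authentication.UserName does not equal ""
  Action   : Continue
  Events   : Set User-Defined.ShortUserName = Authentication.UserName   # assumed property name

# 2. The existing LDAP group lookup (samaccount=%u) runs here unchanged.
#    After it, Authentication.UserName contains the full DN, which is what
#    was showing up in the access log.

# 3. Put the short ID back so every later rule and the log handler see it.
Rule "Restore short user ID after LDAP group lookup"
  Criteria : User-Defined.ShortUserName does not equal ""
  Action   : Continue
  Events   : Set Authentication.UserName = User-Defined.ShortUserName
```

With the restore rule in place, the access log rule can keep referencing Authentication.UserName and will log the short, searchable ID rather than the DN.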
2 Replies
al.johnson
Level 9

Re: Kerberos, WebGateway, and User IDs


Thanks Jon, that did it.

For our primary proxy environment, we're going to use NTLM to get the groups.

For a remote site (Chennai) we're going to have to use LDAPS due to some routing and DNS challenges we have there.  For that I'll save the user ID in advance of the LDAPS call.

0 Kudos