luca.scamoni
Level 8

Kerberos and NTLM authentication fallback


I'm facing this problem with MWG 7.2.0.3 configured to authenticate clients using kerberos or NTLM as a fallback mechanism.

[screenshot: webgateway.PNG]

  • upon submitting the GET request the client receives a 407 response asking to authenticate using Negotiate or NTLM
  • here three things may happen:
    1. the client has or negotiates a valid kerberos ticket and submits the GET request including the krbtkt using negotiate method; OK
    2. the client doesn't know how to manage kerberos and chooses to submit the GET request choosing the NTLM method; OK
    3. the client can't (or won't) negotiate a valid kerberos ticket and submits the GET request including the NTLMSSP using negotiate method; KO

this last case leads to the browser showing the classic "unable to connect" message.

A tcpdump of case 1:

[screenshot: krb1.png]

frame 839:

[screenshot: get.PNG]

frame 847:

[screenshot: 407.PNG]

frame 879 after kerberos ticket negotiation:

[screenshot: get2.PNG]

leading to the final 200/OK

A tcpdump of case 3:

[screenshot: failed.PNG]

frames 379 and 384 are similar to 839 and 847 above. Then frame 388:

[screenshot: getntlm.PNG]

sends the negotiate request using NTLMSSP and MWG answers in frame 398:

[screenshot: 407ntlm.PNG]

here traffic ends and IE shows the can't connect message

Here the browser tells MWG that the strongest security method he knows is NTLM but MWG is unable to complete the NTLM handshake using negotiate.

Can it be made to work as expected?

0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: Kerberos and NTLM authentication fallback


Hi Luca,

The first scenario is that of a successful communication (as you expect).

The second scenario (you referred to as case 3) is occurring because the browser is choosing the wrong header to send which is causing the failure.

The browser is sending a Negotiate step when it should be sending NTLM.

It's sending:

Proxy-Authenticate: Negotiate N1RM

It should be sending:

Proxy-Authenticate: NTLM N1RM

By sending the Negotiate step this is indicating that Kerberos authentication is being used, so the MWG acts accordingly.

For more information see here:

http://tools.ietf.org/html/rfc4559

http://www.ietf.org/rfc/rfc2617.txt

From my experience, we did try to make the Web Gateway accept NTLM tokens used with the "Proxy-Authenticate: Negotiate", but in the end the browser started having issues of its own (it rejected the challenge).

So to answer your question, MWG cannot handle NTLM authentication when Negotiate is used. The browser issue must be addressed for authentication to take place properly.

Let me know if any questions remain.

Best,

Jon

0 Kudos
6 Replies
luca.scamoni
Level 8

Re: Kerberos and NTLM authentication fallback


Hi Jon,

thank you for your answer. I was really looking for a confirmation of my suspicions.

Best,

Luca

0 Kudos
McAfee Employee

Re: Kerberos and NTLM authentication fallback


I ran out of time yesterday, but there is something that we can do with the rules, it will take a little magic though, I'll keep you posted.

Best,

Jon

0 Kudos
luca.scamoni
Level 8

Re: Kerberos and NTLM authentication fallback


I love magic! ;-)

0 Kudos
McAfee Employee

Re: Kerberos and NTLM authentication fallback


Hi Luca,

Magic! See attached ruleset and screenshot below.

[screenshot: true ntlm fallback with kerberos v2.png]

This appears to do the trick.

This is how it works:

1. Client makes request (no authentication information)

2. Proxy responds with all authentication methods it supports according to the auth settings used (Negotiate, NTLM, basic)

3. In the case that the client responds with the "Proxy-Authenticate: Negotiate NlRM...", Web Gateway will discard it, and respond with another 407, but WITHOUT the Negotiate auth method included.

4. The client will then reply with "Proxy-Authenticate: NTLM NlRM...".

5. The rest of NTLM authentication will take place without issue!

See screenshots below (labeled according to the steps listed above):

1: [screenshot: 1.png]

2: [screenshot: 2.png]

3: [screenshot: 3.png]

4: [screenshot: 4.png]

5: [screenshot: 5.png]

Please test it and let me know if it works.

0 Kudos
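The fallback logic from steps 1-5 above, and the three client cases from the original question, modelled as an added example (not the Web Gateway ruleset itself, which is only available as the attached screenshot). It assumes the distinguishing feature of "case 3" is a raw NTLMSSP message carried inside a Negotiate header, so the proxy inspects the decoded token rather than trusting the scheme name; the sample tokens are constructed, and the Basic method is shown without its realm parameter.

```python
import base64
import binascii

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"            # prefix of every raw NTLM message
OFFERED = ["Negotiate", "NTLM", "Basic"]       # step 2: methods the proxy advertises

# Constructed sample tokens (not from the thread's traces): a minimal NTLM type 1, and a SPNEGO blob (DER tag 0x60, OID 1.3.6.1.5.5.2)
SAMPLE_NTLM_TYPE1 = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
SAMPLE_SPNEGO = base64.b64encode(b"\x60\x0c\x06\x06\x2b\x06\x01\x05\x05\x02\xa0\x02").decode()

def classify(value):
    """Label a Proxy-Authorization value as in the three cases of the question."""
    parts = value.strip().split(None, 1) if value else []
    if not parts:
        return "anonymous"
    try:
        token = base64.b64decode(parts[1], validate=True) if len(parts) > 1 else b""
    except (binascii.Error, ValueError):
        token = b""                            # undecodable token: treat as empty
    if parts[0] == "Negotiate" and token:      # cases 1 and 3 differ only in the token body
        return "ntlm-in-negotiate" if token.startswith(NTLMSSP_SIGNATURE) else "kerberos"
    if parts[0] == "NTLM" and token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                          # case 2
    return "other"

def proxy_decision(value, offered=OFFERED):
    """The fallback rule: (action, Proxy-Authenticate methods for the next 407)."""
    kind = classify(value)
    if kind == "ntlm-in-negotiate":            # step 3: discard, re-challenge without Negotiate
        return "rechallenge-without-negotiate", [m for m in offered if m != "Negotiate"]
    if kind in ("kerberos", "ntlm"):           # steps 4-5: the normal handshake continues
        return "continue-handshake", []
    return "challenge", list(offered)          # step 2 (also for unknown schemes)

def case3_client(methods):
    """Browser of case 3: picks Negotiate whenever offered but only has NTLM to put in it."""
    if "Negotiate" in methods:
        return "Negotiate " + SAMPLE_NTLM_TYPE1
    return "NTLM " + SAMPLE_NTLM_TYPE1 if "NTLM" in methods else None

def simulate(client, rounds=4):
    """Run steps 1-5 against a client model; returns the proxy's actions in order."""
    trace, auth = [], None
    for _ in range(rounds):
        action, methods = proxy_decision(auth)
        trace.append(action)
        if not methods:                        # handshake handed off, nothing more to offer
            break
        auth = client(methods)
    return trace
```

Running `simulate(case3_client)` reproduces the sequence in the screenshots: a full challenge, a second 407 without Negotiate, then the NTLM handshake proceeds.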
luca.scamoni
Level 8

Re: Kerberos and NTLM authentication fallback


Thanks Jon,

it works like a charm!

0 Kudos