lubomir_cerny
Level 12

Kerberos authentication + groups names


Hi folks.

I followed the Kerberos guide with MWG 7.4.2.7. I can get the user authenticated OK, but MWG does not return any group names. I have 2 questions:

  1. Is there a way to get group names from Kerberos without NTLM at all?
  2. May I use the Authentication.UserGroups function to work with groups fetched during Kerberos auth?

Am I correct that Kerberos with NTLM Fallback still needs NTLM to fetch group names? Here are the default settings in the Kerberos settings:

[Screenshot: 2015-02-17 11_40_14-Edit Settings.png]

0 Kudos
1 Solution

Accepted Solutions
ifrank
Level 9

Re: Kerberos authentication + groups names


Like the checkbox says, you can extract the group IDs from the ticket. Not the group names. Get the group SID from your AD admin and replace the group name in your rules with the SID string.

0 Kudos
2 Replies
lubomir_cerny
Level 12

Re: Kerberos authentication + groups names


Ok works now.

My mistake was to use Authentication.GetUserGroups in one rule, which returned an empty value and blocked all other rules.

Also, when using Kerberos auth, all group names fetched from the Kerberos ticket are without the domain name part, i.e.: domain\groupname -> groupname

So:

With NTLM help, Authentication.UserGroups returns group names without the domain part.

Without NTLM help, only SIDs are returned as the value, i.e.: S-1-5-21-796845957-1979792683-725345543-34410

thx.

have a nice day.

0 Kudos
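The thread's fix is to swap group names in rules for SID strings. The following is an added example, not part of the thread and not MWG code: it decodes binary SIDs into the `S-1-5-21-...` form and maps a rule's group names to them, ignoring the domain prefix as described above. It assumes the AD admin supplies an export of group name to binary `objectSid`; `DIRECTORY`, the group names and the helper functions are hypothetical.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary SID (AD objectSid layout) into its S-1-... string."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])     # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

def str_to_sid(text: str) -> bytes:
    """Encode an S-1-... string back into the binary layout."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    subs = [int(p) for p in parts[3:]]
    head = bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
    return head + struct.pack(f"<{len(subs)}I", *subs)

def short_name(group: str) -> str:
    """domain\\groupname -> groupname, lower-cased for comparison."""
    return group.rsplit("\\", 1)[-1].lower()

def names_to_sids(rule_groups, directory):
    """Swap group names used in rules for SID strings; list unknown names."""
    index = {short_name(n): sid_to_str(raw) for n, raw in directory.items()}
    mapped, missing = [], []
    for group in rule_groups:
        sid = index.get(short_name(group))
        if sid:
            mapped.append(sid)
        else:
            missing.append(group)
    return mapped, missing

# SID string quoted in the thread; the group names paired with it are constructed.
THREAD_SID = "S-1-5-21-796845957-1979792683-725345543-34410"
DIRECTORY = {  # constructed stand-in for an AD export: name -> binary objectSid
    "EXAMPLE\\Web-Admins": str_to_sid(THREAD_SID),
    "EXAMPLE\\Web-Users": str_to_sid(THREAD_SID[:-1] + "1"),
}

if __name__ == "__main__":
    mapped, missing = names_to_sids(["web-admins", "Web-Users", "Guests"], DIRECTORY)
    print("replace with:", mapped)
    print("no SID found:", missing)
```

Because the domain part is dropped before matching, two groups with the same name in different domains would collide in `index`; check the export for duplicates before rewriting rules.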