bornheim
Level 7

Kerberos, the Universe and Everything

Hi,

I am trying to wrap my head around the complete Kerberos thing for a while now. :-)

In the beginning I tried to follow "Kerberos, The Ultimate Guide" from the "MWG Best Practices and Common Scenarios". I (think I) have Kerberos, fallback to NTLM and fallback to User Database authentications working. Additionally I do some LDAP lookups to gather information like the real user name and group memberships from AD. I also have the fallback from "Negotiate or NTLM" to "just NTLM" working.

There are two things that are bothering me:

- in the Authentication Statistics I see next to no Kerberos Authentication requests (mostly none at all, sometimes up to 40 per day) while I typically have 500,000 LDAP authentications (mostly cached) and 150,000 NTLM authentications per day

- my mwg-core.errors.log is flooded with

     [Auth] [KerberosAuthentication] 'SPNEGOExtractNegotiateToken' 'SPNEGO' error : 'SPNEGOExtractNegotiateToken() failed'

(about 50,000 entries per day)

Our environment consists mostly of IE and Firefox users, most of them benefiting from Single Sign On. Some machines are not AD domain members, but authenticate with AD accounts. Some use the user database.

My questions are:

1.) what exactly do I need Kerberos authentication for? In which scenario does it become active? Can I simply switch it off without losing functionality?

2.) The fallback from "Negotiate or NTLM" to "just NTLM" with Authentication.ClearMethodList and Authentication.AddMethod("NTLM", "", true) is triggered on the condition that Authentication.RawCredentials matches "Negotiate TlRM*". From what I understand: "Negotiate" means "Kerberos Authentication" and "NTLM" means "NTLM authentication". "TlRM" is the start of an NTLM authentication. So what the browsers are doing is "I want to do a Kerberos authentication and here is my NTLM authentication data" which is apparently nonsense. So why do I ask for this nonsense ("Negotiate or NTLM") in the first place? Could I simply remove the condition (Authentication.RawCredentials matches "Negotiate TlRM*") and offer "just NTLM" all the time? It would sure save me all the round trips ending up in 'SPNEGOExtractNegotiateToken() failed'

Kind regards,

Robert

0 Kudos
4 Replies
bornheim
Level 7

Re: Kerberos, the Universe and Everything

Hi,

the document "Kerberos, The Ultimate Guide" seems to have been updated since I last checked.

Protecting "Authentication.Authenticate <Kerberos>" with

     Authentication.RawCredentials does NOT match "Negotiate TlRM*"

seems to have gotten me rid of the 'SPNEGOExtractNegotiateToken() failed' log messages.

Kind regards,

Robert

0 Kudos
c0rec0re
Level 7

Re: Kerberos, the Universe and Everything

Hello bornheim!

I found that I can't do Kerberos Auth after updating MWG from 7.4.2.8 to 7.4.2.10.

After that update I see tons of messages like

[Auth] [KerberosAuthentication] 'SPNEGOExtractNegotiateToken' 'SPNEGO' error : 'SPNEGOExtractNegotiateToken() failed'

I guess I need to fall back to 7.4.2.8 version.

0 Kudos
McAfee Employee

Re: Kerberos, the Universe and Everything

@c0rec0re, please open a case, and provide the data requested in the simplified kerberos guide: That error indicates that the client wasn't able to get a kerberos ticket (usually).

@Robert,

1. Why do you need Kerberos? You may well not need it, Kerberos just adds security, who knows, eventually maybe Microsoft will kill off NTLM??

2. The reason why the NTLM fallback is the way it is, is because of this discussion (), we extend a Kerberos (Negotiate) authentication message, and the client responds with NTLM (exactly as you had described). We must avoid treating the NTLM authentication from the client as though it is Kerberos (because ultimately the browser would fail to authenticate anyways!).

Best Regards,

Jon

0 Kudos
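To make the case Jon describes concrete, here is a small classifier, added as an example and not code from the thread or from the MWG product, that inspects a proxy `Authorization` header the way the `Authentication.RawCredentials matches "Negotiate TlRM*"` rule does: it tells a genuine SPNEGO/Kerberos token apart from an NTLM token the browser sent under the Negotiate scheme, so the proxy never hands NTLM data to the Kerberos handler. The sample tokens are constructed, and the method-name mapping in `choose_method` is an assumption modelled on the rule set quoted in the thread.

```python
import base64
import binascii

# Constructed sample tokens (not captured from the thread's environment).
# NTLM NEGOTIATE_MESSAGE (type 1): signature "NTLMSSP\0", type 1, flags, empty fields.
NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + b"\x00" * 16
NTLM_TYPE1_B64 = base64.b64encode(NTLM_TYPE1).decode()

# DER-encoded SPNEGO mechanism OID 1.3.6.1.5.5.2, as carried in a GSS-API InitialContextToken.
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")
# Minimal GSS-API framing: tag 0x60 (APPLICATION 0), short-form length, OID, placeholder inner bytes.
SPNEGO_TOKEN = b"\x60" + bytes([len(SPNEGO_OID_DER) + 5]) + SPNEGO_OID_DER + b"\xa0\x03\x0a\x01\x00"
SPNEGO_TOKEN_B64 = base64.b64encode(SPNEGO_TOKEN).decode()


def classify_authorization(header):
    """Say which mechanism an Authorization header actually carries.

    Returns one of: none, other, ntlm, ntlm-in-negotiate, spnego, malformed.
    """
    if not header:
        return "none"
    scheme, _, blob = header.partition(" ")
    scheme, blob = scheme.lower(), blob.strip()
    if scheme == "ntlm":
        return "ntlm"
    if scheme != "negotiate":
        return "other"
    # "TlRM" is the base64 of the first bytes of "NTLMSSP": this is exactly the
    # Authentication.RawCredentials matches "Negotiate TlRM*" case from the thread.
    if blob.startswith("TlRM"):
        return "ntlm-in-negotiate"
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return "malformed"
    # A genuine SPNEGO token is a GSS-API InitialContextToken: 0x60 tag, then the SPNEGO OID.
    if raw[:1] == b"\x60" and SPNEGO_OID_DER in raw[:16]:
        return "spnego"
    return "malformed"


def choose_method(header):
    """Map the classification onto the method the proxy should run next.
    Method names mirror the thread's rule set; the mapping itself is an assumption."""
    kind = classify_authorization(header)
    if kind == "spnego":
        return "Kerberos"
    if kind in ("ntlm", "ntlm-in-negotiate"):
        return "NTLM"              # ClearMethodList + AddMethod("NTLM") in MWG terms
    return "Negotiate or NTLM"     # (re)issue the challenge and let the client pick
```

Only the `ntlm-in-negotiate` branch corresponds to the flood of `SPNEGOExtractNegotiateToken() failed` entries: a proxy that sends those blobs to the Kerberos handler logs one failure per request before falling back.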
c0rec0re
Level 7

Re: Kerberos, the Universe and Everything

I've updated to 7.5.2 with

mwg-switch-repo 7.5

yum update

reboot

And kerberos is again working at the same machine!

So, I think, it was broken in 7.4.2.9 or 10 update.

I decided to stay at 7.5.2, because it's a pilot project, so I guess, soon to the end of the year this 7.5 controlled will become main release.

0 Kudos