
LDAP authentication with fallback to user database authentication

Hello,

I am trying to achieve something that seemed to be easy in MWG6: LDAP authentication against an Active Directory and, if that fails, authentication against the user database:

[Attachment: Hardcopy1.jpg]

For LDAP authentication I defined the proxy realm to be "McAfee Web Gateway (LDAP)", for user database authentication I defined proxy realm to be "McAfee Web Gateway (User-DB)".

What I see now is this:

1.) On the first request, Firefox asks for user name and password; the realm is "moz-proxy://160.1.3.2:8080". This is the IP and port of a Squid proxy between the browser and MWG. Sort of OK.

1a.) If I provide correct LDAP credentials, Firefox just repeats the question. Not OK.

1b.) If I provide correct user database credentials, I get logged in. OK.

2.) If I click "Cancel" immediately on the first authentication request, Firefox again asks for user name and password; the realm is "McAfee Web Gateway (LDAP)".

2a.) If I provide correct LDAP credentials, I get authenticated successfully. Sort of OK. Why not in the first place?

2b.) If I provide correct user database credentials, I get authenticated successfully. Sort of OK.

2c.) If I click on "Cancel" instead, Firefox shows me the "The proxy server is refusing connections" page. OK.

3.) If I provide INCORRECT credentials on the first authentication request, then click "Cancel", Firefox again asks for user name and password; the realm is "McAfee Web Gateway (User-DB)". Interesting.

3a.) If I provide correct credentials now (LDAP or user database), I get authenticated successfully. Sort of OK. Why not in the first place?

Could someone please provide some insight?

Thanks,

Robert

3 Replies

Re: LDAP authentication with fallback to user database authentication

Clarify something here.

Are you saying you have 2 proxies chained and Squid is authenticating?

Client -> Squid -> MWG -> Internet

You are not allowed to do this. Only the first proxy can do browser authentication.

Re: LDAP authentication with fallback to user database authentication

Yes, this (Client > Squid > MWG > Internet) is the configuration. I am not aware of why this should be forbidden. Is there any part of the documentation stating this restriction?

And why should it be working (allowed or not) with MWG6 but not with MWG7?

Regards,

Robert

Re: LDAP authentication with fallback to user database authentication

It is not a restriction of MWG, per se, but a restriction with the HTTP protocol. It's forbidden in the RFC.

The only suggestion is to somehow put the username into an X-Authenticated-User: and X-Authenticated-Groups: header in the request and have MWG strip those out and use them.

Unfortunately, I don't think Squid can insert custom headers like that, but 2 MWGs in a row can.
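The point the replies are making is a property of HTTP itself: RFC 7235 (sections 4.3 and 4.4) defines Proxy-Authenticate as applying only to the next outbound client and Proxy-Authorization as consumed by the first inbound proxy that asked for it, so a second proxy in the chain never receives the browser's credentials and its own 407 challenge only confuses the browser, which is what the observed realm juggling in the original post looks like. The example below is added here and is not part of the thread, nor McAfee or Squid code: it is a toy model of the Client -> Squid -> MWG chain in which the first hop authenticates and passes identity on in the X-Authenticated-User / X-Authenticated-Groups headers named in the last reply. The credential dictionary, the `160.1.3.2` trusted-peer check, and the helper names (`first_proxy`, `second_proxy`, `run_chain`, `parse_basic`, `basic_auth`) are assumptions made for the example. The security caveat it demonstrates is the one a practitioner must get right with any such header hand-off: the second hop must accept the identity headers only from the first hop, the first hop must overwrite any copy the client sent, and the headers must be stripped before the request leaves the perimeter.

```python
import base64
import binascii

# Constructed sample credential store for the first hop (Squid in the thread).
# A real deployment would consult LDAP or a user database; this dict is an
# assumption made for the example only.
FIRST_HOP_USERS = {"alice": ("s3cret", ["staff", "web-users"])}

# Address of the first hop, taken from the original post; the second hop only
# accepts identity assertions that arrive from this peer (assumption).
TRUSTED_FIRST_HOP = "160.1.3.2"

IDENTITY_HEADERS = ("X-Authenticated-User", "X-Authenticated-Groups")


def parse_basic(value):
    """Decode 'Basic <base64(user:password)>'; return (user, password) or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def basic_auth(user, password):
    """Build the Proxy-Authorization value a browser would send for Basic."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def first_proxy(request):
    """Toy Squid. Proxy-Authorization is consumed here (RFC 7235 section 4.4),
    so the next hop never sees the browser's credentials; identity is passed on
    in X-Authenticated-* headers that this hop vouches for."""
    headers = dict(request["headers"])
    # Drop identity headers supplied by the client: only this hop may assert them.
    for name in IDENTITY_HEADERS:
        headers.pop(name, None)
    creds = parse_basic(headers.pop("Proxy-Authorization", ""))
    if creds is None or creds[0] not in FIRST_HOP_USERS \
            or FIRST_HOP_USERS[creds[0]][0] != creds[1]:
        return {"status": 407,
                "headers": {"Proxy-Authenticate": 'Basic realm="first-hop"'}}
    user, (_, groups) = creds[0], FIRST_HOP_USERS[creds[0]]
    headers["X-Authenticated-User"] = user
    headers["X-Authenticated-Groups"] = ",".join(groups)
    return {"status": 200,
            "forward": {"peer": TRUSTED_FIRST_HOP, "headers": headers}}


def second_proxy(forwarded):
    """Toy MWG. Trust X-Authenticated-* only when the request comes from the
    first hop, then strip them so they never leave the perimeter."""
    headers = dict(forwarded["headers"])
    user = headers.get("X-Authenticated-User")
    groups = headers.get("X-Authenticated-Groups", "")
    if forwarded["peer"] != TRUSTED_FIRST_HOP or not user:
        # No trustworthy identity: refuse. Issuing a browser challenge from the
        # second hop would not help, since the browser's reply is consumed upstream.
        return {"status": 407, "user": None,
                "headers": {"Proxy-Authenticate": 'Basic realm="second-hop"'}}
    for name in IDENTITY_HEADERS:
        headers.pop(name, None)
    return {"status": 200, "user": user,
            "groups": [g for g in groups.split(",") if g],
            "upstream_headers": headers}


def run_chain(client_headers):
    """Send one client request through first_proxy and then second_proxy."""
    first = first_proxy({"headers": client_headers})
    if first["status"] != 200:
        return first
    return second_proxy(first["forward"])


if __name__ == "__main__":
    ok = run_chain({"Host": "example.com",
                    "Proxy-Authorization": basic_auth("alice", "s3cret")})
    print(ok["user"], ok["groups"], sorted(ok["upstream_headers"]))
    # A client cannot become 'admin' by sending the identity header itself.
    spoof = run_chain({"Host": "example.com", "X-Authenticated-User": "admin",
                       "Proxy-Authorization": basic_auth("alice", "s3cret")})
    print(spoof["user"])
    # Identity headers arriving from anywhere but the first hop are refused.
    direct = second_proxy({"peer": "10.0.0.5",
                           "headers": {"X-Authenticated-User": "admin"}})
    print(direct["status"])
```

In a real deployment the trust decision in `second_proxy` would be made on the upstream proxy's source address or a mutually authenticated link rather than a string compare, and the first hop would also have to remove client-supplied X-Authenticated-* headers before forwarding, exactly as the toy `first_proxy` does; without that step any browser user could claim an arbitrary identity and group list to the second gateway.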
