MWG 7.1 and Kerberos issues

Hi, I'm trying to test Kerberos authentication with 2003 AD and MWG 7.1.0. After creating the keytab I try to upload it to MWG and nothing happens. I don't know if the syntax is correct or it's a bug. I searched for the keytabs via the shell prompt but found nothing; it appears that the file was never imported.

Sorry for my English, friends. Please, I need some light on this issue.

My checklist is:

Create a DNS record for MWG

Create a user account for the service

time and date between MWG and KDC sync ok

Internet explorer settings ok

ktpass syntax: ktpass -princ HTTP/mymwg.mydomain.loc@MYDOMAIN.LOC -mapuser mwg71 -pass mypass -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL

By the way, I have EWS 5.5 and EWS 5.6 working like a charm with Kerberos.

17 Replies
McAfee Employee MSchneider
Message 2 of 18

Re: MWG 7.1 and Kerberos issues

Here is my checklist, maybe it contains a step and some info that helps you.

Every user (client) must exist in the AD/Kerberos database.

  1. Create a user account for the host computer on which proxy Server runs in the Active Directory server. (Select New -> User, not New -> Machine.)
    • When creating the user account, use the simple name of the computer. For example, if the host is named, create a user in Active Directory called myProxy. Note the password you defined when creating the user account. You will need it in step 3. Do not select the User must change password at next logon option, or any other password options.

  2. Configure the new user account to comply with the Kerberos protocol. The user account's encryption type must be DES.
    • Right-click the name of the user account in the Users tree in the left pane and select Properties.
    • Select the Account tab and check the box "Use DES encryption types for this account." Make sure no other boxes are checked, particularly the box "Do not require Kerberos pre-authentication."
    • Setting the encryption type may corrupt the password. Therefore, you should reset the user password by right-clicking the name of the user account, selecting Reset Password, and re-entering the same password specified earlier.
  3. Create a user mapping and a Kerberos keytab file (krb5kt) using the ktpass utility: ktpass.exe is part of the "Support Tools".



Message was edited by: michael_schneider on 18/05/2011 13:01:04 CEST
Michael Schneider
Lead Product Manager for Web Protection

Re: MWG 7.1 and Kerberos issues

Well Michael, I followed the additional steps (very useful, thank you!) but now I've got the following error when trying to authenticate, and it seems the keytab was not uploaded to the appliance because I cannot find it anywhere...

[Auth] [KerberosAuthentication] SPNEGOExtractNegotiateToken SPNEGO error : SPNEGOExtractNegotiateToken() failed

Re: MWG 7.1 and Kerberos issues

Hello Herman and Michael,

I'm having the same error message (SPNEGOExtractNegotiateToken SPNEGO error : SPNEGOExtractNegotiateToken() failed) in the mwg-logfiles.

Since we proved that kerberos works fine on the linux shell (kinit -V -k -t <keytab-file.keytab> -> Authorized, ... and ... kinit -V <AD-User> -> Authorized), we assume a module using the kerberos engine is responsible for this error message.

Hints on this would be much appreciated.

Message edited by uwegoldenstein on 16.06.11 07:46:51 CDT
McAfee Employee jscholte
Message 5 of 18

Re: MWG 7.1 and Kerberos issues

Hi Uwe,

Some problems that can lead to those errors are:

-time on WG is not in sync with user's clock

-how you are accessing the proxy (do you have the IP set in the proxy settings? or do you have the FQDN set?) you will need to have the name specified during keytab creation, so in Herman's example it was "HTTP/mymwg.mydomain.loc@MYDOMAIN.LOC"

In this case you would need "mymwg.mydomain.loc" in the proxy settings.

The main catch that stumped me when I first attempted to use kerberos was the second bullet point. Make sure you are using the proxy as you specified when generating the keytab file.
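
The two causes named in the reply above (clock skew, and a proxy name that differs from the keytab principal) can be checked from the shell. This is an added example, not part of the original thread: the `klist -k` output is a constructed sample, the function names are hypothetical, and the 300-second limit is the common Kerberos default for clock skew, assumed here.

```shell
#!/bin/sh
# Added example: pre-flight checks for the two causes named above.
# Sample data is constructed; function names are hypothetical.

# Constructed sample of `klist -k <keytab>` output.
SAMPLE_KLIST='Keytab name: FILE:/tmp/mwg.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/mymwg.mydomain.loc@MYDOMAIN.LOC'

# spn_matches_proxy <proxy-host-as-set-in-browser> <klist -k output>
# Succeeds only if the keytab holds HTTP/<host>@REALM for exactly that name.
# An IP address or a short host name in the proxy settings will not match,
# because the browser requests a ticket for the name it was given.
spn_matches_proxy() {
    printf '%s\n' "$2" | awk -v h="$1" '
        NF >= 2 && $1 ~ /^[0-9]+$/ {      # data rows look like: KVNO Principal
            p = $2
            sub(/@.*$/, "", p)            # drop the @REALM suffix
            if (p == ("HTTP/" h)) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# skew_ok <local-epoch> <kdc-epoch> [max-seconds]
# Succeeds if the absolute time difference is within the allowed skew
# (300 s assumed here, the common Kerberos default).
skew_ok() {
    max=${3:-300}
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "$max" ]
}

# Real use on a host with the keytab (path is a placeholder):
#   spn_matches_proxy mymwg.mydomain.loc "$(klist -k /path/to/keytab)"
#   skew_ok "$(date +%s)" "<epoch reported by the KDC host>"
```
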


Re: MWG 7.1 and Kerberos issues

Thanks to Jon, now I can use Kerberos. In my case the problem was the time sync: I had set the time and date manually on my MWG, but Jon set it to sync with an NTP server... ufff... thanks again Jon!! I think it is time for someone to write the appropriate KB and/or add the step-by-step to the product guide.


McAfee Employee jscholte
Message 7 of 18

Re: MWG 7.1 and Kerberos issues

I'll work on putting something together in the coming weeks, I'll add it to the documents section of the community along with my other articles.


McAfee Employee jscholte
Message 8 of 18

Re: MWG 7.1 and Kerberos issues

I put a document together based on my experiences with Kerberos.


It's quite comprehensive, please leave any comments if you notice any errors, or see room for improvement.



Re: MWG 7.1 and Kerberos issues

Good night,

I apologize for my English, and for resurrecting the post; if it needs to be moved elsewhere, let me know.

I have problems implementing Kerberos authentication. I followed the document referenced here and reviewed the guidelines given here, but my implementation was unsuccessful.

When running the command "tail -f /opt/mwg/log/mwg-errors/mwg-core.errors.log" I get this error.

[09/19/2014 17:34:25 929 -03:00] [Auth] [KerberosAuthentication] SPNEGOExtractNegotiateToken SPNEGO error : SPNEGOExtractNegotiateToken() failed

If someone has a detailed step-by-step on how to deploy, it would be very useful.

I appreciate any help.

McAfee Employee jscholte
Message 10 of 18

Re: MWG 7.1 and Kerberos issues

Hi Wemerson,

This is a realllllllly old thread.

The error you pasted indicates that the client could not get a ticket, so a step must have been missed in the Kerberos setup.

The full setup guide is listed above:


