vadym
Level 7

MWG Authorize by Kerberos ISSUE: User Groups membership and S-1-18-1

Hello community.

Please help me find a solution to the following issue (I got it in the test laboratory and in the customer's environment):

MWG does not know about all the group memberships of a domain user. (Below is the example for the domain “qwe.local”, the user “admin”, and one of the domain local groups, “test2”.)

MWG successfully authenticates users by Kerberos (I used the following article for the authentication deployment: https://community.mcafee.com/docs/DOC-6449 ), so now we know the user for every request.

However, we have trouble when checking user membership in groups, because MWG does not parse the Kerberos ticket to the end. MWG stops at the SID S-1-18-1. This is the summary we got after investigating the issue:

  1. Proxy configuration (Model WG5000-C)
  • Disabled “replay cache”

___1.jpg

  • Disabled “authentication cache”
  • Enabled “extract group membership IDs from the ticket”
  • Disabled “lookup group names via NTLM”

___2.jpg

  2. User preferences

  • User membership on AD side

___3.jpg

groups type:

___4.jpg

User    Group                          #
Admin   Administrators                 1
        domain admins                  2
        domain users                   3
        enterprise admins              4
        group policy creator owners    5
        group1                         6
        organization management        7
        schema admins                  8
        test1                          9
        test2                         10

  • User membership on client-system side

___5.jpg

See the attached table in the Excel file.

  • User membership on mwg side

The SID of the group “test2” is missing from mwg-core__Auth.debug.log (the test2 SID is S-1-5-21-80214499-1554138238-4006517166-1151):

[2015-04-07 11:04:13.724 +03:00] [3981] Kerberos (3703, 192.168.31.53) Method: Kerberos

[2015-04-07 11:04:13.724 +03:00] [3981] Kerberos (3703, 192.168.31.53) Realm: QWE.LOCAL

[2015-04-07 11:04:13.725 +03:00] [3981] Kerberos (3703, 192.168.31.53) User: admin

[2015-04-07 11:04:13.725 +03:00] [3981] Kerberos (3703, 192.168.31.53) Groups: S-1-5-21-80214499-1554138238-4006517166-1150, S-1-5-21-80214499-1554138238-4006517166-513, S-1-5-21-80214499-1554138238-4006517166-512, S-1-5-21-80214499-1554138238-4006517166-520, S-1-5-21-80214499-1554138238-4006517166-1110, S-1-5-21-80214499-1554138238-4006517166-519, S-1-5-21-80214499-1554138238-4006517166-518, S-1-5-21-80214499-1554138238-4006517166-1112, S-1-18-1

see attached log.


MWG blocks a legitimate user based on the policy that checks User.Groups, because the SID of the group is missing from mwg-core__Auth.debug.log while the user is a member of the group according to the client system and AD. This is shown in the rule tracing analysis:

___6.jpg

     URL http://www.csm-testcenter.org/

     Authentication.Username   admin

     Authentication.Usergroups S-1-5-21-80214499-1554138238-4006517166-1150,S-1-5-21-80214499-1554138238-4006517166-513,S-1-5-21-80214499-1554138238-4006517166-512,S-1-5-21-80214499-1554138238-4006517166-520,S-1-5-21-80214499-1554138238-4006517166-1110,S-1-5-21-80214499-1554138238-4006517166-519,S-1-5-21-80214499-1554138238-4006517166-518,S-1-5-21-80214499-1554138238-4006517166-1112,S-1-18-

     Block.Reason              Authorization failed

see attached rule tracing.

Therefore, the last group that MWG sees is S-1-18-1. S-1-18-1 is a new type of group that came with AD at the Windows 2012 level. The name of S-1-18-1 is “Authentication authority asserted identity”.

After this group appeared, some systems were not able to map this SID (Unknown SID type <-> S-1-18-1), so vendors released hotfixes (for example, the Microsoft hotfix https://support.microsoft.com/en-us/kb/2830145 ).

Has anybody had this problem? How did you fix it?

P.S.: I think that we need to upgrade the MWG authentication engine to solve this issue.

Br

Vadym

1 Solution

Accepted Solutions
amart
Level 9

Re: MWG Authorize by Kerberos ISSUE: User Groups membership and S-1-18-1

Hi Vadym,

thanks a lot for your report. It's not a new type of group but Resource SID Compression that prevents MWG from displaying all SIDs. Currently you have to disable Resource SID Compression (see http://support.microsoft.com/en-us/kb/2774190) for the MWG user in your AD as a workaround; the problem will be fixed in the next MWG version.

User information is stored encoded in the KERB_VALIDATION_INFO structure (2.5 KERB_VALIDATION_INFO) in the ticket. It is hidden in the authorization item with type 128. The 2 missing groups are marked in green (1151 == 0x047f and 572 == 0x23c).

KerbValidationDecoded.jpg

Best Regards,

Andrej.

0 Kudos
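To make the compression Andrej describes concrete, here is an added Python example (not code from the thread, from MWG or from Microsoft). It assumes the MS-PAC layout in which KERB_VALIDATION_INFO carries the resource domain SID once and the compressed groups only as RID/attribute pairs; the binary SID blob and the RIDs are constructed from the values quoted in the thread.

```python
import struct

# SE_GROUP_* attribute bits that accompany each RID in the PAC (MS-PAC GROUP_MEMBERSHIP).
SE_GROUP_MANDATORY = 0x00000001
SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002
SE_GROUP_ENABLED = 0x00000004


def parse_sid(blob: bytes) -> str:
    """Decode a binary SID: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then little-endian uint32 sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15:
        raise ValueError("not a valid revision-1 SID")
    if len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match blob length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def expand_resource_groups(domain_sid_blob: bytes, groups) -> list:
    """Undo resource SID compression: the PAC carries the resource domain SID once
    (ResourceGroupDomainSid) and only RID/attribute pairs (ResourceGroupIds).
    A parser that stops after the ExtraSids entries never sees these groups.
    Only groups with SE_GROUP_ENABLED set count for authorization."""
    domain_sid = parse_sid(domain_sid_blob)
    return ["%s-%d" % (domain_sid, rid) for rid, attrs in groups if attrs & SE_GROUP_ENABLED]


def effective_groups(logged_sids, domain_sid_blob, groups) -> list:
    """Group list a policy check should see: the SIDs already visible in the
    MWG debug log plus the expanded compressed resource groups, de-duplicated."""
    seen = list(logged_sids)
    for sid in expand_resource_groups(domain_sid_blob, groups):
        if sid not in seen:
            seen.append(sid)
    return seen


# Constructed sample input from values quoted in the thread: the qwe.local domain SID
# encoded as a binary SID, and the two RIDs Andrej names (1151 = test2, 572).
DOMAIN_SID_BLOB = (
    bytes([1, 4])                      # revision 1, four sub-authorities
    + (5).to_bytes(6, "big")           # identifier authority 5 (NT Authority)
    + struct.pack("<4I", 21, 80214499, 1554138238, 4006517166)
)
RESOURCE_GROUPS = [(0x047F, 0x7), (0x23C, 0x7)]  # (RID, attributes) pairs
LOGGED_GROUPS = ["S-1-5-21-80214499-1554138238-4006517166-1150", "S-1-18-1"]  # from the log

if __name__ == "__main__":
    for sid in effective_groups(LOGGED_GROUPS, DOMAIN_SID_BLOB, RESOURCE_GROUPS):
        print(sid)
```

The expanded list contains S-1-5-21-80214499-1554138238-4006517166-1151, the test2 SID that the User.Groups rule was looking for.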
12 Replies
asabban
Level 17

Re: MWG Authorize by Kerberos ISSUE: User Groups membership and S-1-18-1

Hello,

unfortunately I don't have a Kerberos environment running right now, so I am unable to reproduce the problem. If all the above analysis (nice work) is correct, I strongly recommend filing a service request with support, as they have the chance to analyse the provided data in depth, replicate the problem if required and escalate to engineering. It might be a limitation somewhere in MWG, but I am not aware of any limitation here. Actually I have to admit my Kerberos knowledge is very limited, so it might be that I am missing something obvious here.

Maybe someone else can give a more helpful answer; I would file a service request with support anyway to make sure this problem gets resolved quickly.

Best,

Andre

0 Kudos
McAfee Employee

Re: MWG Authorize by Kerberos ISSUE: User Groups membership and S-1-18-1

Hi Vadym,

Please do let me know if you have an SR opened on it, I can take ownership of it.

I don't think you have missed anything obvious. The next step would be to get a tcpdump of this happening, and using the keytab to decrypt the ticket information to see if the SIDs are all included.

If you're interested in doing this yourself, you can do it with 32-BIT(!) Wireshark.

Best Regards,

Jon

0 Kudos
McAfee Employee

Re: MWG Authorize by Kerberos ISSUE: User Groups membership and S-1-18-1

Found the case, taking a look.

0 Kudos
vadym
Level 7

Re: MWG Authorize by Kerberos ISSUE: User Groups membership and S-1-18-1

Hello Jon.

The service request number is 4-9063008971.

I uploaded the dumps (from the client system and MWG) and the keytab file to the case yesterday. I have tried to decrypt the ticket just now and have not found any SIDs (only the username, domain name and SPN). Please look at the attached screenshot.

tcpdump_from_mwg.jpg

Could you please clarify where to search for the SIDs in the tcpdump?

Thanks!

Br

Vadym

0 Kudos
McAfee Employee

Re: MWG Authorize by Kerberos ISSUE: User Groups membership and S-1-18-1

Hi Vadym,

I looked at the data you sent over (tcpdump and keytab) and the SIDs are not in human readable form, so I am not sure how to parse them.

I'm guessing the groups are stored in the "authorization-data" in some encrypted/encoded/binary format that I'm not aware of. I tried hex-decoding the info, but it did not convert correctly.

I tried researching it and think it might be related to this:

https://msdn.microsoft.com/en-us/library/aa302203.aspx

My colleague Georg (who you are working with) has engaged the development engineer who works on MWG's Authentication plugin, so you should be in good hands.

Best Regards,

Jon

0 Kudos
McAfee Employee

Re: MWG Authorize by Kerberos ISSUE: User Groups membership and S-1-18-1

Ah yes! SID Compression! I mentioned that in the comments of the kerberos guide () but forgot about it!

Thanks Andrej!

0 Kudos
vadym
Level 7

Re: MWG Authorize by Kerberos ISSUE: User Groups membership and S-1-18-1

Hello.

I tried to use the workaround (Resource SID Compression in Windows Server 2012 may cause authentication problems on NAS devices), but the PowerShell script did not help and there is no such registry key in Windows Server 2012 R2 (see the attached screenshots; the Microsoft article works only for MS Windows Server 2012). Does somebody maybe have a workaround for 2012 R2?

Thanks in advance!

Best regards,

Vadym

0 Kudos
McAfee Employee

Re: MWG Authorize by Kerberos ISSUE: User Groups membership and S-1-18-1

Hi Vadym,

Very strange, I couldn't find it in mine either. I can explore further as time permits, but Andrej mentioned a fix should be in a new version.

Would it be possible to use LDAP(S) to perform group lookups in the meantime?

Best Regards,

Jon

0 Kudos