aurimas
Level 7

MWG problem: Kerberos authentication prompting non domain computers

Hi,

I have configured Kerberos authentication on my MWG 7.4.2.2.0. I am using NTLM to get group information. I used this guide https://community.mcafee.com/docs/DOC-2682

It works fine with domain computers where users are logged in. But when the computer is not in the domain, or it is a Linux workstation, it prompts for user name and password. Entering legitimate credentials doesn't work, and it prompts again and again...

With NTLM authentication, entering credentials worked fine.

Where could the problem be?

Or maybe it is possible to turn off prompting for non-domain workstations and just block them for good?

Thanks.

6 Replies
McAfee Employee

Re: MWG problem: Kerberos authentication prompting non domain computers

Hi Audimas!

If you have a non-domain machine, it is expected that authentication will fail.

Since they are not on the domain, the machine will not know where the DC (KDC) is, and therefore will not be able to get a ticket.

I would suggest implementing NTLM fallback or try auth.

Best,

Jon

aurimas
Level 7

Re: MWG problem: Kerberos authentication prompting non domain computers

Hi Jon,

As I understand it, when MWG asks the workstation for Kerberos authentication, the workstation must communicate with the DC to get some kind of ticket, and with that ticket the workstation can authenticate with MWG, am I right?

I read this discussion https://community.mcafee.com/message/260303 and I used your suggested "true ntlm fallback with kerberos v2" rule set, but I would like to know whether it is possible to turn off prompting for non-domain workstations and just block them.

Best,

Aurimas.

McAfee Employee

Re: MWG problem: Kerberos authentication prompting non domain computers

You can create two rules with the following criteria and action:

-Name: Try Auth for Kerberos

-Criteria: Authentication.Authenticate<Kerberos> AND Authentication.Failed equals false

-Action: Authenticate

-Name: Block if failed auth

-Criteria: Authentication.Failed equals true

-Action: Block

Best,

Jon

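The rule pair above decides on the outcome of the Kerberos attempt, but the reason a non-domain machine loops on the prompt is what the client actually puts in its Proxy-Authorization reply: without a KDC it cannot produce a Kerberos ticket, so a Negotiate response carries either nothing usable or an NTLMSSP blob, and only an NTLM fallback rule can accept that. The script below is an added example, not part of the thread and not McAfee code. It parses a 407 response for the offered challenge schemes, classifies the client's token (GSS-API/SPNEGO starts with DER tag 0x60; NTLM messages start with the "NTLMSSP\0" signature), and applies a simplified model of Jon's two rules with and without NTLM fallback. The sample 407 response and the two tokens are constructed stand-ins, not captured MWG traffic; the SPNEGO stub is only long enough to carry the mechanism OID.

```python
"""Classify what a proxy client sent in Proxy-Authorization (added example).

Not part of the original thread and not McAfee code. Models the exchange
described in the thread: proxy answers 407 with Proxy-Authenticate
challenges, client replies with a token. A Negotiate token is Kerberos only
if the client could get a ticket from a KDC; a non-domain machine has no
KDC, so its token is an NTLMSSP blob (or nothing), which is why the
credential prompt loops unless the proxy accepts NTLM as a fallback.
"""
import base64
from typing import List

# NTLM Type 1/2/3 messages all begin with this signature.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# GSS-API InitialContextToken (SPNEGO or raw Kerberos) is DER [APPLICATION 0].
GSSAPI_APPLICATION_TAG = b"\x60"
# DER encoding of the SPNEGO mechanism OID 1.3.6.1.5.5.2.
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"


def parse_challenges(response: str) -> List[str]:
    """Return the schemes offered in the Proxy-Authenticate lines of a 407."""
    schemes = []
    for line in response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate":
            schemes.append(value.strip().split(" ", 1)[0])
    return schemes


def classify_token(header_value: str) -> str:
    """Classify a Proxy-Authorization header value by scheme and token bytes."""
    scheme, _, token = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme not in ("negotiate", "ntlm"):
        return "unknown"
    if not token:
        return "empty"
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if raw.startswith(NTLMSSP_SIGNATURE):
        # Windows wraps NTLMSSP inside "Negotiate" when it has no ticket.
        return "ntlm-in-negotiate" if scheme == "negotiate" else "ntlm"
    if scheme == "negotiate" and raw[:1] == GSSAPI_APPLICATION_TAG:
        return "kerberos"
    return "unknown"


def apply_rules(header_value: str, ntlm_fallback: bool) -> str:
    """Simplified model of the thread's rule pair.

    'Try Auth for Kerberos' succeeds only for a real GSS-API token; with
    ntlm_fallback=True an NTLMSSP token is authenticated instead; anything
    else hits 'Block if failed auth'. This is a model, not MWG's engine.
    """
    kind = classify_token(header_value)
    if kind == "kerberos":
        return "authenticate-kerberos"
    if ntlm_fallback and kind in ("ntlm", "ntlm-in-negotiate"):
        return "authenticate-ntlm"
    return "block"


def make_ntlm_type1() -> bytes:
    """Constructed NTLM Type 1 (negotiate) message: signature, type, flags."""
    return (NTLMSSP_SIGNATURE + (1).to_bytes(4, "little")
            + b"\x07\x82\x08\xa2" + b"\x00" * 16)


def make_spnego_stub() -> bytes:
    """Constructed stand-in for a GSS-API token: tag 0x60, length, SPNEGO OID."""
    body = SPNEGO_OID + b"\xa0\x00"  # empty NegTokenInit placeholder
    return GSSAPI_APPLICATION_TAG + bytes([len(body)]) + body


# Constructed sample data (not captured MWG traffic).
SAMPLE_407 = ("HTTP/1.1 407 Proxy Authentication Required\r\n"
              "Proxy-Authenticate: Negotiate\r\n"
              "Proxy-Authenticate: NTLM\r\n"
              "Content-Length: 0\r\n\r\n")
SAMPLE_KERBEROS_HEADER = "Negotiate " + base64.b64encode(make_spnego_stub()).decode()
SAMPLE_NEGOTIATE_NTLM_HEADER = "Negotiate " + base64.b64encode(make_ntlm_type1()).decode()
SAMPLE_RAW_NTLM_HEADER = "NTLM " + base64.b64encode(make_ntlm_type1()).decode()

if __name__ == "__main__":
    print("offered:", parse_challenges(SAMPLE_407))
    for hdr in (SAMPLE_KERBEROS_HEADER, SAMPLE_NEGOTIATE_NTLM_HEADER, SAMPLE_RAW_NTLM_HEADER):
        print(classify_token(hdr), "->", apply_rules(hdr, ntlm_fallback=False),
              "/", apply_rules(hdr, ntlm_fallback=True))
```

To use this against a real session, paste the Proxy-Authorization value from the proxy access log or a browser's request headers into classify_token: a value whose base64 begins with "TlRMTVNT" is NTLMSSP regardless of the scheme name, while "YI..." is GSS-API. A non-domain Linux box that has not run kinit against a reachable KDC will never produce the latter, so without the NTLM fallback rule its only outcomes are the repeated prompt or the block rule.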
john10
Level 7

Re: MWG problem: Kerberos authentication prompting non domain computers

Hi Jon and Aurimas,

I have exactly the same scenario: to implement authentication for domain machines as well as Linux and Mac OS.

Personally, I wouldn't put the block rule in. It would be good to have Linux and Mac authenticated and let them access the Internet.

Is there a rule set that can be deployed to authenticate Linux and Mac OS? This would enhance security, because usernames are captured and we can keep track of the browsing activity of Linux and Mac users.

I am using the present Kerberos with NTLM fallback rule to track Windows users. It is not helping Linux and Mac users.

Thank you

Regards

John

McAfee Employee

Re: MWG problem: Kerberos authentication prompting non domain computers

The block rule is optional; it would help to understand whether a user failed authentication or not.

We have Macs here, and Kerberos authentication has worked well, assuming that the Mac is joined to the domain.

Best Regards,

Jon

john10
Level 7

Re: MWG problem: Kerberos authentication prompting non domain computers

Hi Jon,

Good point! But the challenge in my environment is that the Mac PCs are not joined to the domain.

Is there a way to open specific websites for, say, 1 hour only for a specific set of Mac and Linux users? If I understand it right, unless these users are authenticated it can't be achieved. Am I right?

Do you know the best way to get this issue addressed?

Some pointers would help me.

Thanks in advance

Regards

John
