cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Izalith6
Level 7
Report Inappropriate Content
Message 1 of 2

Need guidance on authentication (kerberos)

I'm just a bit lost in general. I've read through the Kerberos extended guide but I don't feel it is completely clear and is kind of disjointed, despite all the good information it contains.

Basically, this client doesn't care what form of authentication they have, they just want to see user names in the logs. I chose Kerberos because I have experience with it (via IWA), but have never set it up on the web gateway. If there is a method that would work better in my deployment, I would love to hear about it.

The deployment is 6 MWGs in a management cluster, loadbalanced via WCCP. My understanding is that for this to work, it will be necessary to associate the SPN of each web gateway with a single keytab user in Active Directory. That single keytab user is then associated with the keytab file which is imported into ALL of the web gateways. Is my understanding correct?

Also, I know they want auth to be transparent. For it to work in kerberos, we have to add the FQDN of each MWG to the trusted sites in the browsers. This can be pushed out via GPO. Is that correct as well?

Any other gotchas I should know about? Is there an auth method that may work better with WCCP and multiple MWGs. Just need a bit of guidance here. Thanks a lot!

 

1 Reply
aloksard
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 2

Re: Need guidance on authentication (kerberos)

Hi,

Hope you are doing well.

WCCP is being used which is transparent setup. Authentication server authentication rule set  is generally recommended for autneitcation in transparent setup. Authentication server is a session based authentication. Authentication server requires a trust relationship with the browser.

 

The recommended authentication "front-end" for a transparent setup is the Authentication Server. The authentication server works by storing the user's information into a session database. For brevity's sake a user's session consists of their IP address, username, and session expiration time. Each time a request is made, the session database is checked to see if a session exists for the user's IP. If a session exists, the request is passed through. If a session does not exist, a redirect is sent in response to the request. The requesting machine should follow the redirect and authentication will be performed. If the user provides valid credentials, a session is stored and a the McAfee Web Gateway issues another redirect back to the originally requested URL

 

 

Please refer below link for more information on this:-

 

https://community.mcafee.com/t5/Documents/Web-Gateway-Choosing-the-right-Authentication-Method-for-y...

 

 

As the Web Gateway issues a redirect to itself when a request is made, there are some client side settings that need to be changed in order to establish a trust relationship between the Web Gateway and the client/browser (which will allow for promptless authentication when using NTLM or Kerberos).

 

Look for Browser security settings  in above link.

 

 

In case of Time/IP Based authentication which is generally used with transparent deployment does not work without HTTPS Scanning if you start browsing to an HTTPS web site as first request as their is no CONNECT request as well in transparent setup.

There is no CONNECT request in transparent proxy modes.If there is a CONNECT request MWG can answer a "302" and redirect the client to the authentication server for authentication. If SSL Scanner is enabled MWG can modify the response and redirect the client to the authentication server. If both is not present (transparent proxy, no SSL Scanner) MWG does not have any chance to authenticate the very first request if it is an HTTPS request.

The problem is if you don't have any existing authentication session and start browsing to an HTTPS web site., Since you don't have SSL Scanner enabled MWG cannot make a redirect to the authentication server.

Because there is no CONNECT request to answer a redirect and there is no way for MWG to intercept the communication, So this request is allowed without authentication.

If you go to an HTTP website and authenticate before you go to an HTTPS web site all is good, because then you have an existing authentication session.

 

 

Your understanding related to kerboras is correct.

 

https://community.mcafee.com/t5/Documents/Web-Gateway-Three-Headed-Dog-v1-0-3-A-Kerberos-Setup-Tool/...

 

 

Regards

Alok Sarda

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community