cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
bjoernt
Level 9
Report Inappropriate Content
Message 1 of 2
‎12-09-2020 03:16 AM

Rule-Set stops at Kerberos-Authentication

Hi together,

beacause of this "KB Web Gateway response to CVE-2020-1472 (mcafee.com)" i want to change the Authentication-Method from NTLM to Kerberos.
AD-User and keytab-file is ready and imported to MWG, MWG is member of the domain. i build the Rule-Set and now it seems that the Rule-Set stops at the Auth-Rule:

I try this two Methods:

First:

image.png

image.png

Result in Troubleshooting:

image.png

Second:

image.pngimage.png

Result in Troubleshooting: 

image.png

In the Allowed-Group IDs are the IDs from the AD-Groups and in the Allowed User Groups are the Names of the AD-Groups.

Can anyone tell me what is wrong in the rulset?

Thanks
Bjoern

 

 

 

 

0 Kudos
Reply
1 Reply
mkutrieba
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 2
‎03-23-2021 04:59 AM

Re: Rule-Set stops at Kerberos-Authentication

Hello @bjoernt,

I know its (probably too) late and I hope you could already resolve this but still wanted to answer here.

It seems like this is the initial request which just hits the authentication rule set which forces the MWG to respond to the client and offering the authentication methods you have configured (e.g. "Negotiate"). Now, client should come back with a second request including Kerberos details and so authentication should be performed.

To troubleshoot this, more details would be needed and this should be done via SR as debug data is needed which is so sensitive for community. Most likely in such scenarios, clients come back with wrong authentication header or keytab is improperly configured. If there are errors, the error lines should be displayed in mwg-core.errors.log.

So the allowed groups and names rule was not yet working as authentication did not yet happen. Saying more would just be guessing around as this information/data is not enough.

If you have more specific questions, I can try to answer them.

Regards,
Marcel Kutrieba
Technical Support Engineer

If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!
0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com for Enterprise

Legal   |   Privacy   |   Copyright © 2021 Musarubra US LLC