RayP
Level 7

Web Gateway / get local groups / authentication problems in child domains

Domain Level: Server 2012
Root Domain with 3 child domains.
The McAfee WebGateway version 7.1.6.1.0 (build 12742)


Situation:

ChildA.mycompany.com
           User1 is member of the global group ChildA\Internet_Users
ChildB.mycompany.com
           User2 is member of the global group ChildB\Internet_Users
ChildC.mycompany.com
           User3 is member of the global group ChildC\Internet_Users

mycompany.com has a domain local group named P_Default_Internet
     This Domain Local Group has the following members:
                ChildA\Internet_Users
                ChildB\Internet_Users
                ChildC\Internet_Users
                Internet Users


The Web Gateway has the following ruleset:

Authenticate and Authorize
      -Authenticate with NTLM
             Default NTLM domain <empty>
             Send domain and machine name to the client <enabled>
             Get global groups <enabled>
             Get local groups <enabled>
             Prefix group name with domain name (domain\group) <enabled>
             Enable basic authentication <enabled>
             Enable integrated authentication <enabled>
             Enable NTLM cache <enabled>
             NTLM Cache TTL 10 seconds
      -Authorize
             Only allow users of Allowed User Groups

                       The Allowed User Groups are:
                                  -ChildA\Internet_Users
                                  -ChildB\Internet_Users
                                  -ChildC\Internet_Users
                                  -Internet Users

The problem is:

When I uncheck "Get global groups", users of the root domain <mycompany.com> can still access the internet, no problems. Users of all child domains receive the message "Your request has been blocked by McAfee Web Gateway because you have not been authorized and authorization is required."

     URL: http://the.internet.com
     User name: user1

When I check "Get global groups", it is working again.

Why are child domain users receiving this message? They are nested correctly within AD2012.

When I do an authentication test within the Web Gateway, it gives OK as the test result.


Authentication Debugging:

[2014-01-10 08:39:20.318 +01:00] [15374] NTLM (89887, 10.1.51.17) URL: http://google.com/ Connection: 0x7f1f7115e840
[2014-01-10 08:39:20.318 +01:00] [15374] NTLM (89887, 10.1.51.17) Authentication didn't return values, failure ID: 4, authentication failed: 0
[2014-01-10 08:39:20.318 +01:00] [15374] NTLM (89887, 10.1.51.17) Added authentication method: Basic realm="McAfee Web Gateway"
[2014-01-10 08:39:20.318 +01:00] [15374] NTLM (89887, 10.1.51.17) Added authentication method: NTLM
[2014-01-10 08:39:20.366 +01:00] [15387] NTLM (89888, 10.1.51.17) URL: http://google.com/ Connection: 0x7f1f7115e840
[2014-01-10 08:39:20.366 +01:00] [15387] NTLM (89888, 10.1.51.17) Incoming credentials: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
[2014-01-10 08:39:20.366 +01:00] [15387] NTLM (89888, 10.1.51.17) NTLM cache returned status 2
[2014-01-10 08:39:20.366 +01:00] [15387] NTLM (89888, 10.1.51.17) Authentication didn't return values, failure ID: 0, authentication failed: 0
[2014-01-10 08:39:20.366 +01:00] [15387] NTLM (89888, 10.1.51.17) Added authentication method: Basic realm="McAfee Web Gateway"
[2014-01-10 08:39:20.366 +01:00] [15387] NTLM (89888, 10.1.51.17) Added authentication method: NTLM TlRMTVNTUAACAAAACgAAADAAAAAFgokAfF4/aR+pdUcAAAAAAAAAACoAAAA6AAAAYwBvAHMAdQBuAAEAFABDAE8AUwAxAE4AVwAxADAAMAAxAAIACgBjAG8AcwB1AG4AAAAAAA==
[2014-01-10 08:39:20.366 +01:00] [15387] NTLM (89888, 10.1.51.17) Stored NTLM cache keys in the connection
[2014-01-10 08:39:20.391 +01:00] [15384] NTLM (89889, 10.1.51.17) URL: http://google.com/ Connection: 0x7f1f7115e840
[2014-01-10 08:39:20.391 +01:00] [15384] NTLM (89889, 10.1.51.17) Incoming credentials: NTLM TlRMTVNTUAADAAAAGAAYAIIAAADMAMwAmgAAAAwADABYAAAADAAMAGQAAAASABIAcAAAAAAAAABmAQAABYKIAgYBsR0AAAAPN/M0gYNYPhCDJlNs4zEQlU0AQQBTAFQARQBSAEQASgBvAG4AZwAxAEQASQBOADEAWABQADAAMAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFcknqj4H+6v+ORnir3Vql0BAQAAAAAAAKKbfhTXDc8BnviKy7gum6sAAAAAAQAUAEMATwBTADEATgBXADEAMAAwADEAAgAKAGMAbwBzAHUAbgAIADAAMAAAAAAAAAABAAAAACAAAGI3FaUIVDeEnRuU/de2yw9a5rMXN8E6gZ48mZ62PKr9CgAQAAAAAAAAAAAAAAAAAAAAAAAJACYASABUAFQAUAAvADEAOQAyAC4AMQA2ADgALgAxADAANQAuADMANgAAAAAAAAAAAA==
[2014-01-10 08:39:20.391 +01:00] [15384] NTLM (89889, 10.1.51.17) Loaded NTLM cache keys from the connection
[2014-01-10 08:39:20.391 +01:00] [15384] NTLM (89889, 10.1.51.17) NTLM cache returned status 3
[2014-01-10 08:39:20.391 +01:00] [15384] NTLM (89889, 10.1.51.17) Authenticated: 1
[2014-01-10 08:39:20.391 +01:00] [15384] NTLM (89889, 10.1.51.17) Method: NTLM
[2014-01-10 08:39:20.391 +01:00] [15384] NTLM (89889, 10.1.51.17) Realm: ChildA
[2014-01-10 08:39:20.391 +01:00] [15384] NTLM (89889, 10.1.51.17) User: User1

Regards,

Ray
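To read the "Incoming credentials" lines of an authentication debug log like the one above, here is an added Python decoder (not part of the post or of Web Gateway): it parses the NTLMSSP tokens, reporting message type and negotiate flags for a Type 1 token and the domain, user and workstation the client presented in a Type 3 token, which is where the Realm/User lines come from. The Type 1 sample is the one in the post; the Type 3 sample is constructed with the post's placeholder names, and the workstation name and the build_type3 helper are assumptions.

```python
import base64
import re
import struct

NTLMSSP = b"NTLMSSP\x00"
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}          # NegotiateFlags position per message type
NEGOTIATE_UNICODE = 0x00000001                # strings are UTF-16LE when this flag is set
CRED_RE = re.compile(r"Incoming credentials: NTLM (\S+)")
# Type 3 security buffers in wire order: (Len, MaxLen, Offset), 8 bytes each from offset 12
T3_BUFFERS = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")

def parse_ntlm(b64):
    """Decode one NTLMSSP token as logged by the gateway; returns the fields a reviewer needs."""
    msg = base64.b64decode(b64)
    if msg[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    out = {"type": msg_type, "flags": struct.unpack_from("<I", msg, FLAGS_OFFSET[msg_type])[0]}
    if msg_type != 3:
        return out                            # Type 1/2 carry no client identity
    enc = "utf-16-le" if out["flags"] & NEGOTIATE_UNICODE else "cp437"
    for i, name in enumerate(T3_BUFFERS):
        length, _, off = struct.unpack_from("<HHI", msg, 12 + 8 * i)
        data = msg[off:off + length]
        out[name] = data.decode(enc) if name in ("domain", "user", "workstation") else data
    return out

def build_type3(domain, user, workstation, flags=0x02888205):
    """Constructed AUTHENTICATE (Type 3) token with empty challenge responses, for test input only."""
    header_len = 8 + 4 + 8 * len(T3_BUFFERS) + 4 + 8 + 16   # sig, type, buffers, flags, version, MIC
    payload = [b"", b"", *(s.encode("utf-16-le") for s in (domain, user, workstation)), b""]
    buffers, offset = b"", header_len
    for data in payload:
        buffers += struct.pack("<HHI", len(data), len(data), offset)
        offset += len(data)
    version = bytes([6, 1, 0xB1, 0x1D, 0, 0, 0, 0x0F])      # 6.1.7601, same as the post's token
    msg = NTLMSSP + struct.pack("<I", 3) + buffers + struct.pack("<I", flags) + version + bytes(16)
    return base64.b64encode(msg + b"".join(payload)).decode()

def credentials_from_log(lines):
    """Return the decoded token for every 'Incoming credentials' line of an auth debug log."""
    return [parse_ntlm(m.group(1)) for m in map(CRED_RE.search, lines) if m]

# Constructed sample log: Type 1 token copied from the post, Type 3 built above (workstation invented)
SAMPLE_LOG = [
    "[2014-01-10 08:39:20.366 +01:00] [15387] NTLM (89888, 10.1.51.17) Incoming credentials: NTLM "
    "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==",
    "[2014-01-10 08:39:20.391 +01:00] [15384] NTLM (89889, 10.1.51.17) Incoming credentials: NTLM "
    + build_type3("ChildA", "User1", "WS-CHILDA-01"),
]
```

Running credentials_from_log(SAMPLE_LOG) shows the first token as a Type 1 negotiate with no identity and the second as Type 3 with domain ChildA and user User1, matching the Realm and User lines the gateway logs afterwards.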