1 2 Previous Next 17 Replies Latest reply on Sep 24, 2014 3:39 PM by Jon Scholten

    MWG 7.1 and Kerberos issues


      Hi, Im trying to test kerberos authentication with 2003 AD and MWG 7.1.0, after creating the keytab I try to upload to MWG and nothing happens . I don´t know if the syntax is correct or its a bug , I search for the keytabs via shell prompt but no way, appears that never was imported the file.


      sorry my english friends.please I need some light with this issue.

      my check list is


      Create a DNS record for MWG

      Create a user account for the service

      time and date between MWG and KDC sync ok

      Internet explorer settings ok


      ktpass syntax  ktpass -princ HTTP/mymwg.mydomain.loc@MYDOMAIN.LOC -mapuser mwg71 -pass mypass -crypto  DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL


      by the way I have EWS 5.5  and EWS 5.6 working like a charm with kerberos. 

        • 1. Re: MWG 7.1 and Kerberos issues

          Here is my checklist, maybe it contains a step and some info that helps you.


          Every user (client) must exist in the AD /kerberos database

          1. Create a user account for the host computer on which proxy Server runs in the Active Directory server. (Select New -> User, not New -> Machine.)
            • When creating the user account, use the simple name of the computer. For example, if the host is named myProxy.example.com, create a user in Active Directory called myProxy. Note the password you defined when creating the user account. You will need it in step 3. Do not select the User must change password at next logon option, or any other password options.

          2. Configure the new user account to comply with the Kerberos protocol. The user account's encryption type must be DES.
            • Right-click the name of the user account in the Users tree in the left pane and select Properties.
            • Select the Account tab and check the box "Use DES encryption types for this account." Make sure no
              • other boxes are checked, particularly the box "Do not require Kerberos pre-authentication."
            • Setting the encryption type may corrupt the password. Therefore, you should reset the user password by right-clicking
              • the name of the user account, selecting Reset Password, and re-entering the same password specified earlier.
          3. Create a user mapping  and a kerberos Keytab file (krb5kt) using the ktpass utility: ktpass.exe is part of the 'Support Tools"




          Message was edited by: michael_schneider on 18/05/2011 13:01:04 CEST
          1 of 1 people found this helpful
          • 2. Re: MWG 7.1 and Kerberos issues

            well Michael I follow the additional steps (vey usefull thanks you!) but now I ve got the following error when tying to authenticate and seems the keytab was not  uploaded to appliance cos I can not find anywhere...


            [Auth] [KerberosAuthentication] SPNEGOExtractNegotiateToken SPNEGO error : SPNEGOExtractNegotiateToken() failed

            • 3. Re: MWG 7.1 and Kerberos issues

              Hello Herman and Michael,


              I'm having the same error message (SPNEGOExtractNegotiateToken SPNEGO error : SPNEGOExtractNegotiateToken() failed) in the mwg-logfiles.


              Since we proved that kerberos works fine on the linux shell (kinit -V -k -t <keytab-file.keytab> -> Authorized, ... and ... kinit -V <AD-User> -> Authorized), we assume a module using the kerberos engine is responsible for this error message.


              Hints on this would be much appreciated.


              Nachricht geändert durch uwegoldenstein on 16.06.11 07:46:51 CDT
              • 4. Re: MWG 7.1 and Kerberos issues
                Jon Scholten

                Hi Uwe,


                Some problems that can lead to those errors are:

                -time on WG is not in sync with user's clock

                -how you are accessing the proxy (do you have the IP set in the proxy settings? or do you have the FQDN set?) you will need to have the name specified during keytab creation, so in Herman's example it was "HTTP/mymwg.mydomain.loc@MYDOMAIN.LOC"

                In this case you would need "mymwg.mydomain.loc" in the proxy settings.


                The main catch that stumped me when I first attempted to use kerberos was the second bullet point. Make sure you are using the proxy as you specified when generating the keytab file.



                1 of 1 people found this helpful
                • 5. Re: MWG 7.1 and Kerberos issues

                  Thanks to Jon , now I can use kerberos , in my case the problem was the time sync, I was set the time date manually in my MWG but Jon sets sync with an NTP server... ufff .... thanks again Jon !! I think that is time to someone write the appropiate KB or/and add to the product guide the step by step.


                  • 6. Re: MWG 7.1 and Kerberos issues
                    Jon Scholten

                    I'll work on putting something together in the coming weeks, I'll add it to the documents section of the community along with my other articles.



                    • 7. Re: MWG 7.1 and Kerberos issues
                      Jon Scholten

                      I put a document together based on my experiences with Kerberos.


                      See: https://community.mcafee.com/docs/DOC-2682


                      It's quite comprehensive, please leave any comments if you notice any errors, or see room for improvment.



                      • 8. Re: MWG 7.1 and Kerberos issues

                        Good night,

                        I apologize for my English, and to be resurrecting the post, if you need to carry elsewhere let me know.

                        I have problems in the implementation of the Kerberos authentication, follow the referenced document here reviewed the guidelines given here, however unsuccessfully in my implemntion.

                        When running the command "tail--f /opt/mwg/log/mwg errors/mwg-core.errors.log" I have this error.


                        [09/19/2014 17: 34: 25 929 -03: 00] [Auth] [KerberosAuthentication] 'SPNEGOExtractNegotiateToken' SPNEGO 'error:' SPNEGOExtractNegotiateToken () failed '


                        If someone has a detailed step by step how to deploy would be very useful.

                        I appreciate any help.

                        • 9. Re: MWG 7.1 and Kerberos issues
                          Jon Scholten

                          Hi Wemerson,


                          This is a realllllllly old thread.


                          The error you pasted indicates that the client could not get a ticket, so a step must have been missed in the Kerberos setup.


                          The full setup guide is listed above: Web Gateway: Understanding and Configuring Kerberos (extended guide)




                          1 2 Previous Next