5 Replies Latest reply: Mar 18, 2013 11:01 AM by asabban RSS

    Fallback Authentication kerberos and LDAP




      i've tried to implement a fallback authentication Rule:

      1. Kerberos

      2. LDAP (if Kerberos failed)


      But it doesn't work. The Browser always chooses Kerberos.

      I've already tested the "Authenticate against Multiple Directories"-Ruleset and read this:

      "This rule set will not work for prompt-less authentication, or mixed authentication

      methods such as integrated for NTLM plus basic for LDAP"


      Is it possible that it doesn't work with Kerberos because it's the same behaviour as with integrated NTLM?


      kind regards

        • 1. Re: Fallback Authentication kerberos and LDAP



          yes that is true. I believe MWG will tell the browser that we support "Negotiate" and "Basic" as methods to authenticate. The browser will pick the strongest one (Negotiate) and fail to do basic. If I remember correctly it is required to use the "Authentication.ClearMethodList" Event to clear out the offered methods to the browser, so that the browser will use basic.


          I think we have an example rule set somewhere, I will see if I can find it.




          • 2. Re: Fallback Authentication kerberos and LDAP

            Here is an example:



            I have not tested it, so I cannot guarantee that is works, but maybe you can give it a try?




            • 3. Re: Fallback Authentication kerberos and LDAP



              yes this ruleset works.

              Thanks for your support.




              • 4. Re: Fallback Authentication kerberos and LDAP

                Hello Andre,


                the rule set works fine. But now I wanted to extend the policy with getting LDAP group details for authorisation.


                Here is my the policy:




                With this new ruile I have a problem, that from time to time the user gets a "not authorized" message. Does the user refresh the site with F5, the site is displayed.

                If I place the Get-UserGroup rule after the LDAP authentication rule, the authorization don't work anymore.


                Do you have any idea why?

                May be my additional rule is not correct?



                Thanks and Regards,



                Nachricht geändert durch vkloezer on 18.03.13 07:07:38 CDT
                • 5. Re: Fallback Authentication kerberos and LDAP

                  Hi Viktor,


                  basically the rules look OK for me. I am curious about the "from time to time" statement. Does this mean that the error pops up randomly? Is there anything you can point out when the issue occurs or can you reliably replicate the issue when you do a specific action?


                  I would assume that when the rule works for most request the rule should be correct. If you can try you could move the additional rule that looks up the group membership and place it to a separate rule set which you call once authentication is provided.


                  Does the issue occur with the additional rule disabled?


                  For me it sounds like there is maybe a problem for MWG when trying to check the credentials against kerberos/the LDAP server (looks like a sporadic issue). Maybe a deeper analysis is required, so I recommend to file a service request (if not already done) and provide them with a feedback and some packet captures which show the issue. Support should then be able to clearly point out what is going wrong.


                  So far the issue does not sound familiar, sorry :-(