1429 Views, 5 Replies. Latest reply: Mar 18, 2013 11:01 AM by asabban
itagsupport (Apprentice, 77 posts since Aug 27, 2010)

Mar 12, 2012 7:27 AM

Fallback Authentication kerberos and LDAP

Hi,

I've tried to implement a fallback authentication rule:

1. Kerberos

2. LDAP (if Kerberos failed)

But it doesn't work. The browser always chooses Kerberos.

I've already tested the "Authenticate against Multiple Directories" rule set and read this:

"This rule set will not work for prompt-less authentication, or mixed authentication methods such as integrated for NTLM plus basic for LDAP"

Is it possible that it doesn't work with Kerberos because it's the same behaviour as with integrated NTLM?

Kind regards

  • asabban (McAfee SME, 1,354 posts since Nov 3, 2009)
    1. Mar 12, 2012 8:20 AM (in response to itagsupport)
    Re: Fallback Authentication kerberos and LDAP

    Hello,

    Yes, that is true. I believe MWG will tell the browser that we support "Negotiate" and "Basic" as methods to authenticate. The browser will pick the strongest one (Negotiate) and fail to do Basic. If I remember correctly it is required to use the "Authentication.ClearMethodList" event to clear out the offered methods to the browser, so that the browser will use Basic.

    I think we have an example rule set somewhere, I will see if I can find it.

    Best,

    Andre
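
The challenge negotiation that the reply above describes, as an added example written for this page and not part of the original thread or of McAfee Web Gateway itself. It models a proxy that advertises both Negotiate and Basic in one 407 response and a client that commits to the strongest scheme it supports, so the Basic/LDAP path is only ever reached once the proxy stops offering Negotiate (the effect of clearing the method list). The scheme precedence, the "no retry with Basic" behaviour and the sample 407 responses are constructed assumptions for the simulation, not measured behaviour of any particular browser or of MWG:

```python
"""Model of proxy authentication scheme selection (constructed example).

A proxy that offers both "Negotiate" and "Basic" in its 407 response is
simulated against a client that always commits to the strongest scheme
it supports. The precedence order and the "fail rather than fall back"
behaviour are modelled after the thread's description, not measured
from a real browser.
"""
from typing import Dict, List, Optional

# Strongest-first precedence used by the simulated client (assumption
# for this example; real clients differ in where they rank Digest/NTLM).
PRECEDENCE = ["negotiate", "ntlm", "digest", "basic"]


def parse_challenges(response_lines: List[str]) -> List[str]:
    """Extract scheme names from every Proxy-Authenticate header line.

    `response_lines` is a constructed raw 407 response, one header per
    element. A header may carry several comma-separated challenges.
    """
    schemes: List[str] = []
    for line in response_lines:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "proxy-authenticate":
            continue
        for challenge in value.split(","):
            # The scheme is the first token of each challenge.
            token = challenge.strip().split(" ", 1)[0]
            if token:
                schemes.append(token.lower())
    return schemes


def pick_scheme(offered: List[str], client_supports: List[str]) -> Optional[str]:
    """Return the strongest scheme both sides support, or None."""
    for scheme in PRECEDENCE:
        if scheme in offered and scheme in client_supports:
            return scheme
    return None


def simulate_round_trip(proxy_response: List[str],
                        client_supports: List[str],
                        kerberos_ticket_available: bool) -> Optional[str]:
    """Outcome of one 407 exchange.

    Returns the scheme the client authenticates with, or None when the
    client committed to Negotiate, could not obtain a Kerberos ticket
    and, as described in the reply, does not retry with Basic.
    """
    chosen = pick_scheme(parse_challenges(proxy_response), client_supports)
    if chosen == "negotiate" and not kerberos_ticket_available:
        return None
    return chosen


# Constructed 407 responses: the default (both schemes offered) and the
# result of clearing the offered method list down to Basic.
PROXY_OFFERS_BOTH = [
    "HTTP/1.1 407 Proxy Authentication Required",
    "Proxy-Authenticate: Negotiate",
    'Proxy-Authenticate: Basic realm="proxy"',
]
PROXY_OFFERS_BASIC_ONLY = [
    "HTTP/1.1 407 Proxy Authentication Required",
    'Proxy-Authenticate: Basic realm="proxy"',
]

BROWSER = ["negotiate", "basic"]  # schemes the simulated client supports


def scenarios() -> Dict[str, Optional[str]]:
    """Run the three cases discussed in the thread and report outcomes."""
    return {
        # Domain-joined client with a ticket: Kerberos succeeds.
        "both_offered_with_ticket": simulate_round_trip(PROXY_OFFERS_BOTH, BROWSER, True),
        # No ticket: Negotiate is still chosen, Basic is never attempted,
        # so the LDAP fallback is never reached.
        "both_offered_no_ticket": simulate_round_trip(PROXY_OFFERS_BOTH, BROWSER, False),
        # Only Basic is offered: the client has one option and the LDAP
        # path is reached.
        "basic_only_no_ticket": simulate_round_trip(PROXY_OFFERS_BASIC_ONLY, BROWSER, False),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the simulation is in the second scenario: as long as Negotiate is advertised, a client without a ticket never reaches Basic, so a fallback rule that relies on the client downgrading on its own has nothing to act on. When checking a real deployment, the equivalent evidence is a packet capture of the 407 response showing which Proxy-Authenticate headers the proxy actually sent.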

  • asabban (McAfee SME, 1,354 posts since Nov 3, 2009)
    2. Mar 12, 2012 8:26 AM (in response to asabban)
    Re: Fallback Authentication kerberos and LDAP

    Here is an example:

    [Attached image: Auswahl_383.png]

    I have not tested it, so I cannot guarantee that it works, but maybe you can give it a try?

    Best,

    Andre

  • vkloezer (Newcomer, 2 posts since Aug 4, 2011)
    4. Mar 18, 2013 7:07 AM (in response to asabban)
    Re: Fallback Authentication kerberos and LDAP

    Hello Andre,

    The rule set works fine. But now I wanted to extend the policy with getting LDAP group details for authorisation.

    Here is my policy:

    [Attached image: Authentication_Ruleset.PNG]

    With this new rule I have a problem: from time to time the user gets a "not authorized" message. If the user refreshes the site with F5, the site is displayed.

    If I place the Get-UserGroup rule after the LDAP authentication rule, the authorization doesn't work anymore.

    Do you have any idea why?

    Maybe my additional rule is not correct?

    Thanks and Regards,

    Viktor

    Message edited by vkloezer on 18.03.13 07:07:38 CDT
  • asabban (McAfee SME, 1,354 posts since Nov 3, 2009)
    5. Mar 18, 2013 11:01 AM (in response to vkloezer)
    Re: Fallback Authentication kerberos and LDAP

    Hi Viktor,

    Basically the rules look OK to me. I am curious about the "from time to time" statement. Does this mean that the error pops up randomly? Is there anything you can point out when the issue occurs, or can you reliably replicate the issue when you do a specific action?

    I would assume that when the rule works for most requests the rule should be correct. If you can, you could move the additional rule that looks up the group membership into a separate rule set which you call once authentication is provided.

    Does the issue occur with the additional rule disabled?

    For me it sounds like there is maybe a problem for MWG when trying to check the credentials against Kerberos/the LDAP server (looks like a sporadic issue). Maybe a deeper analysis is required, so I recommend filing a service request (if not already done) and providing them with feedback and some packet captures which show the issue. Support should then be able to clearly point out what is going wrong.

    So far the issue does not sound familiar, sorry :-(

    Best,

    Andre
