0 Replies Latest reply on Jan 10, 2014 4:28 AM by RayP

    Web Gateway / get local groups / authentication problems in child domains

    RayP

      Domain Level: Server 2012
      Root Domain with 3 child domains.
      The McAfee WebGateway version 7.1.6.1.0 (build 12742)


      Situation:

       

      ChildA.mycompany.com
                 User1 is member of the global group ChildA\Internet_Users
      ChildB.mycompany.com
                 User2 is member of the global group ChildB\Internet_Users
      ChildC.mycompany.com
                 User3 is member of the global group ChildC\Internet_Users

       

      mycompany.com has a domain local group named P_Default_Internet
           This Domain Local Group has the following members:
                      ChildA\Internet_Users
                      ChildB\Internet_Users
                      ChildC\Internet_Users
                      Internet Users


      The Web Gateway has the following ruleset:

      Authenticate and Authorize
            -Authenticate with NTLM
                   Default NTLM domain <empty>
                   Send domain and machine name to the client <enabled>
                   Get global groups <enabled>
                   Get local groups <enabled>
                   Prefix group name with domain name (domain\group) <enabled>
                   Enable basic authentication <enabled>
                   Enable integrated authentication <enabled>
                   Enable NTLM cache <enabled>
                   NTLM Cache TTL 10 seconds
            -Authorize
                   Only allow users of Allowed User Groups

                             The Allowed User Groups are:
                                        -ChildA\Internet_Users
                                        -ChildB\Internet_Users
                                        -ChildC\Internet_Users
                                        -Internet Users

      The problem is:

      When I uncheck "Get global groups", users of the root domain <mycompany.com> can still access the internet, no problems. Users of all child domains receive the message "Your request has been blocked by McAfee Web Gateway because you have not been authorized and authorization is required."

           URL: http://the.internet.com
           User name: user1

       

      When I check "Get global groups" it is working again.

       

      Why are child domain users receiving this message? They are nested correctly within AD2012.

       

      When I do an Authentication test within the Web Gateway it gives the test result OK.


      Authentication Debugging:

      [2014-01-10 08:39:20.318 +01:00] [15374] NTLM (89887, 10.1.51.17) URL: http://google.com/ Connection: 0x7f1f7115e840
      [2014-01-10 08:39:20.318 +01:00] [15374] NTLM (89887, 10.1.51.17) Authentication didn't return values, failure ID: 4, authentication failed: 0
      [2014-01-10 08:39:20.318 +01:00] [15374] NTLM (89887, 10.1.51.17) Added authentication method: Basic realm="McAfee Web Gateway"
      [2014-01-10 08:39:20.318 +01:00] [15374] NTLM (89887, 10.1.51.17) Added authentication method: NTLM
      [2014-01-10 08:39:20.366 +01:00] [15387] NTLM (89888, 10.1.51.17) URL: http://google.com/ Connection: 0x7f1f7115e840
      [2014-01-10 08:39:20.366 +01:00] [15387] NTLM (89888, 10.1.51.17) Incoming credentials: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
      [2014-01-10 08:39:20.366 +01:00] [15387] NTLM (89888, 10.1.51.17) NTLM cache returned status 2
      [2014-01-10 08:39:20.366 +01:00] [15387] NTLM (89888, 10.1.51.17) Authentication didn't return values, failure ID: 0, authentication failed: 0
      [2014-01-10 08:39:20.366 +01:00] [15387] NTLM (89888, 10.1.51.17) Added authentication method: Basic realm="McAfee Web Gateway"
      [2014-01-10 08:39:20.366 +01:00] [15387] NTLM (89888, 10.1.51.17) Added authentication method: NTLM TlRMTVNTUAACAAAACgAAADAAAAAFgokAfF4/aR+pdUcAAAAAAAAAACoAAAA6AAAAYwBvAHMAdQBuAAEAFABDAE8AUwAxAE4AVwAxADAAMAAxAAIACgBjAG8AcwB1AG4AAAAAAA==
      [2014-01-10 08:39:20.366 +01:00] [15387] NTLM (89888, 10.1.51.17) Stored NTLM cache keys in the connection
      [2014-01-10 08:39:20.391 +01:00] [15384] NTLM (89889, 10.1.51.17) URL: http://google.com/ Connection: 0x7f1f7115e840
      [2014-01-10 08:39:20.391 +01:00] [15384] NTLM (89889, 10.1.51.17) Incoming credentials: NTLM TlRMTVNTUAADAAAAGAAYAIIAAADMAMwAmgAAAAwADABYAAAADAAMAGQAAAASABIAcAAAAAAAAABmAQAABYKIAgYBsR0AAAAPN/M0gYNYPhCDJlNs4zEQlU0AQQBTAFQARQBSAEQASgBvAG4AZwAxAEQASQBOADEAWABQADAAMAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFcknqj4H+6v+ORnir3Vql0BAQAAAAAAAKKbfhTXDc8BnviKy7gum6sAAAAAAQAUAEMATwBTADEATgBXADEAMAAwADEAAgAKAGMAbwBzAHUAbgAIADAAMAAAAAAAAAABAAAAACAAAGI3FaUIVDeEnRuU/de2yw9a5rMXN8E6gZ48mZ62PKr9CgAQAAAAAAAAAAAAAAAAAAAAAAAJACYASABUAFQAUAAvADEAOQAyAC4AMQA2ADgALgAxADAANQAuADMANgAAAAAAAAAAAA==
      [2014-01-10 08:39:20.391 +01:00] [15384] NTLM (89889, 10.1.51.17) Loaded NTLM cache keys from the connection
      [2014-01-10 08:39:20.391 +01:00] [15384] NTLM (89889, 10.1.51.17) NTLM cache returned status 3
      [2014-01-10 08:39:20.391 +01:00] [15384] NTLM (89889, 10.1.51.17) Authenticated: 1
      [2014-01-10 08:39:20.391 +01:00] [15384] NTLM (89889, 10.1.51.17) Method: NTLM
      [2014-01-10 08:39:20.391 +01:00] [15384] NTLM (89889, 10.1.51.17) Realm: ChildA
      [2014-01-10 08:39:20.391 +01:00] [15384] NTLM (89889, 10.1.51.17) User: User1

       

       

      Regards,

      Ray
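
The authentication debug log above quotes the three NTLM messages of the handshake (NEGOTIATE from the client, CHALLENGE from the gateway, AUTHENTICATE from the client) as raw base64, which is not readable as posted. The following decoder is an added example and is not part of Ray's post nor McAfee's product; it parses the message layouts defined in MS-NLMP and uses the three blobs from the log lines, with the spaces that the forum's line wrapping inserted into them removed, as its constructed input. It shows which domain, account and workstation the client claimed, which NTLM version was used, the target information the gateway advertised, and the timestamp and service name the client bound into its NTLMv2 response.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# Added example: decoder for the NTLM messages quoted in the post's debug log.
# The three base64 blobs are copied from those log lines (wrap spaces removed).
NEGOTIATE_B64 = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
CHALLENGE_B64 = (
    "TlRMTVNTUAACAAAACgAAADAAAAAFgokAfF4/aR+pdUcAAAAAAAAAACoAAAA6AAAAYwBvAHMAdQBuAAE"
    "AFABDAE8AUwAxAE4AVwAxADAAMAAxAAIACgBjAG8AcwB1AG4AAAAAAA=="
)
AUTHENTICATE_B64 = (
    "TlRMTVNTUAADAAAAGAAYAIIAAADMAMwAmgAAAAwADABYAAAADAAMAGQAAAASABIAcAAAAAAAAABmAQA"
    "ABYKIAgYBsR0AAAAPN/M0gYNYPhCDJlNs4zEQlU0AQQBTAFQARQBSAEQASgBvAG4AZwAxAEQASQBOADE"
    "AWABQADAAMAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFcknqj4H+6v+ORnir3Vql0BAQAAAAAAAKK"
    "bfhTXDc8BnviKy7gum6sAAAAAAQAUAEMATwBTADEATgBXADEAMAAwADEAAgAKAGMAbwBzAHUAbgAIADA"
    "AMAAAAAAAAAABAAAAACAAAGI3FaUIVDeEnRuU/de2yw9a5rMXN8E6gZ48mZ62PKr9CgAQAAAAAAAAAAA"
    "AAAAAAAAAAAAJACYASABUAFQAUAAvADEAOQAyAC4AMQA2ADgALgAxADAANQAuADMANgAAAAAAAAAAAA="
    "="
)

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_VERSION = 0x02000000          # flag: an 8-byte VERSION field is present
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            8: "SingleHost", 9: "TargetName", 10: "ChannelBindings"}
STRING_AVS = {1, 2, 3, 4, 5, 9}         # AV_PAIR values that are UTF-16LE strings


def _buffer(raw, off):
    """Resolve an NTLM security buffer (Len, MaxLen, Offset) at `off` to its bytes."""
    length, _maxlen, start = struct.unpack_from("<HHI", raw, off)
    if start + length > len(raw):
        raise ValueError("security buffer points past the end of the message")
    return raw[start:start + length]


def _utf16(data):
    return data.decode("utf-16-le")


def _version(raw, off):
    """VERSION field: major, minor, build (the reserved bytes and revision are skipped)."""
    major, minor, build = struct.unpack_from("<BBH", raw, off)
    return f"{major}.{minor}.{build}"


def parse_av_pairs(buf, off=0):
    """Walk an AV_PAIR list up to MsvAvEOL; string values are decoded, the rest kept raw."""
    pairs = []
    while True:
        if off + 4 > len(buf):
            raise ValueError("AV_PAIR list is not terminated")
        av_id, av_len = struct.unpack_from("<HH", buf, off)
        off += 4
        if av_id == 0:
            return pairs
        value = buf[off:off + av_len]
        off += av_len
        pairs.append((AV_NAMES.get(av_id, f"Unknown{av_id}"),
                      _utf16(value) if av_id in STRING_AVS else value))


def filetime_to_utc(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_ntlm(b64):
    raw = base64.b64decode(b64)
    if raw[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    if msg_type == 1:                                  # NEGOTIATE_MESSAGE
        flags = struct.unpack_from("<I", raw, 12)[0]
        return {"type": "NEGOTIATE", "flags": flags,
                "version": _version(raw, 32) if flags & NEGOTIATE_VERSION else None}
    if msg_type == 2:                                  # CHALLENGE_MESSAGE
        return {"type": "CHALLENGE",
                "target_name": _utf16(_buffer(raw, 12)),
                "flags": struct.unpack_from("<I", raw, 20)[0],
                "server_challenge": raw[24:32].hex(),
                "target_info": parse_av_pairs(_buffer(raw, 40))}
    if msg_type == 3:                                  # AUTHENTICATE_MESSAGE
        nt = _buffer(raw, 20)
        info = {"type": "AUTHENTICATE",
                "lm_response": _buffer(raw, 12).hex(),
                "domain": _utf16(_buffer(raw, 28)),
                "user": _utf16(_buffer(raw, 36)),
                "workstation": _utf16(_buffer(raw, 44)),
                "flags": struct.unpack_from("<I", raw, 60)[0]}
        if len(nt) > 24:   # NTLMv2_RESPONSE: 16-byte NTProofStr, then the client challenge blob
            filetime = struct.unpack_from("<Q", nt, 24)[0]
            info.update(ntlm_version=2, nt_proof=nt[:16].hex(),
                        timestamp_filetime=filetime, timestamp=filetime_to_utc(filetime),
                        client_challenge=nt[32:40].hex(), target_info=parse_av_pairs(nt, 44))
        else:              # a 24-byte response is NTLMv1 (or LM)
            info.update(ntlm_version=1, nt_response=nt.hex())
        return info
    raise ValueError(f"unexpected NTLM message type {msg_type}")


if __name__ == "__main__":
    for blob in (NEGOTIATE_B64, CHALLENGE_B64, AUTHENTICATE_B64):
        for key, value in parse_ntlm(blob).items():
            print(f"{key:>18}: {value:#010x}" if key == "flags" else f"{key:>18}: {value}")
```

Run as-is, the decoder shows an NTLMv2 exchange from a 6.1.7601 (Windows 7 SP1) client whose AUTHENTICATE message carries an all-zero 24-byte LM response, a NetBIOS domain, account and workstation name, and an NTLMv2 blob whose timestamp (2014-01-10 07:39:23 UTC) matches the 08:39 +01:00 log line; the blob echoes the gateway's own target info (NetBIOS computer and domain name), a 16-byte all-zero channel-binding entry and the service name HTTP/192.168.105.36 the client computed for the proxy. Two caveats: the domain and user in the AUTHENTICATE header are only what the client asserts, and become trustworthy only once the domain controller has validated the NTProofStr (the log's "Authenticated: 1"); and these blobs were pasted unredacted, so the decoded names are the real ones while the surrounding prose uses placeholders such as ChildA and User1. When sanitising a debug log for a public forum, strip or truncate the NTLM base64 as well, since it exposes the real domain, account, workstation and gateway names.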