2 Replies Latest reply on Feb 19, 2015 9:38 AM by lubomir.cerny

    Kerberos authentication + groups names

    lubomir.cerny

      Hi folks.

      I followed the Kerberos guide with MWG 7.4.2.7. I can get the user authenticated OK, but MWG does not return any group names. I have 2 questions:

      1. Is there a way to get group names from Kerberos without NTLM at all?
      2. May I use the Authentication.UserGroups function to work with groups fetched during Kerberos auth?

      Am I correct that Kerberos with NTLM Fallback still needs NTLM to fetch group names? These are the default settings in the Kerberos settings:

      2015-02-17 11_40_14-Edit Settings.png

        • 1. Re: Kerberos authentication + groups names
          ifrank

          Like the checkbox says, you can extract the group IDs from the ticket. Not the group names. Get the group SID from your AD admin and replace the group name in your rules with the SID string.

          • 2. Re: Kerberos authentication + groups names
            lubomir.cerny

            OK, it works now.

            My mistake was to use Authentication.GetUserGroups in one rule, which returned an empty value and blocked all other rules.

            Also, using Kerberos auth, all group names fetched from the Kerberos ticket are without the domain name part, i.e.: domain\groupname -> groupname

            So:

            With NTLM help, Authentication.UserGroups returns group names without the domain part.

            Without NTLM help, only SID IDs are returned as the value, i.e.: S-1-5-21-796845957-1979792683-725345543-34410

             

            thx.

            have a nice day.
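
An added example, not part of the thread and not McAfee code: Active Directory stores a group's SID in binary form in the `objectSid` attribute, so the value an AD admin exports often has to be converted to the `S-1-5-21-...` string before it can replace a group name in a rule. The group names, the `EXAMPLE` domain and the second SID below are constructed sample data, and pairing the SID quoted in the thread with `web-admins` is an assumption made for illustration.

```python
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Encode an 'S-1-5-21-...' string into the binary SID layout."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # 1 byte revision, 1 byte sub-authority count, 6-byte big-endian
    # identifier authority, then 32-bit little-endian sub-authorities.
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def sid_to_str(raw: bytes) -> str:
    """Decode a binary SID (e.g. an exported objectSid) to its string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def build_rule_map(directory: dict[str, bytes]) -> dict[str, str]:
    """Map each short group name used in rules to the SID string that
    has to be matched when only the Kerberos ticket is available."""
    return {name.split("\\")[-1]: sid_to_str(raw)
            for name, raw in directory.items()}

# SID string quoted in the thread; the group it belongs to is not stated there.
THREAD_SID = "S-1-5-21-796845957-1979792683-725345543-34410"

# Constructed sample export: DOMAIN\group -> binary objectSid.
SAMPLE_DIRECTORY = {
    "EXAMPLE\\web-admins": sid_to_bytes(THREAD_SID),
    "EXAMPLE\\web-users": sid_to_bytes(
        "S-1-5-21-796845957-1979792683-725345543-1105"),
}

if __name__ == "__main__":
    for name, sid in build_rule_map(SAMPLE_DIRECTORY).items():
        print(f"{name:12} -> {sid}")
```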