2 Replies Latest reply on Dec 10, 2015 7:55 AM by belvincent

    Getting AD User Groups (including nested) when using MCP

    belvincent

      Hi,

       

      MCP only returns Active Directory Groups that users are direct members of (because it gets information locally on the end user computer). NTLM Authentication returns all groups, including nested Groups (Groups inside Groups).

       

      As we are using Groups (some of them being nested) for matching users' policies to browse the Internet, the information sent by MCP is thus not enough.

       

      We require MCP because it allows us to proxify all traffic (which allows us to intercept portable browsers).

       

      We are currently stuck because MCP does not work well with NTLM authentication configured on the Web Gateways.

       

      If I am not mistaken, MCP sends the authentication credentials it gets locally on the end user computer in HTTP headers (populating X-SWEB-AuthUser, X-SWEB-AuthGroups, etc.). If MWGs are configured to accept only NTLM authentication, they ignore the information sent by MCP in the headers and send back an HTTP 407 Authentication Required (as expected), which is ignored / not handled / dropped by the MCP client.

       

      In the end, users get a Blocking Page and cannot surf.

       

      Notes: If MCP is disabled on the end user, everything is fine. If MCP authentication is accepted on the MWG, everything is fine (except we do not have nested groups).

       

      How can we make the MCP client work properly with MWGs using only NTLM authentication?
