2 Replies Latest reply on Dec 18, 2016 4:20 PM by lozaza

    MAC GTI communication via proxy failed with Unsupported authentication scheme: Negotiate

    lozaza

      Product versions: ePO 5.1.3

      Solidcore extension: 7.0.1.160

       

      We are experiencing difficulties communicating with the GTI cloud from our ePO server via proxy. It only happens when ePO is talking to mace.rest.gti.mcafee.com and cwl.gti.mcafee.com.

       

      We saw in Wireshark that when the proxy sends 'authentication required' back to ePO, it sends a connection reset straight back.

       

      The error in the ePO console for the fetch binary task basically says "Unsupported authentication scheme: Negotiate".

      In the orion log it says:

      Caused by: java.lang.IllegalStateException: Unsupported authentication scheme: Negotiate
          at org.apache.http.auth.AuthSchemeRegistry.getAuthScheme(AuthSchemeRegistry.java:115)
          at org.apache.http.auth.AuthSchemeRegistry$1.create(AuthSchemeRegistry.java:151)
          at org.apache.http.impl.client.AuthenticationStrategyImpl.select(AuthenticationStrategyImpl.java:188)
          at org.apache.http.impl.client.ProxyAuthenticationStrategy.select(ProxyAuthenticationStrategy.java:43)
          at org.apache.http.impl.auth.HttpAuthenticator.handleAuthChallenge(HttpAuthenticator.java:154)
          at org.apache.http.impl.client.HttpAuthenticator.authenticate(HttpAuthenticator.java:58)
          at org.apache.http.impl.client.DefaultRequestDirector.createTunnelToTarget(DefaultRequestDirector.java:891)
          at org.apache.http.impl.client.DefaultRequestDirector.establishRoute(DefaultRequestDirector.java:795)
          at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:615)
          at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
          at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
          at com.mcafee.scor.cloud.GTICloudHandler.exceuteRequest(GTICloudHandler.java:208)
          at com.mcafee.scor.cloud.GTICloudHandler.processRequest(GTICloudHandler.java:129)
          ... 25 more
      ERROR [http-bio-8443-exec-29] service.RetryServiceWithProxyAuthentication - An exception occurred while communicating with Cloud through proxy without kerberos.

       

      I found a known issue in KB85710 (1050955). Issue: With ePO 5.x, GTI communication using Kerberos authentication fails when using a proxy server.

       

      Our proxy server actually offers the client two authentication schemes:

      proxy-authentication: NEGOTIATE\r\n

      proxy-authentication: NTLM\r\n

       

      But when ePO talks to epo.mcafee.com, it seems ePO is able to pick NTLM and then provide an account to authenticate to the proxy.

       

      My question is (correct me if I am wrong): the Solidcore extension doesn't support Kerberos authentication when talking to the GTI cloud via a proxy. Then how can I force it to use NTLM to at least get past the proxy, or is there a way around it? Thanks, JS
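The behaviour described in the post, a proxy that advertises both NEGOTIATE and NTLM while the client dies on the first one, comes down to how a client walks the Proxy-Authenticate challenges of a 407 response. The following is an added example, not ePO or Solidcore code and not a copy of Apache HttpClient's internals: it parses a constructed 407 response (not a real capture) and contrasts a strict selection strategy, which fails as soon as the most-preferred offered scheme has no implementation, with a fallback strategy that keeps walking the preference list. The preference order used is modelled on Apache HttpClient's default (Negotiate/SPNEGO, Kerberos, NTLM, Digest, Basic); scheme names are compared case-insensitively, which is why the upper-case NEGOTIATE in the capture maps onto the Negotiate scheme named in the log.

```python
"""Proxy-authentication scheme selection against a 407 challenge.

Added example (not ePO/Solidcore code): models the two ways a client can react
when the proxy advertises a scheme the client has no implementation for.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed 407 response, not a capture. It mirrors the two challenges the
# poster saw in Wireshark: the proxy offers Negotiate and NTLM.
RAW_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: NEGOTIATE\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    "Proxy-Connection: close\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Preference order for proxy authentication. Modelled on Apache HttpClient's
# default ordering (SPNEGO/Negotiate first, then Kerberos, NTLM, Digest, Basic).
DEFAULT_PREFERENCE: List[str] = ["negotiate", "kerberos", "ntlm", "digest", "basic"]


class UnsupportedAuthScheme(Exception):
    """Raised when the chosen scheme has no registered implementation."""


def parse_challenges(raw_response: str) -> Dict[str, str]:
    """Map each scheme (lower-cased) named in a Proxy-Authenticate header to
    its raw challenge text. Header names are matched case-insensitively."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    challenges: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate":
            value = value.strip()
            if value:
                scheme = value.split(None, 1)[0].lower()
                challenges[scheme] = value
    return challenges


def select_strict(challenges: Dict[str, str], supported: Iterable[str],
                  preference: List[str] = DEFAULT_PREFERENCE) -> Optional[str]:
    """Take the first preferred scheme the proxy offered and fail if the client
    cannot implement it. This is the failure mode in the orion log: Negotiate
    is offered and preferred but unregistered, so NTLM is never tried."""
    supported_set = {s.lower() for s in supported}
    for scheme in preference:
        if scheme in challenges:
            if scheme not in supported_set:
                raise UnsupportedAuthScheme(
                    f"Unsupported authentication scheme: {scheme}")
            return scheme
    return None


def select_with_fallback(challenges: Dict[str, str], supported: Iterable[str],
                         preference: List[str] = DEFAULT_PREFERENCE) -> Optional[str]:
    """Skip offered schemes the client cannot implement and keep walking the
    preference list, so an offered NTLM challenge is still usable when the
    client has no Negotiate implementation."""
    supported_set = {s.lower() for s in supported}
    for scheme in preference:
        if scheme in challenges and scheme in supported_set:
            return scheme
    return None


def compare(raw_response: str, supported: Iterable[str],
            preference: List[str] = DEFAULT_PREFERENCE) -> Tuple[Optional[str], Optional[str]]:
    """Run both strategies over one response and return
    (strict outcome, fallback outcome); the strict outcome is either the
    selected scheme or the error message the strict strategy produced."""
    challenges = parse_challenges(raw_response)
    try:
        strict: Optional[str] = select_strict(challenges, supported, preference)
    except UnsupportedAuthScheme as exc:
        strict = str(exc)
    return strict, select_with_fallback(challenges, supported, preference)


if __name__ == "__main__":
    # A client that implements NTLM, Digest and Basic but not Negotiate.
    client_schemes = ["NTLM", "Digest", "Basic"]
    print(compare(RAW_407, client_schemes))
    # Narrowing the preference list to NTLM is the other way out, when the
    # client exposes that knob (Apache HttpClient 4.3+ does, via
    # RequestConfig.Builder.setProxyPreferredAuthSchemes).
    print(compare(RAW_407, client_schemes, preference=["ntlm"]))
```

Two things follow from running it. First, the strict strategy produces exactly the message seen in the log while an acceptable NTLM challenge sits unused in the same response, so the fix belongs in the client (skip unsupported schemes, or narrow the preference list), not in the proxy. Second, because ePO's HTTP client is not user-configurable here, the practical levers are the ones the rest of the thread discusses: the KB article's acknowledged limitation, or a proxy policy that only offers NTLM to the ePO server.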

        • 1. Re: MAC GTI communication via proxy failed with Unsupported authentication scheme: Negotiate
          syedali

          Hi

           

          Please try the workaround below.

           

          Workaround

          Create an entry in the hosts file for the GTI Cloud Server FQDN and IP address:

           

          1. Resolve the DNS name (cwl.gti.mcafee.com) from a system that is connected to the Internet. This should resolve to the following entry:

            NOTE:
            If there are any differences, contact Technical Support.

            FQDN Name: cgl.gti.mcafee.com
            IP Address: 216.203.40.95
          2. On the ePO server, click Start, Run, type explorer, and click OK.
          3. Navigate to:

            %SYSTEMROOT%\System32\Drivers\etc

          4. Right-click the Hosts file and select Open With.
          5. Select to edit the file with Notepad.
          6. Add the entry for cwl.gti.mcafee.com and save the file.

          Workaround

          Specify the IP address of the GTI Cloud Server under Application Control GTI Cloud Registered Server in ePO:

          1. Resolve the DNS name (cwl.gti.mcafee.com) from a system that is connected to the Internet. This should resolve to the following entry:

            NOTE:
            If there are any differences, contact Technical Support.

            FQDN Name: cgl.gti.mcafee.com
            IP Address: 216.203.40.95
          2. Log on to the ePO 4.x console.
          3. Click Menu, Configuration, Registered Servers.
          4. Click Actions, Edit for the Application Control GTI Cloud Server entry under Registered Servers.
          5. Specify the IP address in the Input Parameter entry for the following items:

            • Application Control GTI Cloud Server Address
            • Application Control GTI Cloud feedback Server Address
          6. Click Save.
          • 2. Re: MAC GTI communication via proxy failed with Unsupported authentication scheme: Negotiate
            lozaza

            All the settings of the GTI servers in terms of URLs seem good. We have also updated the certificate. The problem is it just cannot authenticate to the proxy.