Authentication in context of disabled SMB v1 (McAfee Web Gateway NTLM authentication fails after you disable SMBv1)
Technical Articles ID: KB89350
Last Modified: 10/21/2019


McAfee Web Gateway (MWG)
Microsoft Windows Server


Following several recent events, including the move to SHA-2 and the WannaCry ransomware attack, you might have disabled the legacy SMBv1 protocol in your environment.
This leads to a situation in which McAfee Web Gateway can no longer use its native NTLM integration, because that integration is not SMBv2-compatible.

McAfee Web Gateway uses SMBv1 connections for traffic between MWG and the Windows Domain Controller. Because SMBv1 is disabled, MWG can no longer communicate with the Active Directory servers and NTLM authentication no longer works.

The Windows Domain Membership status LED in the MWG manager (under Configuration, Windows Domain Membership) turns red, and mwg-core_Auth.debug.log contains the following error:
SMB connection can't be established


To avoid or resolve this issue, apply the update from Microsoft Security Bulletin MS17-010 to your Windows Server Active Directory domain controllers.

This security update addresses the vulnerability that prompted the SMBv1 shutdown by correcting how SMBv1 handles specially crafted requests.

If you have enabled automatic updates, this update has already been installed on your Windows Server(s).

After the update is installed on your servers, re-enable SMBv1 if you had disabled it.
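The following PowerShell check is an added example, not part of this article or of McAfee's tooling. It verifies on a Windows Server the two preconditions the steps above describe: that the MS17-010 update is installed and what the current SMBv1 state is, and it only suggests re-enabling SMBv1 once the update is present. It assumes Windows Server 2012 or later (for Get-SmbServerConfiguration) and that you supply the MS17-010 KB number for your OS build; the KB0000000 value is a placeholder.

```powershell
# Added example (not McAfee's code): check a Windows Server for the preconditions
# this article sets before SMBv1 is re-enabled for MWG native NTLM.
# Assumptions: run elevated on Windows Server 2012 or later; $HotfixId is the
# MS17-010 KB number for this OS build (KB0000000 is a placeholder you must replace).

function Test-Smb1Readiness {
    param(
        # Placeholder: replace with the MS17-010 KB article number for this OS build
        [string]$HotfixId = 'KB0000000'
    )

    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        Ms17010Present = $false
        Smb1Enabled    = $null
        Smb2Enabled    = $null
        Recommendation = ''
    }

    # 1. Is the MS17-010 update installed? Get-HotFix lists installed Windows updates.
    $hotfix = Get-HotFix | Where-Object { $_.HotFixID -eq $HotfixId }
    $result.Ms17010Present = [bool]$hotfix

    # 2. Current SMB server protocol state.
    $smb = Get-SmbServerConfiguration
    $result.Smb1Enabled = $smb.EnableSMB1Protocol
    $result.Smb2Enabled = $smb.EnableSMB2Protocol

    # Decide in the order the article gives: update first, then SMBv1.
    if (-not $result.Ms17010Present) {
        $result.Recommendation = "Install $HotfixId (MS17-010) before re-enabling SMBv1."
    } elseif (-not $result.Smb1Enabled) {
        $result.Recommendation = 'MS17-010 installed; SMBv1 can be re-enabled for MWG native NTLM with: Set-SmbServerConfiguration -EnableSMB1Protocol $true'
    } else {
        $result.Recommendation = 'MS17-010 installed and SMBv1 enabled; MWG native NTLM can connect.'
    }

    [pscustomobject]$result
}

Test-Smb1Readiness -HotfixId 'KB0000000' | Format-List
```

On newer Windows Server versions SMBv1 is also a removable feature (FS-SMB1), so if Get-SmbServerConfiguration reports it enabled but clients still fail, check Get-WindowsFeature FS-SMB1 as well. Keeping SMBv1 enabled is what the native integration needs; the alternatives in the next section avoid it altogether.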


Alternative Secure Authentication variants

To continue using seamless transparent authentication, McAfee Web Gateway offers alternative authentication methods:
  • NTLM Agent
  • McAfee Client Proxy
  • Kerberos

NTLM Agent
With the NTLM Agent, McAfee Web Gateway communicates with an authentication broker, the NTLM Agent, which must be installed on a member server of the domain. MWG relays the NTLM authentication messages to that agent, which makes a system call and lets Windows validate the credentials. Windows then uses whatever transport it is configured for, so the SMBv1 compatibility issue no longer applies.

For further information and to download the NTLM Agent, see:

McAfee Client Proxy (MCP)
McAfee Client Proxy is a software agent that is installed on endpoints. It is fully ePO-managed and integrates with Endpoint Security (ENS) 10.5 through shared components and a bundled install for easy deployment.

MCP redirects web traffic to MWG and authenticates the user against MWG. It reads the currently logged-on user and adds user and group information to the HTTP headers, which MWG then reads and uses for authentication.
MCP is available on all active Windows platforms (client and server) and on Apple's macOS.

For further information and to download the McAfee Client Proxy, see:

Kerberos
Kerberos is the default authentication method in most modern Windows environments. It can relieve load on the domain controller because it is based on tickets rather than on direct contact with the Domain Controller for each authentication. Setting up Kerberos is documented in the Expert Center.

Because the MWG component that resolves retrieved SIDs to clear-text group names uses SMB1, you must either base your group mapping on SIDs or use LDAPS to request group membership details for an authenticated user.

To use SIDs for policy mapping directly, Windows provides a tool to perform the lookup. Execute the following command on a domain member:
dsquery group -name "Administrators" | dsget group -sid

For example:
PS C:\Users\Administrator> dsquery group -name "Administrators" | dsget group -sid
dsget succeeded
This step enables MWG to perform authentication and policy decisions without the need to open an SMB1 connection to a domain controller.
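The script below is an added example, not part of this article or of McAfee's tooling. It does the same name-to-SID lookup as the dsquery/dsget command above for a whole list of groups, using the .NET NTAccount and SecurityIdentifier classes, which work on any domain-joined host without the RSAT directory tools. It also shows the reverse lookup so a SID-based policy rule can be documented. The group names are constructed samples (CONTOSO is a hypothetical domain); replace them with your own.

```powershell
# Added example (not McAfee's code): resolve the group names referenced in an MWG
# policy to their SIDs so rules can match on SID and never need an SMB1 name lookup.
# Assumptions: run on a domain-joined Windows host with a domain account; the
# CONTOSO group names below are constructed samples.

function ConvertTo-GroupSid {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$GroupName)
    process {
        try {
            $account = New-Object System.Security.Principal.NTAccount($GroupName)
            $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
            [pscustomobject]@{ Group = $GroupName; SID = $sid.Value; Resolved = $true }
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Name does not exist or the domain is unreachable; keep the row so the gap is visible
            [pscustomobject]@{ Group = $GroupName; SID = $null; Resolved = $false }
        }
    }
}

# Reverse lookup: document what a SID in a policy rule actually matches
function ConvertFrom-GroupSid {
    param([Parameter(Mandatory)][string]$Sid)
    $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $id.Translate([System.Security.Principal.NTAccount]).Value
}

# Constructed sample list: the built-in Administrators group plus two hypothetical domain groups
$groups = 'Administrators', 'CONTOSO\WebProxy-Allowed', 'CONTOSO\WebProxy-Blocked'
$mapping = $groups | ConvertTo-GroupSid
$mapping | Format-Table -AutoSize

# Emit name=SID pairs that can be kept as a change record next to the MWG policy
$mapping | Where-Object Resolved | ForEach-Object { "$($_.Group)=$($_.SID)" }

# Round trip one resolved SID back to its name
$mapping | Where-Object Resolved | Select-Object -First 1 | ForEach-Object { ConvertFrom-GroupSid $_.SID }
```

For the built-in Administrators group the well-known SID is S-1-5-32-544, which is what the dsget example above returns on a domain controller. Unresolved rows are reported rather than dropped, so a misspelled or deleted group in the policy is caught before a SID-based rule silently matches nothing.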

As an alternative, clear-text group names for a user can be retrieved using the Authentication.GetUserGroups property after successful Kerberos authentication.
This property requires a valid LDAP configuration for user authentication.
