
Authentication in context of disabled SMB v1 (McAfee Web Gateway NTLM authentication fails after you disable SMBv1)
Technical Articles ID:   KB89350
Last Modified:  5/19/2017

Environment

McAfee Web Gateway (MWG) 7.x
Microsoft Windows Server

Problem

Following several recent events, including the move to SHA-2 and the WannaCry ransomware attack, you may have disabled the legacy SMBv1 protocol in your environment.
McAfee Web Gateway can then no longer use its native NTLM integration, because that integration is not SMBv2-compatible.

McAfee Web Gateway uses SMBv1 connections for the traffic between MWG and the Windows domain controller. With SMBv1 disabled, MWG can no longer communicate with the Active Directory servers, and NTLM authentication no longer works.

The Windows Domain Membership status LED in the MWG manager under Configuration, Windows Domain Membership turns red,
and the mwg-core_Auth.debug.log contains the following error:
 
SMB connection can't be established

Solution

To avoid or resolve this issue, install the update from Microsoft Security Bulletin MS17-010 on your Windows Server Active Directory domain controllers.

This security update addresses the vulnerability by correcting how SMBv1 handles specially crafted requests.

If you have enabled automatic updates, this patch should already be installed on your Windows Server(s).

After the update is installed on your servers, re-enable SMBv1 if you had disabled it.
 

Solution

Alternative Secure Authentication variants

To continue using seamless transparent authentication, McAfee Web Gateway offers alternative authentication methods:
  • NTLM Agent
  • McAfee Client Proxy
  • Kerberos

NTLM Agent
With the NTLM Agent, McAfee Web Gateway communicates with an authentication broker, the NTLM Agent, which must be installed on a member server of the domain. MWG relays the authentication messages to that agent, which makes a system call and lets the Windows system validate the credentials. Windows then validates them in whatever way it is configured to, so the SMBv1 compatibility issue no longer applies.

For further information and to download the NTLM Agent, see:
https://contentsecurity.mcafee.com/software_mwg7_tools


McAfee Client Proxy (MCP)
McAfee Client Proxy is a software agent that is installed on endpoints. It is fully ePO-managed and integrates with Endpoint Security (ENS) 10.5 through shared components and a bundled install for easy deployment.

MCP redirects web traffic to MWG and also authenticates the user against MWG. It reads the currently logged-on user and adds user and group information to the HTTP headers, which MWG then reads and uses for authentication.
MCP is available on all currently supported Windows platforms, including client and server, as well as Apple's macOS.

For further information and to download the McAfee Client Proxy, see:
https://contentsecurity.mcafee.com/software_mwg7_tools


Kerberos
Kerberos is the default authentication method in most modern Windows environments. It can help relieve the domain controller because it is based on tickets rather than on direct contact with the domain controller. Setting up Kerberos is documented in the Expert Center.

Because the MWG component that resolves retrieved SIDs to clear-text group names uses SMBv1,
you must either base your group mapping on SIDs or use LDAPS to request group membership details for an authenticated user.

To map policy to SIDs directly, use the Windows command-line tools to look up a group's SID. Run the following command on a domain member:
 
dsquery group -name "Administrators" | dsget group -sid

For example:
PS C:\Users\Administrator> dsquery group -name "Administrators" | dsget group -sid
  sid
  S-1-5-32-544
dsget succeeded
 
This enables MWG to perform authentication and policy decisions without the need to open an SMB1 connection to a domain controller.
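The following Python snippet is an added example (not McAfee code) that shows what SID-based group mapping looks like in practice: it parses the `dsget group -sid` output shown above, validates the SID syntax, separates built-in groups from domain groups, and maps a user's group SIDs onto policy names. The `dsget` output is a constructed copy of the article's sample, the domain SID and the policy names are assumptions.

```python
"""
Added example, not part of the McAfee article: work with group SIDs
obtained from `dsquery group -name "<group>" | dsget group -sid` so that
MWG policy can be keyed on SIDs instead of clear-text group names that
would require an SMBv1 lookup.
"""
import re

# Constructed copy of the `dsget group -sid` output shown in the article.
DSGET_OUTPUT = """\
  sid
  S-1-5-32-544
dsget succeeded
"""

# Assumption: a made-up domain SID used only to illustrate domain vs. built-in groups.
EXAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# Textual SID grammar: S-1-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Split a textual SID into its revision, authority, sub-authorities and RID."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a valid SID: {sid!r}")
    parts = sid.split("-")
    sub_authorities = [int(p) for p in parts[3:]]
    return {
        "revision": int(parts[1]),
        "authority": int(parts[2]),
        "sub_authorities": sub_authorities,
        "rid": sub_authorities[-1],  # relative identifier is the last sub-authority
    }


def parse_dsget_sid_output(text):
    """Return the SIDs printed by `dsget group -sid`, skipping the header and status line."""
    sids = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower() == "sid" or line.startswith("dsget "):
            continue
        parse_sid(line)  # raises ValueError on malformed output
        sids.append(line)
    return sids


def is_builtin_sid(sid):
    """True for BUILTIN groups (S-1-5-32-*), such as Administrators (S-1-5-32-544)."""
    parsed = parse_sid(sid)
    return parsed["authority"] == 5 and parsed["sub_authorities"][0] == 32


def belongs_to_domain(sid, domain_sid):
    """True when the group or user SID was issued by the given domain."""
    parse_sid(sid)
    return sid.startswith(domain_sid + "-")


# Assumption: policy names are illustrative, not taken from the article.
POLICY_BY_SID = {
    "S-1-5-32-544": "allow-admin-tools",
    EXAMPLE_DOMAIN_SID + "-513": "default-web-access",  # RID 513 is Domain Users
}


def user_policies(user_group_sids, policy_table=POLICY_BY_SID):
    """Map the group SIDs a user holds onto policy names; unknown SIDs are ignored."""
    return sorted({policy_table[s] for s in user_group_sids if s in policy_table})


if __name__ == "__main__":
    sids = parse_dsget_sid_output(DSGET_OUTPUT)
    print("parsed:", sids)
    print("policies:", user_policies(sids + [EXAMPLE_DOMAIN_SID + "-513"]))
```

Keying the table on SIDs rather than names means a renamed group does not silently break policy, and no name resolution against a domain controller is needed at decision time.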

As an alternative, the clear-text group names for a user can be retrieved with the Authentication.GetUserGroups property after successful Kerberos authentication.
This property requires a valid LDAP configuration for user authentication.
 
