KB Article | Forcepoint Support

Problem Description

Data Protector in ICAP Server Mode fails to resolve McAfee Web Gateway users and their group membership. The McAfee Web Gateway server sends the details of the client user logged on to the proxy to the Protector ICAP Server via the X-Authenticated-User header field. Policies that apply to the McAfee Web Gateway proxy user are not enforced by the Protector's ICAP Server.

The PolicyEngine ResourceResolver lookup reports the following error:
"WARN ResourceResolver - Resolver::CompleteUserFormatedString protocol <ntlm> not supported"

With debug logging enabled on the PolicyEngine log for the TransactionMonitor and ResourceResolver Topics, the PolicyEngine.log reports the following:
2018-02-16 10:55:05,483 [0x7fe7406ce700] INFO TransactionMonitor - Engine: Received transaction [598290666067769716].
Service <135466996>;

Operation <0>;DetectedTime 2018-02-16T10:55:05+02:00;

Source <<DataType, Data> <IPAddress, 10.48.192.39> <UserFormatedString, NTLM://mydomain/FirstName.LastName>;; >;

Destinations < Part Type: 23 DIRECTION_OUTBOUND: <DataType, Data> <Hostname, dlptest.com> <URL, http://dlptest.com/http-post/>; *** >;

2018-02-16 10:55:05,483 [0x7fe70c295700] DEBUG ResourceResolver - AddressResolutionProcessor: Resolving Source
2018-02-16 10:55:05,483 [0x7fe70c295700] WARN ResourceResolver - Resolver::CompleteUserFormatedString protocol <ntlm> not supported
2018-02-16 10:55:05,483 [0x7fe70c295700] DEBUG ResourceResolver - Resolver::Resolve No Policy Actors
2018-02-16 10:55:05,483 [0x7fe70c295700] DEBUG ResourceResolver - Resolving <DataType, Data> <IPAddress, 10.48.192.39> <UserFormatedString, NTLM://mydomain/FirstName.LastName>;

Resolution

The Protector's PolicyEngine does not support the 'X-Authenticated-User' header value with a prefix of 'NTLM:'.
For example, 'NTLM://mydomain/FirstName.LastName'.
 
The PolicyEngine expects the 'X-Authenticated-User' header value prefix to be in the format of 'WinNT:'.
For example, 'WinNT://mydomain/FirstName.LastName'.
 
Customers experiencing this issue should contact McAfee support. McAfee will be able to assist with reconfiguring the McAfee Web Gateway so that it sends the 'X-Authenticated-User' header in the PolicyEngine's supported format of 'WinNT:'.
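
A log audit for the symptom described above, as an added example (not Forcepoint or McAfee code): it scans PolicyEngine.log text for the unsupported-protocol warning and lists the source identities whose prefix is not 'WinNT:'. The sample lines are constructed from the excerpt in this article; the function name `audit` and the regular expressions are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the PolicyEngine.log excerpt in this article.
SAMPLE_LOG = """\
2018-02-16 10:55:05,483 [0x7fe70c295700] DEBUG ResourceResolver - AddressResolutionProcessor: Resolving Source
2018-02-16 10:55:05,483 [0x7fe70c295700] WARN ResourceResolver - Resolver::CompleteUserFormatedString protocol <ntlm> not supported
2018-02-16 10:55:05,483 [0x7fe70c295700] DEBUG ResourceResolver - Resolver::Resolve No Policy Actors
2018-02-16 10:55:05,483 [0x7fe70c295700] DEBUG ResourceResolver - Resolving <DataType, Data> <IPAddress, 10.48.192.39> <UserFormatedString, NTLM://mydomain/FirstName.LastName>;
2018-02-16 10:56:11,020 [0x7fe70c295700] DEBUG ResourceResolver - Resolving <DataType, Data> <IPAddress, 10.48.192.40> <UserFormatedString, WinNT://mydomain/Other.User>;
"""

EXPECTED_SCHEME = "winnt"  # prefix the article says the PolicyEngine expects
WARN_RE = re.compile(
    r"WARN\s+ResourceResolver - Resolver::CompleteUserFormatedString "
    r"protocol <([^>]+)> not supported"
)
USER_RE = re.compile(
    r"<IPAddress, ([^>]+)>.*?<UserFormatedString, ([A-Za-z]+)://([^>]+)>"
)

def audit(log_text):
    """Return (warning counts per protocol, sorted identities not in WinNT form)."""
    warnings = Counter()
    unresolved = set()  # set: the same identity appears on several log lines
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            warnings[m.group(1).lower()] += 1
            continue
        m = USER_RE.search(line)
        if m and m.group(2).lower() != EXPECTED_SCHEME:
            unresolved.add(m.groups())  # (source IP, header prefix, domain/user)
    return warnings, sorted(unresolved)

if __name__ == "__main__":
    warns, users = audit(SAMPLE_LOG)
    for proto, count in warns.items():
        print(f"{count} warning(s): protocol <{proto}> not supported")
    for ip, scheme, ident in users:
        print(f"user not resolved: {ident} from {ip} (header prefix {scheme}:)")
```

Each identity it lists is a user whose policies are not being applied until the gateway sends the 'WinNT:' prefix.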
