topic Re: Activate Identity Awareness in Firewall and Security Management

Activate Identity Awareness

Herman — Sun, 20 Mar 2022 17:11:27 GMT

Hello community,
When I tried activate IA with AD Query, I got error message "User is not a domain administrator as such AD Query will not work".
But I using admin account with right credentials. Environment clusterXL R81.10, windows server 2012 R2.
What can be checked to understand where the problem is?

Re: Activate Identity Awareness

G_W_Albrecht — Sun, 20 Mar 2022 17:57:51 GMT

See sk86441: ATRG: Identity Awareness !

Re: Activate Identity Awareness

Don_Paterson — Wed, 23 Mar 2022 16:34:19 GMT

Have just seen this issue in a lab environment with the same issue (account is Enterprise Administrator etc.).
Installing a different policy fixed it.

Not sure yet what the problem is but at the moment but suspect HTTPS Inspection could be causing it or Application Control or URLF blade. HTTPS Inspection policy was last updated.

Edit: Also R81.10, no JHFA 30 installed yet.

Edit2: Windows Server 2016 Standard

Rgds,

Don

Re: Activate Identity Awareness

the_rock — Wed, 23 Mar 2022 16:36:09 GMT

I saw this once before when I was on site with a customer and we just created another admin account and then it all worked. I really never got a good explanation from TAC why this would happen...

Re: Activate Identity Awareness

Don_Paterson — Wed, 23 Mar 2022 16:43:13 GMT

We tried that and it failed for us. New AD admin and same groups (Enterprise admins etc.) with no luck.#

Re: Activate Identity Awareness

the_rock — Wed, 23 Mar 2022 16:46:23 GMT

Maybe we got lucky that time, not sure, but thats what worked. I could be wrong when I say this, but from what I recall n old days, you never had to use admin account, but maybe that changed in R80 +.

Re: Activate Identity Awareness

Ruan_Kotze — Wed, 23 Mar 2022 17:01:05 GMT

Have seen this happen when the AD domain is configured to only allow NTLMv2.

Check Point recommends using Identity Collector as the identity source instead of AD Query - any chance you can switch to using that? Seems using ADQ will only get more challenging in the future - check out sk176148.

Re: Activate Identity Awareness

Don_Paterson — Wed, 23 Mar 2022 17:02:42 GMT

Good call. That would be my recommendation too,

Re: Activate Identity Awareness

Herman — Wed, 23 Mar 2022 17:07:15 GMT

Hi guys, many thanks for advice.
I catch this issue in my lab environment not production, I don't know what was it, but I reinstall windows server and it was resolve.
Regarding Identity Collector I know, but for some tests needed exactly AD Query.

Re: Activate Identity Awareness

timdude — Sun, 11 Feb 2024 14:24:09 GMT

Just encountered the exact same issue with a fresh Win2022 Server lab installation.

The error messages when trying to connect the AD are quite useful: they tell you if it can't reach the ADC, if the credentials are wrong or if the domain can't be found.

Thus, if you see this "User is not a domain administrator as such AD Query will not work" message, it's most likely not a connection/lack of policies issue.

Also keep in mind that the initial connectivity test is made from the SmartConsole's machine instead of from the GW.

However, in my case after installing all the Windows updates and couple reboots, the connection eventually worked.