topic Re: dentity Collector (Active Directory) - Identity Propagation Failed Login in Firewall and Security Management

dentity Collector (Active Directory) - Identity Propagation Failed Login

johnyb — Mon, 23 May 2022 05:03:09 GMT

Dear All,

i discovered a few days that the majority of the Identity Awareness events from "Identity Collector (Active Directory)"

are followed by Authentication Status "Failed Login".

Any clues what might is wrong?

MAny Thanks,

Re: dentity Collector (Active Directory) - Identity Propagation Failed Login

Sorin_Gogean — Mon, 23 May 2022 07:38:01 GMT

Hey,

First, blur your LogServerOrigin - if it matters or not.

Now, do you get the error on the "Failed Log In" or on any identity records ?!?!?!?!

We had that in the past, and all we did was to drop the SSL HASH from the LDAP objects.

That happened because AD Team changed certificates on their servers... so it will fail since the fingerprint/hash doesn't match anymore .

(see the sk156853 and you will get it, JUST!!!!! leave the Fingerprint empty !!!!! )

This is how an "Failed Log In" looks for us - as you can see the machine was identified properly in AD and mapped to AD groups.

Re: dentity Collector (Active Directory) - Identity Propagation Failed Login

Sorin_Gogean — Mon, 23 May 2022 07:40:04 GMT

PS:

See this (Check-Point-LDAPS-connection-breaks-everytime-AD-certificate-is) and others similar - just search LDAPs in the CheckMates Forum.

Re: dentity Collector (Active Directory) - Identity Propagation Failed Login

johnyb — Tue, 24 May 2022 08:22:22 GMT

What about this error message from the windows event log :

The server-side authentication level policy does not allow the user AAAAAA SID (S-1-5-21-000000000000) from address XX.XX.XX.XX to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

The above belongs to Management server trying to access the domain controller.

Re: dentity Collector (Active Directory) - Identity Propagation Failed Login

Sorin_Gogean — Tue, 24 May 2022 20:21:18 GMT

There are a ton of writings out-there in regards to the error you presented.

Seems more like an AD issue or account rights or a protocol change in the communication - didn't dig up too much.

Tnx,

PS: have you cleared the AD server SSL HASH from the LDAP objects ?

Re: dentity Collector (Active Directory) - Identity Propagation Failed Login

johnyb — Wed, 25 May 2022 02:14:04 GMT

no not yet i will have to raise a TAC.

Re: dentity Collector (Active Directory) - Identity Propagation Failed Login

Sorin_Gogean — Wed, 25 May 2022 08:41:58 GMT

Is that required for a change in your environment, or you referred to TAC as CheckPoint TAC ?

You see in your logs some AD group retrieval errors and like we've seen it in the past, one of the problems was the fact that the SSL certificate was changed on AD servers, was changed.

In order to overcome that, all you have to do is to drop the Fingerprint from the LDAP objects, so they will not fail if the SSL cert changes in the future.

Thank you,