<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ID Agent automatic login in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ID-Agent-automatic-login/m-p/143955#M25110</link>
    <description>&lt;P&gt;Briefly in the past. We first built the solution with ID collector, but that didn't work in the end with the customer's requirements.&lt;/P&gt;&lt;P&gt;We are now using Identity Broker pairs in both access and aggregation layers in conjunction with DNS load balancing to be able to handle the masses and maintain scalability. The design is developed and approved by CP SEs and RnD.&lt;/P&gt;&lt;P&gt;I don't think that sk88520 is mentioning anything about transparent login for ID agent.&lt;/P&gt;</description>
    <pubDate>Wed, 16 Mar 2022 15:24:32 GMT</pubDate>
    <dc:creator>FredrikV</dc:creator>
    <dc:date>2022-03-16T15:24:32Z</dc:date>
    <item>
      <title>ID Agent automatic login</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ID-Agent-automatic-login/m-p/143944#M25108</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;We have about 12k users in a single Active Directory domain. Identity Awareness is under implementation, and we need to get the ID agent to automatically pick up the logged in users.&amp;nbsp;In other words, no manual input of credentials after logging into Windows.&lt;/P&gt;&lt;P&gt;I read about the Transparent Kerberos Authentication, and also the SSO feature of the LDAP account unit which requires a SPN to be configured in the AD.&lt;/P&gt;&lt;P&gt;Are those things what I'm looking for to achieve this? I'm not a Microsoft expert so any tips and suggestions are welcome.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;Regards, Fredrik&lt;/P&gt;</description>
      <pubDate>Wed, 16 Mar 2022 14:53:14 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ID-Agent-automatic-login/m-p/143944#M25108</guid>
      <dc:creator>FredrikV</dc:creator>
      <dc:date>2022-03-16T14:53:14Z</dc:date>
    </item>
    <item>
      <title>Re: ID Agent automatic login</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ID-Agent-automatic-login/m-p/143948#M25109</link>
      <description>&lt;P&gt;Did you look into&amp;nbsp;&lt;SPAN&gt;sk88520?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 16 Mar 2022 15:00:40 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ID-Agent-automatic-login/m-p/143948#M25109</guid>
      <dc:creator>_Val_</dc:creator>
      <dc:date>2022-03-16T15:00:40Z</dc:date>
    </item>
    <item>
      <title>Re: ID Agent automatic login</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ID-Agent-automatic-login/m-p/143955#M25110</link>
      <description>&lt;P&gt;Briefly in the past. We first built the solution with ID collector, but that didn't work in the end with the customer's requirements.&lt;/P&gt;&lt;P&gt;We are now using Identity Broker pairs in both access and aggregation layers in conjunction with DNS load balancing to be able to handle the masses and maintain scalability. The design is developed and approved by CP SEs and RnD.&lt;/P&gt;&lt;P&gt;I don't think that sk88520 is mentioning anything about transparent login for ID agent.&lt;/P&gt;</description>
      <pubDate>Wed, 16 Mar 2022 15:24:32 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ID-Agent-automatic-login/m-p/143955#M25110</guid>
      <dc:creator>FredrikV</dc:creator>
      <dc:date>2022-03-16T15:24:32Z</dc:date>
    </item>
    <item>
      <title>Re: ID Agent automatic login</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ID-Agent-automatic-login/m-p/144270#M25111</link>
      <description>&lt;P&gt;Yes, "Transparent Kerberos Authentication, and also the SSO feature of the LDAP account unit which requires a SPN to be configured in the AD" are exactly the things you have to look at.&lt;/P&gt;
&lt;P&gt;We are using it that way and it works like a charm for many years now.&lt;/P&gt;
&lt;P&gt;Unfortunately Windows only, because Identity Agent for MacOS has no Kerberos support and Check Point does not provide an Identity Agent for Linux at all.&lt;/P&gt;
&lt;P&gt;If Windows-only is a problem for you: We are currently developing our own Identity Agent for Linux with Kerberos support, letting it connect to our own Identity Server for all the session handling, which then updates Check Point's Gateway (pdpd) using its official Identity Web API. Maybe we should even port it to MacOS, because of the missing Kerberos support in the original client.&lt;/P&gt;</description>
      <pubDate>Mon, 21 Mar 2022 09:55:31 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ID-Agent-automatic-login/m-p/144270#M25111</guid>
      <dc:creator>Tobias_Moritz</dc:creator>
      <dc:date>2022-03-21T09:55:31Z</dc:date>
    </item>
    <item>
      <title>Re: ID Agent automatic login</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ID-Agent-automatic-login/m-p/144293#M25112</link>
      <description>&lt;P&gt;Thank you Tobias! Awesome that you took your time to reply.&lt;/P&gt;&lt;P&gt;We are aware that the solution currently is very Microsoft focused, but that limitation seems to be ok considering the end users are on Windows computers for the most part anyway. For Linux the firewalling will be based on IP addresses only.&lt;/P&gt;&lt;P&gt;Great news though that you are looking to expand the functionality over several platforms!&lt;/P&gt;&lt;P&gt;One last question. I'm not sure we are using captive portal for anything right now. Does that mean we don't need the HTTP/HTTPS based "Kerberos Transparent Authentication" specifically? And can we rely only on the SSO service account with SPN configured? I would like to better understand the difference here.&lt;/P&gt;&lt;P&gt;Regards, Fredrik&lt;/P&gt;</description>
      <pubDate>Mon, 21 Mar 2022 13:13:48 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ID-Agent-automatic-login/m-p/144293#M25112</guid>
      <dc:creator>FredrikV</dc:creator>
      <dc:date>2022-03-21T13:13:48Z</dc:date>
    </item>
    <item>
      <title>Re: ID Agent automatic login</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ID-Agent-automatic-login/m-p/144330#M25113</link>
      <description>&lt;P&gt;Just to make sure you did not misunderstand me: I am not working for Check Point. The software we are developing to extend Check Point Identity Awareness agent approach to other client platforms is not approved or supported by Check Point at all. We are just a Check Point customer, who uses the official available and documented Check Point API.&lt;/P&gt;
&lt;P&gt;To your question: When you are not using captive portal, then setting one single service principal name (ckp_pdp/domain) for the AD account specified in LDAP account unit "Active Directory SSO configuration" is enough. Just take care of the ticket encryption method. Based on your Check Point version, there are different ways to set it to modern crypto. See sk111945 or the Identity Awareness Admin Guide for your version.&lt;/P&gt;</description>
      <pubDate>Mon, 21 Mar 2022 16:36:34 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ID-Agent-automatic-login/m-p/144330#M25113</guid>
      <dc:creator>Tobias_Moritz</dc:creator>
      <dc:date>2022-03-21T16:36:34Z</dc:date>
    </item>
    <item>
      <title>Re: ID Agent automatic login</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ID-Agent-automatic-login/m-p/144377#M25114</link>
      <description>&lt;P&gt;Sure, I thought so already, but it's great that you are able to extend functionality based on native APIs. Maybe Check Point one day can adopt your solution and offer the agent for a wide range of supported platforms.&lt;/P&gt;&lt;P&gt;Anyway, I got it to work yesterday after some collaboration with the Active Directory guys. As you mentioned, the encryption had to be adjusted after getting a "General Kerberos Error" in the agent log. After a short review of the cached TGTs on the Windows computer (with the klist command) it was obviously a crypto mismatch.&lt;/P&gt;&lt;P&gt;Thank you very much for your explanations!&lt;/P&gt;</description>
      <pubDate>Tue, 22 Mar 2022 07:47:43 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/ID-Agent-automatic-login/m-p/144377#M25114</guid>
      <dc:creator>FredrikV</dc:creator>
      <dc:date>2022-03-22T07:47:43Z</dc:date>
    </item>
  </channel>
</rss>

