topic Re: Identity Awareness - Identity Collector - Make sure the account exists in the AD in Firewall and Security Management

Identity Awareness - Identity Collector - Make sure the account exists in the AD

JozkoMrkvicka — Sat, 15 Apr 2023 12:54:42 GMT

Hi guys,

I want to test in my home LAB the IDC solution. I didnt work with IA in the past, so asking for a help here 🙂

My goal is to allow connection based on Access Roles for specific users in order to allow them to reach the needed internal resources.

I have R81.10 gateway and MDS with Take 87. Windows Server 2019 is acting like DC and AD. IDC agent is installed on Windows Server. The connection between DC/AD and GW is working, all is green. I have created in AD some test users which are used to log-in to the Windows 7 machine over test domain. So far, all as expected. But once I want to check on Check Point GW if user was recognized as successfully logged to the Windows 7 machine, the firewall logs says that: "Group membership of the required account (user or machine) could not be retrieved from the AD. Make sure the account exists in the AD."

Logs for IA blade:

The same errors are seen for each and every user, doesnt matter if user was already created or created couple of minutes ago.
Looks like some configuration issue on FW which I didnt recognize yet.

There is only 1 Account Unit configured, with following settings:

I checked sk106133, but looks like I didnt find a match there...

Since this is my home LAB, I can do any debugs in order to figure out what is going on.

Anyone who is experienced with IA and IDC specifically, and is able to help me to fix the issue ?

Thanks for the help !

Re: Identity Awareness - Identity Collector - Make sure the account exists in the AD

PhoneBoy — Tue, 18 Apr 2023 22:12:19 GMT

Do you see the gateway try to do LDAP lookups at all (i.e. connections to the LDAP server)?
What does pdp debug on say? (Review $FWDIR/log/pdpd.elg)

Re: Identity Awareness - Identity Collector - Make sure the account exists in the AD

JozkoMrkvicka — Thu, 20 Apr 2023 13:51:42 GMT

connection to LDAP (which is in fact DC) is established over port 389:

Did also tcpdump and connection over 389 is OK.

pdp debugs are attached.

Re: Identity Awareness - Identity Collector - Make sure the account exists in the AD

PhoneBoy — Thu, 20 Apr 2023 22:04:35 GMT

Unfortunately, that doesn't have anything useful.
Maybe try the test_ad_connectivity tool: https://support.checkpoint.com/results/sk/sk100406
Make sure to use that -l (that's a lowercase L) to only perform the LDAP tests as WMI isn't relevant in this case.

Re: Identity Awareness - Identity Collector - Make sure the account exists in the AD

Sorin_Gogean — Fri, 21 Apr 2023 04:03:00 GMT

Hey @JozkoMrkvicka ,

In the 2nd LDAP screenshot, at LDAP Servers, you should have an user defined, and an Login DN as below example. That AD user that I'm using to read, it's a simple user, no specific rights.

Have a look on sk31841 as it might clarify it.

We have no issues with AD users, as the log-in events are learned and CheckPoint GW reads the user/machine groups properly.

Thank you,

Re: Identity Awareness - Identity Collector - Make sure the account exists in the AD

JozkoMrkvicka — Fri, 21 Apr 2023 09:03:30 GMT

Hi @Sorin_Gogean ,

You were right. I left the Login DN blank which is the cause of the issues in my case.

I am using default Administrator user in LAB and forgot to fill "Login DN".

Once "Login DN" was filled and policy pushed, all users are correctly recognized by FW and associated Access Roles are assigned.

Thank you for help !