https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-UPN-Suffix/m-p/197721#M36935 <P>Hi,</P> <P>I do realise that this reply is almost 4 years in the making but this nuance continues to plague us. We managed to work around the issue but have a situation where this work around unfortunately doesn't work.</P> <P>&nbsp;</P> <P>The problem with using Identity Collector is that it exclusively retrieves events from AD servers. We wish to use RADIUS with PacketFence or Aruba ClearPass, integrating with CheckPoint via either RADIUS accounting or Identity Awareness API. In those cases the user identity lands on the gateway, especially when using EAP-TLS which doesn't need to interact with AD at all when validating the validity of the presented certificate.<BR /><BR />Our work around up until now has been to strip the realm from the username before it's sent, CheckPoint submits this to AD for group membership queries and authentication but this causes a problem when a username is longer than 20 characters. In that case AD matches the account against the pre-Windows 2000 username, which is often just the truncated version of the UPN.<BR /><BR /><BR />What is the recommended method by which one can facilitate UPN suffix aliases in Active Directory?</P> <P>&nbsp;</P> <P>Regards</P> <P>David Herselman</P> Fri, 10 Nov 2023 15:47:42 GMT David_Herselman 2023-11-10T15:47:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-UPN-Suffix/m-p/79453#M11436 <P>We have Identity Awareness configured and working with AD Query, Captive Portal (including Kerberos SSO), Terminal Services MuH and RADIUS for Enterprise WiFi (Packet Fence).</P><P>We however have problems with user accounts where their Active Directory UPN Suffix was changed as this then no longer matches the domain in the LDAP Account Unit.</P><P>What is the official way to configure additional UPN Suffixes?</P><P>&nbsp;</P><P>What we've done so far:</P><P>Created additional LDAP Account Units, referencing the same AD servers, credentials and LDAP branch as the one for the AD realm but then unset 'User management' and 'AD Query'.</P><P>&nbsp;</P><P>Problem is that RDS (Terminal Services) MuH agent uses Kerberos to identify users and identifies the person as user@upnsuffix2 but then doesn't resolve group memberships.</P><P>&nbsp;</P><P>The account is technically party of the main/original LDAP Account Unit, is there no way to configure UPN suffix aliases?</P><P>&nbsp;</P><P>adlogconfig a gives an option relating to 'add domain' but I'm unable to locate documentation relating to this...</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>David Herselman</P> Tue, 24 Mar 2020 06:17:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-UPN-Suffix/m-p/79453#M11436 David_Herselman 2020-03-24T06:17:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-UPN-Suffix/m-p/79629#M11437 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/8232">@Royi_Priov</a>&nbsp;any idea?</P> Wed, 25 Mar 2020 04:11:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-UPN-Suffix/m-p/79629#M11437 PhoneBoy 2020-03-25T04:11:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-UPN-Suffix/m-p/80112#M11438 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/9832">@David_Herselman</a>&nbsp;</P> <P>&nbsp;</P> <P>Generally, I will recommend using Identity Collector and not AD Query</P> <P>You can read about the differences in sk108235.</P> <P>In Identity Collector, you also have "alias" feature to replace domain suffixes easily.</P> <P>&nbsp;</P> <P>I hope it helps!</P> <P>Royi Priov</P> <P>Identity Awareness R&amp;D</P> Sun, 29 Mar 2020 14:35:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-UPN-Suffix/m-p/80112#M11438 Royi_Priov 2020-03-29T14:35:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-UPN-Suffix/m-p/149801#M24052 <P><SPAN>sk87200</SPAN></P> Tue, 31 May 2022 08:36:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-UPN-Suffix/m-p/149801#M24052 gardazishvili 2022-05-31T08:36:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-UPN-Suffix/m-p/175863#M32116 <P>This worked for me.<BR />Thank you.</P> Thu, 23 Mar 2023 07:29:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-UPN-Suffix/m-p/175863#M32116 Henrik_J 2023-03-23T07:29:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-UPN-Suffix/m-p/197721#M36935 <P>Hi,</P> <P>I do realise that this reply is almost 4 years in the making but this nuance continues to plague us. We managed to work around the issue but have a situation where this work around unfortunately doesn't work.</P> <P>&nbsp;</P> <P>The problem with using Identity Collector is that it exclusively retrieves events from AD servers. We wish to use RADIUS with PacketFence or Aruba ClearPass, integrating with CheckPoint via either RADIUS accounting or Identity Awareness API. In those cases the user identity lands on the gateway, especially when using EAP-TLS which doesn't need to interact with AD at all when validating the validity of the presented certificate.<BR /><BR />Our work around up until now has been to strip the realm from the username before it's sent, CheckPoint submits this to AD for group membership queries and authentication but this causes a problem when a username is longer than 20 characters. In that case AD matches the account against the pre-Windows 2000 username, which is often just the truncated version of the UPN.<BR /><BR /><BR />What is the recommended method by which one can facilitate UPN suffix aliases in Active Directory?</P> <P>&nbsp;</P> <P>Regards</P> <P>David Herselman</P> Fri, 10 Nov 2023 15:47:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/AD-UPN-Suffix/m-p/197721#M36935 David_Herselman 2023-11-10T15:47:42Z