topic Re: Problem with authentification users on Terminal agent MUHv2 in Firewall and Security Management

Problem with authentification users on Terminal agent MUHv2

vonsakfilip — Fri, 13 Jan 2023 08:07:39 GMT

Hi all

I have problem with authentification users on terminal agent. I have windows server 2022 where is installed MUH agent v2. Agent send identities to PDP Gateway. PDP gateway is cluster HA (active/standby). Users and machines are authentificated by kerberos SSO and it works. Identity agent for windows authetificate user and machine by kerberos but terminal agent use authentification trust for users and kerberos for machine. The problem : when node 2 is active everything works (users are authentificated) but when I switch node 1 to active, authentification trust for users doesnt work. Kerberos for machine works but user is not authentificated. Pdp debug log and terminal agent log:

pdp::UserPasswordAuthenticator::DoneFetchAsync: failed to fetch authentication data for ******. Request ID: . external error: 6 external Error Description: An error was detected while trying to authenticate against the AD server.

I also find log from AD and there is login success for user. Connection from terminal agent to PDP GW works (443), terminal agent is connected but user on node 1 is not able authentificate.

PDP gw log: An error was detected while trying to authenticate against the AD server.
It may be a problem of bad configuration or connectivity.
Please refer to the troubleshooting guide for more help

Security GW: R81.10 take 335

Thanks

Re: Problem with authentification users on Terminal agent MUHv2

Vincent_Bacher — Fri, 13 Jan 2023 08:53:22 GMT

In such cases the first and easiest step i always do is to perform a ldapsearch on the cli of the gateway to see if it's able to communicate with the AD server.

Edit: Just enabled pdpd debug on a test pdp device and see that Async messages are shown when the gateway connects to the ldap au (ad server) to fetch the users information (group membership and so on).
To do this, the gateway has to connect to the ldap au and to authenticate and fetch users info.
Maybe anything does not work at this stage.
Maybe i am wrong, it's still too early in the morning for me 🙂

Re: Problem with authentification users on Terminal agent MUHv2

vonsakfilip — Fri, 13 Jan 2023 09:52:46 GMT

I dont see any problem with AD. Both GW are able authentificate machine and users with kerberos on identity agents. I have only problem with node1 in cluster, node2 works fine. Cluster have same configuration a ip address from same subnet. Connection to AD is correct. The problem have only terminal agent on one node of cluster. GW use same account to communicate with AD.

Re: Problem with authentification users on Terminal agent MUHv2

Vincent_Bacher — Fri, 13 Jan 2023 10:24:23 GMT

I had only used this log entry

suspects that there might be a communication problem between the cluster node and the AD server. Since you obviously know better than me, I take it all back and wish you good luck 😉

Re: Problem with authentification users on Terminal agent MUHv2

israelfds95 — Tue, 06 May 2025 22:54:15 GMT

I posted how I solved: https://community.checkpoint.com/t5/General-Topics/SOLVED-Identity-Agent-Terminal-Server-Users-Not-Authenticated/m-p/248279#M41486