topic Re: Identity Awareness and AD in Firewall and Security Management

Identity Awareness and AD

Moudar — Fri, 17 Nov 2023 07:43:15 GMT

I am trying the Identity Awareness blade in my lab. when activating the Identity Awareness blade it says "Domain administrator credentials are required"

The AD account I am using to do that is a domain administrator, but even though i get this: "Standard user cerdentials"!

These are the groups that the AD account is member of:

What do I miss here?

Re: Identity Awareness and AD

Moudar — Mon, 20 Nov 2023 07:35:40 GMT

I wonder why no one is looking at my problem!!

Re: Identity Awareness and AD

ikafka — Mon, 20 Nov 2023 07:54:32 GMT

Hi @Moudar

Maybe you can check this page.

Identity Awernes Admin Guide

"Important - For AD Query you must enter domain administrator credentials. For Browser-Based Authentication standard credentials are sufficient."

Re: Identity Awareness and AD

Chris_Atkinson — Mon, 20 Nov 2023 12:19:47 GMT

Which Version/Jumbo & SmartConsole build is used in this environment?

Have you already performed troubleshooting such as sk91040?

Note Identity Collector (rather than ADquery) is the current recommended method for integrating AD with Identity Awareness.

Re: Identity Awareness and AD

Moudar — Mon, 20 Nov 2023 13:31:16 GMT

I am using this version:

show version all Product version Check Point Gaia R81.20 OS build 631 OS kernel version 3.10.0-1160.15.2cpx86_64 OS edition 64-bit

when I run: "adlog a dc" I get this:

[Expert@A-GW-01:0]# adlog a dc Domain controllers: Domain Name IP Address Events (last hour) Connection state ============================================================================================================ a-ldap.a-ldap.lab 192.168.11.101 0 connection had internal error [ntstatus = 0x80010111] Ignored domain controllers on this gateway: No ignored domain controllers found.

I am 100% sure that the user is domain admin and the password is right!!

Re: Identity Awareness and AD

PhoneBoy — Mon, 20 Nov 2023 21:53:12 GMT

Pretty sure this is expected behavior in modern environments.
See: https://support.checkpoint.com/results/sk/sk91462
Specifically, if NTMLv2 is enabled (which is the default) this wizard will fail.

Re: Identity Awareness and AD

Moudar — Tue, 21 Nov 2023 08:30:07 GMT

adlogconfig a - No configuration exists [ ] Override configuration [ ] Enable Adlog [ ] Enable log for login or logoff [ ] Use log original creation time Association timeout : 0 Full Name Query Interval (days, 0=disabled) : 0 Full Name Fetch Hour : 0 Multi-user host Detection Threshold: 7 Revoked user timeout interval : 14400 [X] Enable Multi-User Host persistence DB Multi-User Host persistence machine timeout (minutes): 2592000 Service Account Detection Threshold: 10 [ ] Automatically Exclude Service Accounts [ ] Override default communication parameters Query Within count : 0 Query Max returned objects in each iteration: 0 [X] Disable password expiration check [ ] Authentication mode [ ] Use NTLMv1 [X] Use NTLMv2 [ ] Single User Assumption [ ] Don't report machines [X] LDAP groups update notifications Notifications accumulation time : 10 (sec) [X] Notify only user-related LDAP changes [ ] Prefer IPv6 DC addresses [1] WMI query Type

As you can see NTLMv2 is enabled.

I will follow sk91462 and come back with results

Re: Identity Awareness and AD

Moudar — Tue, 21 Nov 2023 10:54:14 GMT

adlogconfig a [ ] Override configuration [ ] Enable Adlog [ ] Enable log for login or logoff [ ] Use log original creation time Association timeout : 0 Full Name Query Interval (days, 0=disabled) : 0 Full Name Fetch Hour : 0 ------------------- Domain name : A-LDAP.lab Username : moudar Domain Controllers : A-LDAP.A-LDAP.lab ------------------- Multi-user host Detection Threshold: 7 Revoked user timeout interval : 14400 [X] Enable Multi-User Host persistence DB Multi-User Host persistence machine timeout (minutes): 2592000 Service Account Detection Threshold: 10 [ ] Automatically Exclude Service Accounts [ ] Override default communication parameters Query Within count : 0 Query Max returned objects in each iteration: 0 [X] Disable password expiration check [ ] Authentication mode [X] Use NTLMv1 [ ] Use NTLMv2 [ ] Single User Assumption [ ] Don't report machines [X] LDAP groups update notifications Notifications accumulation time : 10 (sec) [X] Notify only user-related LDAP changes [ ] Prefer IPv6 DC addresses [1] WMI query Type

adlogconfig a -test A-LDAP.lab Testing A-LDAP.A-LDAP.lab: Internal Error

Now I am using NTLMv1 but still have problem with Identity Awareness Configuration wizard:

Re: Identity Awareness and AD

PhoneBoy — Tue, 21 Nov 2023 15:04:46 GMT

I don’t believe the wizard supports LDAPS either, which I assume modern AD servers require.
However the wizard is not required to configure Identity Awareness.

Re: Identity Awareness and AD

Moudar — Tue, 21 Nov 2023 15:09:31 GMT

I became sick of trying to use AD query.

Now I am using Identity collector and it is running well. But I needed to follow sk113021 to make it connect to the VIP.

Re: Identity Awareness and AD

cassiomaciel — Tue, 21 Nov 2023 16:03:10 GMT

Hi,

Did you try to use command test_ad_ connectivity from gateway?

I suggest to review or create the domain object directly.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topics-IDAG/CLI/test-ad-connectivity.htm

Re: Identity Awareness and AD

Don_Paterson — Tue, 05 Dec 2023 16:37:31 GMT

Hi Chris,
Is that recommended (or Best Practice maybe) documented anywhere, so that you can share a link or SK?

I agree with you but want to see if R&D have documented it anywhere.

Don