Identity Agent - Auto Detecting gateway

Maarten_Sjouw — Wed, 15 May 2019 07:56:50 GMT

Below is the situation at one of our customers.

Instructions for installation of identity agent on a computer

During installation (computer - not user) enter the ip address of the Check Point gateway, at the prompt accept the certificate
Export the registry values:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA]

"CurrentVersion"="1.0"

"GlobalConfigEnabled"=dword:00000001

"DefaultGateway"="c.d.e.f" <altered>

"DefaultGatewayEnabled"=dword:00000001

"PredefinedPDPConnRBUsed"=dword:00000000

"PTInstDir"="C:\\Program Files\\CheckPoint\\Identity Agent\\"

"CaptivePortalsList"="https://a.b.c.d;https://gateway.domain.com;" <altered>

"ClientDeviceID"="{C3E40EC9-6F84-4006-B5F8-7A00000000029}" <altered>

"IsFirstTimeActivation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\1.0]

"CurrentSP"="0"

"PKGPATH"="C:\\WINDOWS\\Installer\\1214087.msi"

"PRODDIR"="C:\\Program Files\\CheckPoint\\Identity Agent\\"

"PRODUCT_GUID"="{F419A0AD-95C8-400C-B519-F9800000C4}" <altered>

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\1.0\SP0]

"CurrentMSP"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\1.0\SP0\MSP0]

"PRODUCT_GUID"="{F419A0AD-95C8-400C-B519-F9800000C4}" <altered>

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\Shortcuts]

"Configuration"="1"

"DistrConfiguration"="1"

"IdentityAgent"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\TrustedGateways]

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\TrustedGateways\Gateway VPN Certificate]

"Fingerprint"="xxxx xxxxx xxxx xxxx xxxx"<altered>

"CertificateStatus"=dword:800b0109

Use the custom agent tool to create a custom agent msi-file

Installatiion custom agent on test computer

Update the registry values on test computer
Install custom agent on test computer
Use a standard user account to log-in on test computer

The user should be able to login without a login prompt from the Identity Agent, however we do get the loign prompt from the IA. To cache the credentials the following registry entry has been added:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\CheckPoint\IA\GatewaysData\10.110.101.62\AutomaticAthentication]

"UserAuthMethods"=dword:00000000

Now the first time we still get the login prompt but an added tickbox to allow credential saving, the next logon is automatic and no prompt is showing anymore.

The main question our customer has, can this first prompt also be overridden? My guess is that it cannot be done, but maybe someone has a idea how to do it?

Re: Identity Agent - Auto Detecting gateway

Andreas_Aust — Wed, 15 May 2019 08:59:44 GMT

Hi Martin,

look for "Transparent Kerberos SSO Authentication for Identity Agent" in the Idendity Awareness Administration Guide.

Re: Identity Agent - Auto Detecting gateway

Maarten_Sjouw — Wed, 15 May 2019 12:10:07 GMT

Andreas,
All I can find there is Browser based login. This is not browser based.

Re: Identity Agent - Auto Detecting gateway

Andreas_Aust — Wed, 15 May 2019 12:42:49 GMT

Hi Martin,

Identity Awareness Administration Guide R80.30 Page 157 ff. In Short:

To configure AD for Kerberos:

1. Make a new user account (on page 149).

2. Open the command line (Start > Run > cmd).

3. Run: setspn -A ckp_pdp/<domain_full_dns_name> <username>

To see users associated with the principle name, run: setspn -Q ckp_pdp*/*

When done, configure an Account Unit (on page 150) in the SmartConsole, to use this account.

Best

-a

topic Re: Identity Agent - Auto Detecting gateway in General Topics

Identity Agent - Auto Detecting gateway

Re: Identity Agent - Auto Detecting gateway

Re: Identity Agent - Auto Detecting gateway

Re: Identity Agent - Auto Detecting gateway