topic Re: Question about autentichation VPN in General Topics

Question about autentichation VPN

RemoteUser — Tue, 03 Mar 2026 14:23:35 GMT

Hi mates,

I have a question: is it possible to configure a VPN gateway so that it authenticates users based on PN (Principal Name) instead of DN (Distinguished Name)?

If so, could you please advise how this can be configured?

Thanks in advance.

Re: Question about autentichation VPN

simonemantovani — Tue, 03 Mar 2026 14:58:50 GMT

Hello

did you try to look to the Multiple Login options within the authetication sectioni in VPN clients configuration for the gatreway?

You should be able to authenticate users through UPN, check it if it could solve your problem.

Re: Question about autentichation VPN

RemoteUser — Tue, 03 Mar 2026 15:17:14 GMT

From here right?

Re: Question about autentichation VPN

Martijn — Tue, 03 Mar 2026 15:22:16 GMT

Hi,

Go to VPN Clients -> Authentication.

Add or Edit the Multiple Login Options. 'Username Password' might be there already.
Edit 'Username Password' and select 'User Directories' in the left pane.

Below you can select the 'Common Lookup Type' and set this to UPN.

Martijn

Re: Question about autentichation VPN

RemoteUser — Tue, 03 Mar 2026 15:30:01 GMT

What is the difference between logion options and user directories?
If i'm select Login Option and Edit the personal ertificate it's not the same thing? Or are two different things?

Re: Question about autentichation VPN

simonemantovani — Tue, 03 Mar 2026 15:33:46 GMT

It depends on how you want authenticate the user; in case of user directories the user is authenticated to an external authentication server; personal certificate means that you're trying to authenticate using a certificate.

In your case, what is the scenario?

Re: Question about autentichation VPN

RemoteUser — Tue, 03 Mar 2026 15:35:27 GMT

in my case is that the users coonect using CAPI certificate

Re: Question about autentichation VPN

Martijn — Tue, 03 Mar 2026 15:39:30 GMT

Hi,

The Login Option is what kind of authentication is supported. Personal Certificate, Username and Password or Dynamic ID.
And in which order they must be placed.

So Username and Password can be the first login option, followed by Dynamic ID.

In User Directories, you configure what to look for when a user logs in. SAM Account name, DN or UPN.

Martijn

Re: Question about autentichation VPN

RemoteUser — Tue, 03 Mar 2026 15:41:38 GMT

So if i want to change the login option from DN to UPN i must do that under User Directories and not Login Option?
Right?

Re: Question about autentichation VPN

Martijn — Tue, 03 Mar 2026 16:01:42 GMT

Yes, that's where I would start.

Re: Question about autentichation VPN

RemoteUser — Wed, 04 Mar 2026 19:39:29 GMT

Hi @Martijn
Just for your information, I reviewed the documentation:

It explains that when selecting Personal Certificate as a login option, you can configure what information the Security Gateway sends to the LDAP server to parse the certificate. By default, it uses the DN, but it can also be configured to use the user’s email address or serial number instead.

The documented steps are:

In the Multiple Authentication Clients Settings table on the Authentication page, select a Personal_Certificate entry and click Edit.
In the Authentication Settings section, under Fetch Username from, select the information the Security Gateway should use to parse the certificate.
Click OK.
Install the policy.

There is no mention of changes required in the user directories. Make sense?

Re: Question about autentichation VPN

simonemantovani — Thu, 05 Mar 2026 08:07:08 GMT

Because, probably, it uses the default configuration in "user directories" that is Automatic Configuration (instead of selecting precisely which type of user directory to use).

In any case make sense, in case you could select Manual Configuration and select the LDAP users option, and also select the right LDAP Lookup Type (and for example select Email Address, that usually is the same as UPN).

Re: Question about autentichation VPN

the_rock — Thu, 05 Mar 2026 17:12:15 GMT

Hey brother,

Were you able to sort this out?

Re: Question about autentichation VPN

RemoteUser — Thu, 05 Mar 2026 18:47:10 GMT

Hi Andy,

How are you?

To be honest, I’m even more confused now. I reached out to TAC and they gave me a completely different answer, which is the following: (OpenOptional - UPN with Machine Certificate)
https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/Machine-Certificate.htm

Re: Question about autentichation VPN

the_rock — Thu, 05 Mar 2026 20:20:32 GMT

Im good! How are you?

But wait, you dont want to do certificate auth, do you?

Re: Question about autentichation VPN

RemoteUser — Thu, 05 Mar 2026 20:31:33 GMT

i'm fine andy thank you.
let me explain:

AUTHENTICATION in our case takes place in two ways: either through MFA or through CAPI certificate authentication.

However, in this specific case, we want the Gateway to perform the user validation based on the UPN (User Principal Name) instead of the DN (Distinguished Name) when using CAPI certificate authentication.

Re: Question about autentichation VPN

the_rock — Thu, 05 Mar 2026 20:43:09 GMT

Ah, I get it now! So what TAC sent seems right, but I could not see in that link exact method you want to implement. Let me do some more research and see what I can find for you.

Re: Question about autentichation VPN

RemoteUser — Thu, 05 Mar 2026 20:44:37 GMT

in the link that i sent tac told me it's point 6

Re: Question about autentichation VPN

the_rock — Thu, 05 Mar 2026 20:46:25 GMT

Got it! I just ran this through AI and below is what it gave me:

***************************************************************

Method: Configure UPN Mapping in the Certificate

1. Ensure the certificate contains the UPN

The user certificate must include the UPN in the Subject Alternative Name (SAN) field.

Typical format:

Subject Alternative Name:
 Other Name: UPN=user@domain.com

If the certificate does not contain this, the gateway cannot map it.

2. Configure the Identity Source to Use UPN

In SmartConsole:

Go to
Gateway → Identity Awareness
Under Authentication Methods, open the settings for Certificate (CAPI).
Configure User Name Extraction to use:

Subject Alternative Name → UPN

instead of:

Subject DN

3. Ensure AD Identity Source Supports UPN Lookup

Your Active Directory identity source must allow lookup by userPrincipalName.

This normally works automatically if the AD query account is configured.

4. Optional: Configure LDAP Mapping

If the gateway still attempts DN matching, verify the LDAP attribute mapping:

userPrincipalName

instead of:

distinguishedName

How the Flow Works After the Change

User connects to the gateway.
Client presents certificate.
Gateway extracts:

UPN = user@domain.com

Gateway queries AD:

(userPrincipalName=user@domain.com)

Identity Awareness maps the user successfully.

Quick Verification

On the gateway CLI you can check identities with:

pdp monitor all

pep show user all

This will show whether the username is being mapped as UPN or DN.

💡 Important:
Many issues occur because the certificate contains the UPN in SAN but the gateway still reads the Subject DN, so confirming the SAN extraction setting is key.

✅ If you'd like, I can also show you:

the exact SmartConsole menu path and screenshots for this setting
the Check Point sk article references that explain the UPN certificate mapping (these are not very obvious in the documentation).

yes please

Great — I’ll show you what it looks like in the GUI and the relevant Check Point documentation references so you can verify the configuration.

1. SmartConsole Configuration (UPN instead of DN)

In Check Point SmartConsole, the setting is under the gateway’s Remote Access / Identity configuration.

Path

Gateway Object
 → Remote Access VPN
 → Authentication
 → Login Options (Realm)

Inside the Login Option / Realm used for certificate authentication:

Certificate Username Extraction

Set:

Fetch username from:
 Subject Alternative Name → UPN

Instead of:

Subject DN

LDAP Lookup Type

Under User Directories in the same Login Option:

Common Name Lookup Type:
 User-Principal-Name (UPN)

instead of:

Distinguished Name

2. What the Certificate Must Contain

The certificate must include UPN in the SAN field.

Example:

Subject:
 CN = John Doe

Subject Alternative Name:
 Other Name: Principal Name = john.doe@company.com

Authentication flow becomes:

Certificate → extract UPN from SAN
UPN = john.doe@company.com

LDAP query:
(userPrincipalName=john.doe@company.com)

UPN-based mapping relies on the SAN field, which is the standard way to map certificates to AD users.

3. Known Behavior / Gotcha in Check Point

There is a common issue where Identity Awareness / PDP still uses the default realm, ignoring custom parsing rules.

This happens when:

Login Option parsing rules were changed
But the PDP still references the default "vpn" realm

This behavior is documented in Check Point bug tracking related to certificate parsing rules for UPN extraction.

In those cases:

The gateway extracts the UPN
But LDAP lookup still happens using DN

4. Debug Commands (Very Useful)

On the Check Point Gaia OS gateway:

See extracted identity

pdp monitor all

Show authenticated users

pep show user all

Identity awareness debugging

pdp debug on

Logs appear in:

/var/log/pdp/

Look for lines like:

Extracted username from certificate: user@domain.com
LDAP lookup attribute: userPrincipalName

5. SK Articles Worth Checking

These are the most relevant Check Point Software Technologies knowledge articles for this topic:

sk61060 – Certificate authentication with LDAP
sk172319 – Identity Awareness certificate authentication troubleshooting
sk174084 – Realm parsing rules ignored for certificate authentication
sk113410 – VPN certificate authentication with LDAP

6. Quick Troubleshooting Checklist

If UPN mapping fails, check:

✔ Certificate SAN contains UPN
✔ Login Option extracts SAN → UPN
✔ LDAP lookup type = userPrincipalName
✔ Correct Login Option / Realm used by gateway
✔ AD user attribute userPrincipalName matches certificate