https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-query-failing-for-identity-Awareness/m-p/179887#M5083 <P>Excellent point indeed...I had customer who was hesitant to move to IDC, but once I gave them all the good reasons to and they saw issues with windows updates on their AD server, they finally accepted to move away from AD query and are super content now with identity collector, no issues on 3 months since the change.</P> Wed, 03 May 2023 18:01:18 GMT the_rock 2023-05-03T18:01:18Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-query-failing-for-identity-Awareness/m-p/179723#M5076 <P>&nbsp;</P><P>Hello Team,</P><P>We have recently had to rebuild our r77.30 firewall (due to a failed upgrade attempt, SMS is already r81).</P><P>We have connectivity from r77.30 gw to our RSA server but get the following error:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AD Query.JPG" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20731i25A110002D6F5618/image-size/medium?v=v2&amp;px=400" role="button" title="AD Query.JPG" alt="AD Query.JPG" /></span></P><P>&nbsp;</P><P>We have tried several sets of creds which we know to be correct (i.e. admin level) but continue to get this error message.</P><P>Can anyone help please?</P> Tue, 02 May 2023 15:39:43 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-query-failing-for-identity-Awareness/m-p/179723#M5076 checkpointer 2023-05-02T15:39:43Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-query-failing-for-identity-Awareness/m-p/179729#M5077 <P>For simplicity, the service account you use with the IDA should be a Domain Admin. It is possible to use a non-Domain Admin account, but then you need to start doing schema updates and changes within your Domain. Not familiar with pointing IDA at a RSA server vs a domain/domain controller.</P> <P>Also do need to point out that R77.30 has been End of Support for a while now. R80.40 is our oldest/supported version with R81.10 being our Recommended version.</P> Tue, 02 May 2023 16:09:25 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-query-failing-for-identity-Awareness/m-p/179729#M5077 Matt_Ricketts 2023-05-02T16:09:25Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-query-failing-for-identity-Awareness/m-p/179735#M5078 <P>Put it this way...as&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/559">@Matt_Ricketts</a>&nbsp;said, R77.30 has been unsupported way before Covid-19 I think, but regardless, even if you were on R55 or R81.20 version, you HAVE TO use domain account with full admin privileges to make this work. I spent way too many hours with TAC on the phone going through sk93938 and we could never get that working...ever.</P> <P><A href="https://support.checkpoint.com/results/sk/sk93938" target="_blank" rel="noopener">https://support.checkpoint.com/results/sk/sk93938</A></P> <P>Andy</P> Tue, 02 May 2023 18:13:14 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-query-failing-for-identity-Awareness/m-p/179735#M5078 the_rock 2023-05-02T18:13:14Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-query-failing-for-identity-Awareness/m-p/179755#M5079 <P>Thanks Matt, the&nbsp;<SPAN>account we are testing with are both Domain Admin.&nbsp;</SPAN></P> Tue, 02 May 2023 23:00:01 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-query-failing-for-identity-Awareness/m-p/179755#M5079 checkpointer 2023-05-02T23:00:01Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-query-failing-for-identity-Awareness/m-p/179756#M5080 <P>Thanks Rock, the&nbsp;<SPAN>accounts we are testing with are domain accounts with full admin privileges.</SPAN></P> Tue, 02 May 2023 23:22:29 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-query-failing-for-identity-Awareness/m-p/179756#M5080 checkpointer 2023-05-02T23:22:29Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-query-failing-for-identity-Awareness/m-p/179763#M5081 <P>Windows Server 2016 or 2019? Microsoft changed things within Windows Server 2022 and my IDA wouldn't authenticate anymore. I changed to the Identity Collector at that point. IDC is moving towards being the recommended method going forward too.</P> Tue, 02 May 2023 23:57:18 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-query-failing-for-identity-Awareness/m-p/179763#M5081 Matt_Ricketts 2023-05-02T23:57:18Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-query-failing-for-identity-Awareness/m-p/179886#M5082 <P>In response to various security vulnerabilities, Microsoft has made numerous changes to WMI.<BR />This effectively "breaks" ADQuery and we've been recommending people move to Identity Collector for some time.<BR />For details on Identity Collector, see:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk108235" target="_blank">https://support.checkpoint.com/results/sk/sk108235</A><BR />Yes, you can run Identity Collector under R77.30, but it's been End of Support for other three years now.</P> Wed, 03 May 2023 17:55:30 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-query-failing-for-identity-Awareness/m-p/179886#M5082 PhoneBoy 2023-05-03T17:55:30Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-query-failing-for-identity-Awareness/m-p/179887#M5083 <P>Excellent point indeed...I had customer who was hesitant to move to IDC, but once I gave them all the good reasons to and they saw issues with windows updates on their AD server, they finally accepted to move away from AD query and are super content now with identity collector, no issues on 3 months since the change.</P> Wed, 03 May 2023 18:01:18 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/AD-query-failing-for-identity-Awareness/m-p/179887#M5083 the_rock 2023-05-03T18:01:18Z