NTLM V1 Required by Identity
I don't understand Checkpoint's position on this. There are numerous security flaws with NTLM v1 and, in addition to various security scanning tools, Microsoft is strongly advising the retirement of NTLM v1. But Checkpoint's identity solution requires it, and specifically requires it to be enabled on domain controllers. It is pretty audacious for Checkpoint to say this is not a Checkpoint issue.
Solution
This is not a Check Point issue.
To fix this issue:
Open the Local Group Policy Editor from the DC: Windows key + R.
Type gpedit.msc and click on OK.
Go to Security Settings > Local Policies > Security Options.
Find the key LAN Manager authentication level. If it is set to "Send NTLMv2 response only", change it to "Send LM & NTLM - use NTLMv2 session security if negotiated" or Not Defined.
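The SK text above only says how to lower the LAN Manager authentication level back to an NTLMv1-tolerant value. What a practitioner actually wants before (or instead of) doing that is to see the DC's current level and to find out which hosts and accounts are still authenticating with NTLMv1 against it, so the real client can be fixed. The script below is an added example, not part of the SK or of this thread, and assumes an elevated PowerShell session on a domain controller with logon auditing enabled; the function names are hypothetical.

```powershell
# Added example: audit the DC's LAN Manager authentication level and list the
# clients still sending NTLMv1, rather than downgrading the DC.
# Assumption: run elevated on a DC with "Audit Logon" success auditing enabled.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# LmCompatibilityLevel values as documented by Microsoft for the
# "Network security: LAN Manager authentication level" policy.
$levelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $value = (Get-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel `
              -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $value) { return 'Not Defined (OS default applies)' }
    return "$value = $($levelNames[[int]$value])"
}

# The hardened value the OP deployed: the DC refuses LM and NTLMv1 outright.
# (The SK's "fix" is the opposite: setting this back to 1 or deleting it.)
function Set-Ntlmv2Only {
    Set-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -Value 5 -Type DWord
}

# Successful logons (Security event 4624) record the NTLM version in the
# "Package Name (NTLM only)" field (EventData LmPackageName), either
# "NTLM V1" or "NTLM V2". Group NTLMv1 logons by account, workstation and
# source IP so the offending client (e.g. an AD Query service account) is obvious.
function Get-Ntlmv1Logons {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Read named fields from the XML view instead of regexing the message text.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.LmPackageName -eq 'NTLM V1') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Workstation = $d.WorkstationName
                SourceIp    = $d.IpAddress
            }
        }
      } |
      Group-Object Account, Workstation, SourceIp |
      Sort-Object Count -Descending |
      Select-Object Count, @{ n = 'Who'; e = { $_.Name } }
}

"Current LAN Manager authentication level: $(Get-LmCompatibilityLevel)"
"NTLMv1 logons against this DC in the last 24h:"
Get-Ntlmv1Logons
```

Run it on each DC before enforcing level 5. If the only NTLMv1 source listed is the gateway's AD Query account, the fix belongs on the Check Point side (enable NTLMv2 for AD Query, or move to Identity Collector), not in the DC's LAN Manager authentication level.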
NTLM v2 is supported and can be enabled. By default it’s disabled. See the admin guide for the relevant version for instructions how to enable it.
While I am hoping your response is correct, it makes no sense. Why didn't the original checkpoint guidance (posted in the OP) provide the instructions on how to enable NTLMv2 in checkpoint instead of instructing the poster how to downgrade Windows to accept NTLM v1?
What exactly doesn’t make sense? The fact that Check Point (not checkpoint) supports NTLMv2? What is this post that you refer to? The official resource of information is the admin guide.
Assuming you're talking about AD Query, you can enable NTLMv2 as described here: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...
That said, you should probably be using Identity Collector instead.
If this isn't what you're referring to, please provide some additional context.
Please see SK 161972, of which I copied the main part into the OP. When we deployed the registry setting so that the domain controllers would not authenticate NTLM V1, we started seeing the exact behavior from the SK. The SK says this is not a Checkpoint issue and gives the instructions on how to allow the DCs to use NTLM V1 instead of referencing how to enable Checkpoint to use NTLM v2. Perhaps the ability to use V2 is just more recent than the article.
What specifically are you implementing this on?
Because this SK is specific to older SMB appliances, not CloudGuard (where you posted this), and I believe it is specific to using AD Query.
We are having exactly the issue described in the SK. We are running identity with Identity Collector. We are also using LDAP account units on the management server. When we disallowed NTLM V1 on the domain controllers and only allowed v2, we started getting the exact behaviour defined in the SK (authentication bad password, because the domain controller can no longer authenticate with NTLM v1). The SK said the solution is to go back and allow NTLM v1 on the domain controller, which really is not a solution at all.
Hm... @Royi_Priov can you comment on this?
Hi @Parauser ,
The feature in question is AD Query, which does support NTLMv2 by default (and can be controlled with the adlogconfig command).
The solution you have mentioned is relevant to SMB products, and seems to be out of date; I will handle it.
On a general note, use of NTLMv1 is not mandatory, and we understand the security concerns. Therefore it is not required by ADQ or any other identity source IDA offers.
Royi Priov
R&D Group manager, Infinity Identity