NTLM V1 Required by Identity
I don't understand Checkpoint's position on this. There are numerous security flaws with NTLM v1 and in addition to various security scanning tools, Microsoft is strongly advising the retirement of NTLM v1. But Checkpoint identity solution requires it for their identity solution, and specifically requires it be enabled on domain controllers. It is pretty audacious for Checkpoint to say this is not a Checkpoint issue.
This is not a Check Point issue.
To fix this issue:
Open the Local Group Policy Editor from the DC: Windows key + R.
Type gpedit.msc and click on OK.
Go to Security Settings > Local Policies > Security Options.
Find the key LAN Manager authentication level. If it is set to "NTLMv2 only", change it to "LM and NTLM, NTLMv2 if negotiated" or "Not Defined".
While I am hoping your response is correct, it makes no sense. Why didn't the original checkpoint guidance (posted in the OP) provide the instructions on how to enable NTLMv2 in checkpoint instead of instructing the poster how to downgrade Windows to accept NTLM v1?
What exactly doesn’t make sense? The fact that Check Point (not checkpoint) supports NTLMv2? What is this post that you refer to? The official resource of information is the admin guide.
Assuming you're talking about AD Query, you can enable NTLMv2 as described here: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...
That said, you should probably be using Identity Collector instead.
If this isn't what you're referring to, please provide some additional context.
Please see SK 161972 of which I copied the main part into the OP. When we deployed the registry so that the domain controllers would not authenticate NTLM V1, we started seeing the exact behavior from the SK. The SK says this is not a Checkpoint issue and gives the instructions on how to allow the DCs to use NTLM V1 instead of referencing how to enable Checkpoint to use NTLM v2. Perhaps it is just a recent ability to use V2 since the article.
What specifically are you implementing this on?
Because this SK is specific to older SMB appliances, not CloudGuard (where you posted this), and I believe it is specific to using AD Query.
We are having the exact issue described in the SK. We are running identity with Identity Collector. We are also using LDAP account units on the management server. When we disallowed NTLM V1 on the domain controllers and only allowed v2, we started getting the exact behaviour defined in the SK (authentication bad password, because the domain controller can no longer authenticate with NTLM v1). The SK said the solution is to go back and allow NTLM v1 on the domain controller, which really is not a solution at all.
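Added example, not from this thread and not Check Point's code: a PowerShell audit to run in an elevated session on a domain controller before changing the LAN Manager authentication level quoted from the SK above. It reports whether the DC still accepts NTLMv1 and which accounts and source addresses are still logging on with it, which is how you would catch a service account (such as the one the firewall's AD Query or LDAP account unit uses) before it starts failing with the "bad password" symptom described in the post above. The registry value and the 4624 event fields are standard Windows; the function names and the 24-hour window are my own assumptions.

```powershell
# Meaning of LmCompatibilityLevel, the registry value behind the
# "LAN Manager authentication level" Group Policy setting.
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

# Read the effective level on this host (hypothetical function name).
function Get-LmCompatibilityLevel {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name LmCompatibilityLevel `
              -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $value) {
        # "Not Defined" in the policy: the OS default applies, which still
        # lets a DC accept NTLMv1 from clients.
        return [pscustomobject]@{ Level = $null; Meaning = 'Not Defined (OS default)'; DcAcceptsNtlmV1 = $true }
    }
    [pscustomobject]@{
        Level           = [int]$value
        Meaning         = $LmLevels[[int]$value]
        # Levels 3 and 4 only change what this host *sends*; only level 5
        # makes a domain controller refuse NTLMv1 from clients.
        DcAcceptsNtlmV1 = ([int]$value -lt 5)
    }
}

# List accounts and sources that authenticated with NTLMv1 recently.
# Event 4624 carries "Package Name (NTLM only)" as the LmPackageName field,
# which reads "NTLM V1" or "NTLM V2" (hypothetical function name).
function Get-NtlmV1Logons {
    param([int]$Hours = 24)   # assumed lookback window
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['AuthenticationPackageName'] -eq 'NTLM' -and $data['LmPackageName'] -eq 'NTLM V1') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Source      = $data['IpAddress']
                Workstation = $data['WorkstationName']
            }
        }
    } | Group-Object Account, Source | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Usage: run on the DC, then fix each listed source (e.g. switch the
# identity source to NTLMv2 or Kerberos) before raising the level to 5.
Get-LmCompatibilityLevel | Format-List
Get-NtlmV1Logons -Hours 24 | Format-Table -AutoSize
```

The distinction the level table makes is the one that matters here: setting a DC back to "LM and NTLM, NTLMv2 if negotiated" (level 1) as the SK suggests is more permissive than necessary, since the DC already accepts NTLMv1 from clients at levels 3 and 4; what breaks AD Query is level 5, and the fix on the identity side is to have the client stop sending NTLMv1, not to lower the DC.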
Hi @Parauser ,
The feature in question is AD Query, which does support NTLMv2 by default (and can be controlled with the adlogconfig command).
The solution you have mentioned is relevant to SMB products, and seems to be out of date - I will handle it.
On a general note, NTLMv1 does not have to be used, and we understand the security concerns. Therefore it is not required by ADQ or any other identity source IDA offers.
Group manager, Identity Awareness R&D