ghosty
Contributor

R82 + Windows Server 2025 – LDAPS Connection Fails

Hi,

In my lab environment I'm running:

  • Check Point R82 – Build 151

  • Distributed deployment

  • Windows Server 2025

  • LDAPS (port 636)

  • AD CS Enterprise Root CA

Working:

  • Port 636 reachable

  • I can browse AD structure in SmartConsole

Failing:

  • Connection attempts fail with:
    “Gateway could not connect to… Credentials are valid, but LDAP communication with the server failed.”

I have done the solution steps in sk164834.

On both SMS and Gateway:

cpopenssl s_client -connect DC_FQDN:636

Returns:

Verify return code: 21 (unable to verify the first certificate)


Question:

Is anyone able to replicate this behavior on R82 with Windows Server 2025?
Any tips on additional troubleshooting steps would be appreciated.

Thanks.

0 Kudos
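Added triage helper, not part of the original post: it interprets a captured `openssl s_client -connect <DC_FQDN>:636 -showcerts` transcript (cpopenssl on Gaia prints the same format) and names the CA the client side would have to trust when the result is code 20/21. The hostname, CA name and transcript below are constructed; `probe()` is a live variant that needs network access.

```python
import re
import socket
import ssl

# OpenSSL X509 verify result codes commonly seen when checking an LDAPS endpoint.
VERIFY_CODES = {
    0: "ok",
    19: "self-signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
    62: "hostname mismatch",
}

# " 0 s:<subject>" followed by "   i:<issuer>" inside the "Certificate chain" section.
CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)
CODE_RE = re.compile(r"^Verify return code: (\d+)", re.MULTILINE)

def diagnose(s_client_output):
    """Explain a captured s_client transcript: which code, and which CA is untrusted."""
    chain = [(s.strip(), i.strip()) for _, s, i in CHAIN_RE.findall(s_client_output)]
    match = CODE_RE.search(s_client_output)
    code = int(match.group(1)) if match else None
    result = {"code": code, "meaning": VERIFY_CODES.get(code, "unknown"),
              "chain_depth": len(chain), "missing_trust_anchor": None}
    if code in (20, 21) and chain:
        # 20/21: the issuer of the last presented certificate is not in the local trust
        # store. 21 is the case where only the leaf was sent, typical for a DC whose
        # certificate comes from an AD CS enterprise root CA.
        result["missing_trust_anchor"] = chain[-1][1]
    return result

def probe(host, port=636, cafile=None):
    """Live check (needs network): validate the DC chain against cafile or the OS store.
    Raises ssl.SSLCertVerificationError if the issuing CA is not trusted."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["issuer"]

# Constructed transcript (made-up names; PEM body omitted) of
# `openssl s_client -connect dc01.lab.example:636 -showcerts`
SAMPLE = """depth=0 CN = dc01.lab.example
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:CN = dc01.lab.example
   i:DC = example, DC = lab, CN = lab-DC01-CA
---
Verify return code: 21 (unable to verify the first certificate)
"""
```

When the reported anchor is the AD CS root, exporting that CA certificate and passing it via `-CAfile` (or `cafile=` in `probe`) should turn the result into code 0; if it does not, the problem is not trust but something else in the chain or name.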

37 Replies
the_rock
MVP Diamond

@Vincent_Bacher 

I believe you may have mentioned in one post you had this Windows Server 2025 in the lab? Apologies if I am mistaken. I spoke to Casper about this yesterday, but we sadly don't have that image in the lab, so can't set one up to test. Based on the remote we did, I'm 99.99% sure it is something on that server causing an issue, as we don't even see any drops or traffic even hitting the firewall. We even disabled the native Windows FW on the server, no joy.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Vincent_Bacher
MVP Silver

No I just suggested some debugs.

Any news about the issue?

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
the_rock
MVP Diamond

Got it, sorry, my bad then. 

@ghosty, here are the IA debugs I got from TAC a while back.

# cd $FWDIR/log
# rm pdpd.elg.*
# echo "=debug_start=" >> $FWDIR/log/pdpd.elg

To turn pdp debug on:
# adlog a d on
# pdp debug on
# pep debug on
# pdp debug set all all

Replicate the issue.

To turn them off:
# adlog a d off
# pdp debug unset all all
# pdp debug off
# pep debug off
# pdp d reset
# pep d unset all all

Collect the debug files:
$FWDIR/log/pdpd.elg
# tar zcvf pdpd_debugs.tgz pdpd.elg*
# tar zcvf pepd_debugs.tgz pepd.elg*

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Vincent_Bacher
MVP Silver

Consider increasing the debug file size and number of rotations.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
the_rock
MVP Diamond

Yes, good point, Vince.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Chris_Atkinson
MVP Platinum CHKP

Please confirm the Jumbo take applied to the MGMT / gateways and version of IDC if used etc.

CCSM R77/R80/ELITE
0 Kudos
ghosty
Contributor

Just running the base version atm.

0 Kudos
Lesley
MVP Gold

Never a good idea to run the base version without a Jumbo take. What about IDC? Or do you use AD Query? Are you able to fetch the fingerprints and branches in the LDAP Account Unit?

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
the_rock
MVP Diamond

Not sure if that's even related, but nevertheless, I always install the latest Jumbo in my lab the day it comes out.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Vincent_Bacher
MVP Silver

Is this question "Are you able to fetch the fingerprints and branches in the LDAP Account Unit?" answered?
And are the debugs collected?

Asking because in pdpd.elg you can clearly see all details about the LDAP communication, and given the error message in the starting post I would say pdpd.elg will be helpful to see any hints.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
ghosty
Contributor

Yes, fetch is working.

Debug files are attached.

0 Kudos
Vincent_Bacher
MVP Silver

Strange, I don't see any log lines related to any communication to a device inside the logs, neither in pdp nor in pepd logs.
For AD query there should be at least a hostname or IP in the logs. Nothing.
Did you really replicate the issue after turning on the debugs?

Thanks

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
ghosty
Contributor

I did. But I now tried with IDC instead, and it works like a charm, so I'm gonna use that instead.

0 Kudos
Vincent_Bacher
MVP Silver

Yes, IDC is a valid option 👍

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
(1)
the_rock
MVP Diamond

100%, definitely way more preferred one today.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Vincent_Bacher
MVP Silver

But pdp debug analysis is an interesting use case for a tool 🙂

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
ghosty
Contributor

I upgraded to take 73. Same issue still, unfortunately.

I'm using AD query.

Fetch works.

0 Kudos
Lesley
MVP Gold

Move away from AD query and use IDC instead:

As part of Check Point's response to CVE-2021-26414, "Windows DCOM Server Security Feature Bypass", Check Point recommends to use Identity Collector as the Identity Source instead of AD Query. For more information about Check Point's response to CVE-2021-26414, see sk176148.

In the October 2022 Windows update (KB5018411, KB5018419), Microsoft made changes to read privileges that affect AD Query from an Identity Awareness Gateway to a DC. If AD Query is configured for a DC user who is not an admin (see sk93938), AD Query cannot access the DC. For customers with such a configuration, Check Point recommends to use Identity Collector as the Identity Source instead of AD Query. For more information and workaround procedures, see sk180232.

-------
Please press "Accept as Solution" if my post solved it 🙂
the_rock
MVP Diamond

I made it work with AD query though.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Lesley
MVP Gold

It can work of course. But if every document states IDC is the way to go and recommended, I would stay away from it. From a security point of view but also performance: AD Query loads the GW unnecessarily.

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
the_rock
MVP Diamond

I totally agree. Just in this context, I would like to make it work for Casper using AD query.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
ghosty
Contributor

Thanks for this information. I tried with IDC instead, and it works like a charm.

the_rock
MVP Diamond

Glad you got it working!

Best,
Andy
"Have a great day and if its not, change it"
the_rock
MVP Diamond

@ghosty I did want to mention IDC to you, but glad @Lesley brought it up. I figured we could make it work with AD Query, but he is 100% right, IDC is a way better method these days.

You can read all about it in below post and discussion we had about it back in the day.

https://community.checkpoint.com/t5/Firewall-and-Security-Management/New-IA-Implementation/m-p/18585...

Best,
Andy
"Have a great day and if its not, change it"
the_rock
MVP Diamond

Well, you are in luck, my friend. I just checked and it looks like my colleague did upload a Windows 2025 image, so give me some time, I will let you know in 1 hour tops if it works or not.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond

@ghosty 

Just set it all up, rebooted, disabled the Windows FW, exact same issue as you... let me keep working on it and see if I can fix it.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond

I tested with an any-any allow rule and got the exact same issue you did, Casper, when we did the remote yesterday, so that's how I'm 100% sure it's a Windows issue.

Here is what I ran to make it work (found this after 10 mins on Google lol)

netsh advfirewall set allprofiles state off

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
ghosty
Contributor

This did not solve the issue for me, unfortunately.

0 Kudos
the_rock
MVP Diamond

I did reboot after doing it, mind you.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
