
Endpoint AD Authentication - Server 2016+

From the Endpoint Security Management Server R80.20 Administration Guide there's a process to get AD ready for Kerberos authentication, which looks like:

Running this on Server 2016 doesn't work as the command errors out with the following:

Targeting domain controller: domaincontroller.domain.com
Failed to retrieve values for property ?????????: 0x10.
Failed to set property 'servicePrincipalName' to 'cpepauthsrv/domain.com' on Dn 'CN=Check Point Endpoint Authentication,OU=Service Accounts,DC=domain,DC=com': 0x32.
WARNING: Unable to set SPN mapping data.
If cpepauth already has an SPN mapping installed for cpepauthsrv/domain.com, this is no cause for concern.
Failed to retrieve user info for cpepauth: 0x5.
Aborted.

What needs changing in order to make this work on Server 2016?

TIA

8 Replies
Admin

Re: Endpoint AD Authentication - Server 2016+

Best to open a TAC case on this.

How To Open a Case with TAC and/or Account Services

Re: Endpoint AD Authentication - Server 2016+

Cheers Dameon.  SR raised.

Employee+

Re: Endpoint AD Authentication - Server 2016+

As KTPASS is a Microsoft tool, I strongly suggest consulting with Microsoft support regarding this matter.


Re: Endpoint AD Authentication - Server 2016+

Then again, considering that Endpoint apparently needs this to be working, it's certainly an idea for this issue to be flagged up in this community so that we can share the solution, isn't it?  Fobbing it off as "a Microsoft issue" doesn't really cure the problem or help anyone else who has the same problem...


Re: Endpoint AD Authentication - Server 2016+

To add further clarification, it looks like Server 2016 needs more parameters than detailed in the Admin Guide so knowing what they need to be might be helpful...

Employee+

Re: Endpoint AD Authentication - Server 2016+

My point was to get details from Microsoft as it can be much faster for the direct customer.

We will contact the development team for clarifications regarding this matter too.


Re: Endpoint AD Authentication - Server 2016+

No problem.

I do think there's a simple solution, though.  I've added this on to the sk but it seems that UAC could be causing the problem on Server 2016.  Running the following command:

   ktpass /princ cpepauthsrv/cpepauth.domain.com@DOMAIN.COM /mapuser cpepauth@DOMAIN.COM /pass C00l!Password /out cpepauth.keytab

under a command prompt which had been executed with the option "Run as Administrator" generated the following output:

Targeting domain controller: Dc1.domain.com
Successfully mapped cpepauthsrv/cpepauth.domain.com to cpepauth.
Password successfully set!
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to cpepauth.keytab:
Keytab version: 0x502
keysize 85 cpepauthsrv/cpepauth.domain.com@DOMAIN.COM ptype 0 (KRB5_NT_UNKNOWN) vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0x95352e2ef03ebd4a5de4c2a922432bc1)

which follows the output of the Admin Guide more closely.

Note that the switch format in the command with the preceding '/' was taken from a Microsoft TechNet article.

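The fix described in the reply above is procedural: the ktpass command only succeeds from a prompt started with "Run as Administrator", because it writes servicePrincipalName on the service account, resets the account's password and writes a keytab. The following PowerShell script is an added example and is not code from this thread, from the Admin Guide or from Check Point; it wraps that procedure so it refuses to run without an elevated token, then verifies that the SPN mapping and the keytab file actually exist afterwards. The realm DOMAIN.COM, the account cpepauth, the host cpepauth.domain.com and the keytab path are taken from the command in the thread and are assumptions for your environment; the ACL step at the end and the use of '/pass *' (ktpass's built-in interactive password prompt) are my additions, not something the reply used.

```powershell
# Added example (not from the thread, the Admin Guide or Check Point).
# Assumed names: realm DOMAIN.COM, service account cpepauth,
# SPN host cpepauth.domain.com, keytab written to the current directory.
param(
    [string]$Realm       = 'DOMAIN.COM',
    [string]$Account     = 'cpepauth',
    [string]$ServiceHost = 'cpepauth.domain.com',
    [string]$KeytabPath  = "$PWD\cpepauth.keytab"
)

# 1. Refuse to continue without an elevated token. The thread's 0x5 (access
#    denied) and 0x32 errors appeared when ktpass ran under a UAC-filtered token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Start the prompt with 'Run as Administrator' before running ktpass."
}

$spn = "cpepauthsrv/$ServiceHost"

# 2. Generate the keytab. '/pass *' makes ktpass prompt for the password, so it
#    is not left in the shell history as the plaintext form in the thread would be.
& ktpass.exe /princ "$spn@$Realm" /mapuser "$Account@$Realm" /pass * /out $KeytabPath
if ($LASTEXITCODE -ne 0) {
    throw "ktpass exited with code $LASTEXITCODE; check the output above."
}

# 3. Verify the result instead of trusting the tool's summary lines:
#    the SPN must be on the account and the keytab must have been written.
Import-Module ActiveDirectory
$user = Get-ADUser -Identity $Account -Properties servicePrincipalName
if ($user.servicePrincipalName -notcontains $spn) {
    throw "SPN '$spn' is not set on '$Account'; the mapping did not take effect."
}
if (-not (Test-Path -Path $KeytabPath)) {
    throw "No keytab was written to '$KeytabPath'."
}

# 4. The keytab holds the account's long-term key: restrict it to Administrators
#    and SYSTEM before copying it to the Endpoint server (assumed ACL, adjust to fit).
& icacls.exe $KeytabPath /inheritance:r /grant:r 'Administrators:(F)' 'SYSTEM:(F)' | Out-Null

Write-Host "SPN '$spn' is mapped to '$Account'; keytab written to '$KeytabPath'."
```

Run it from an elevated PowerShell window on a domain-joined machine with RSAT's ActiveDirectory module installed. The "pType and account type do not match" line in the thread's output is ktpass defaulting the principal type to 0 (KRB5_NT_UNKNOWN), which the final reply says can be ignored. Note also that the keytab in the thread carries an RC4-HMAC key (etype 0x17); ktpass's /crypto switch selects the encryption type, but whatever you pick must be one the Endpoint server accepts, and the thread does not cover that.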
Employee+

Re: Endpoint AD Authentication - Server 2016+

First of all, thank you for your time to check this.

The changes found in the command and the requirement to use an elevated command prompt look legit to us.

We checked with the development team regarding this - and they have confirmed that after applying the above changes, authentication should work properly.

The warning in the output of the ktpass command should be ignored.
