Identity Agent - Auto Detecting gateway

Below is the situation at one of our customers.

Instructions for installation of identity agent on a computer

  1. During installation (computer - not user) enter the IP address of the Check Point gateway; at the prompt, accept the certificate
  2. Export the registry values:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA]
"CurrentVersion"="1.0"
"GlobalConfigEnabled"=dword:00000001
"DefaultGateway"="c.d.e.f" <altered>
"DefaultGatewayEnabled"=dword:00000001
"PredefinedPDPConnRBUsed"=dword:00000000
"PTInstDir"="C:\\Program Files\\CheckPoint\\Identity Agent\\"
"CaptivePortalsList"="https://a.b.c.d;https://gateway.domain.com;" <altered>
"ClientDeviceID"="{C3E40EC9-6F84-4006-B5F8-7A00000000029}" <altered>
"IsFirstTimeActivation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\1.0]
"CurrentSP"="0"
"PKGPATH"="C:\\WINDOWS\\Installer\\1214087.msi"
"PRODDIR"="C:\\Program Files\\CheckPoint\\Identity Agent\\"
"PRODUCT_GUID"="{F419A0AD-95C8-400C-B519-F9800000C4}" <altered>

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\1.0\SP0]
"CurrentMSP"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\1.0\SP0\MSP0]
"PRODUCT_GUID"="{F419A0AD-95C8-400C-B519-F9800000C4}" <altered>

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\Shortcuts]
"Configuration"="1"
"DistrConfiguration"="1"
"IdentityAgent"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\TrustedGateways]

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\TrustedGateways\Gateway VPN Certificate]
"Fingerprint"="xxxx xxxxx xxxx xxxx xxxx" <altered>
"CertificateStatus"=dword:800b0109

  3. Use the custom agent tool to create a custom agent msi-file

Installation custom agent on test computer

  1. Update the registry values on test computer
  2. Install custom agent on test computer
  3. Use a standard user account to log in on test computer

The user should be able to login without a login prompt from the Identity Agent, however we do get the login prompt from the IA. To cache the credentials the following registry entry has been added:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\CheckPoint\IA\GatewaysData\10.110.101.62\AutomaticAthentication]
"UserAuthMethods"=dword:00000000

Now the first time we still get the login prompt, but with an added tickbox to allow credential saving; the next logon is automatic and no prompt is shown anymore.

The main question our customer has: can this first prompt also be overridden? My guess is that it cannot be done, but maybe someone has an idea how to do it?

Regards, Maarten
3 Replies

Re: Identity Agent - Auto Detecting gateway

Hi Martin,

Look for "Transparent Kerberos SSO Authentication for Identity Agent" in the Identity Awareness Administration Guide.
0 Kudos

Re: Identity Agent - Auto Detecting gateway

Andreas,
All I can find there is Browser based login. This is not browser based.
Regards, Maarten
0 Kudos

Re: Identity Agent - Auto Detecting gateway

Hi Martin,

Identity Awareness Administration Guide R80.30 Page 157 ff. In short:

To configure AD for Kerberos:

1. Make a new user account (on page 149).

2. Open the command line (Start > Run > cmd).

3. Run: setspn -A ckp_pdp/<domain_full_dns_name> <username>

To see users associated with the principal name, run: setspn -Q ckp_pdp*/*

When done, configure an Account Unit (on page 150) in the SmartConsole, to use this account.

 

Best

-a

0 Kudos
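
A check for the setspn step in the reply above, as an added example that is not part of the original thread or of Check Point's documentation: it parses the output of the `setspn -Q ckp_pdp*/*` query and reports whether `ckp_pdp/<domain>` is missing or registered on more than one account. The sample output, the account names and the domain are constructed, and treating the service account as dedicated to this one SPN is an assumption.

```python
import re
from collections import defaultdict

# Constructed `setspn -Q ckp_pdp*/*` output (hypothetical accounts and domain):
# the SPN was also added to a second, older account by mistake.
SAMPLE = """\
Checking domain DC=corp,DC=example,DC=com
CN=ckp-sso,CN=Users,DC=corp,DC=example,DC=com
\tckp_pdp/corp.example.com
CN=ckp-sso-old,CN=Users,DC=corp,DC=example,DC=com
\tCKP_PDP/CORP.EXAMPLE.COM
\tHTTP/legacy.corp.example.com

Existing SPN found!
"""

def parse_setspn(output):
    """Map each account DN to the SPNs listed (indented) beneath it."""
    accounts, current = defaultdict(list), None
    for line in output.splitlines():
        if re.match(r"(CN|OU)=", line, re.I):
            current = line.strip()
        elif current and line[:1] in (" ", "\t") and line.strip():
            accounts[current].append(line.strip())
        else:
            current = None  # header, blank line or status message
    return dict(accounts)

def audit(output, domain_fqdn):
    """Findings for ckp_pdp/<domain>; extra SPNs are flagged as a hygiene
    check, assuming the account from step 1 is dedicated to this service."""
    wanted = f"ckp_pdp/{domain_fqdn}".lower()  # SPNs compare case-insensitively
    accounts = parse_setspn(output)
    holders = [dn for dn, spns in accounts.items()
               if wanted in (s.lower() for s in spns)]
    findings = []
    if not holders:
        findings.append(f"{wanted} is not registered on any account")
    elif len(holders) > 1:
        findings.append(f"{wanted} is registered on {len(holders)} accounts "
                        f"(duplicate SPN, Kerberos SSO is unreliable): {holders}")
    for dn in holders:
        extra = [s for s in accounts[dn] if not s.lower().startswith("ckp_pdp/")]
        if extra:
            findings.append(f"{dn} also carries other SPNs: {extra}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "corp.example.com"):
        print("FINDING:", finding)
```
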