Create a Post
Showing results for 
Search instead for 
Did you mean: 

Identity Agent - Auto Detecting gateway

Below is the situation at one of our customers.

Instructions for installation of identity agent on a computer

  1. During installation (computer - not user) enter the ip address of the Check Point gateway, at the prompt accept the certificate
  2. Export the registry values:

Windows Registry Editor Version 5.00




"DefaultGateway"="c.d.e.f" <altered>



"PTInstDir"="C:\\Program Files\\CheckPoint\\Identity Agent\\"

"CaptivePortalsList"="https://a.b.c.d;;" <altered>

"ClientDeviceID"="{C3E40EC9-6F84-4006-B5F8-7A00000000029}" <altered>






"PRODDIR"="C:\\Program Files\\CheckPoint\\Identity Agent\\"

"PRODUCT_GUID"="{F419A0AD-95C8-400C-B519-F9800000C4}" <altered>






"PRODUCT_GUID"="{F419A0AD-95C8-400C-B519-F9800000C4}" <altered>









[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\TrustedGateways\Gateway VPN Certificate]

"Fingerprint"="xxxx xxxxx xxxx xxxx xxxx"<altered>



  1. Use the custom agent tool to create a custom agent msi-file


Installatiion custom agent on test computer


  1. Update the registry values on test computer
  2. Install custom agent on test computer
  3. Use a standard user account to log-in on test computer


The user should be able to login without a login prompt from the Identity Agent, however we do get the loign prompt from the IA. To cache the credentials the following registry entry has been added:


Windows Registry Editor Version 5.00




Now the first time we still get the login prompt but an added tickbox to allow credential saving, the next logon is automatic and no prompt is showing anymore.


The main question our customer has, can this first prompt also be overridden? My guess is that it cannot be done, but maybe someone has a idea how to do it?

Regards, Maarten
3 Replies

Hi Martin,

look for "Transparent Kerberos SSO Authentication for Identity Agent" in the Idendity Awareness Administration Guide.
0 Kudos

All I can find there is Browser based login. This is not browser based.
Regards, Maarten
0 Kudos

Hi Martin,

Identity Awareness Administration Guide R80.30 Page 157 ff. In Short:


To configure AD for Kerberos:

1. Make a new user account (on page 149).

2. Open the command line (Start > Run > cmd).

3. Run: setspn -A ckp_pdp/<domain_full_dns_name> <username>


To see users associated with the principle name, run: setspn -Q ckp_pdp*/*

When done, configure an Account Unit (on page 150) in the SmartConsole, to use this account. 




0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events