Maarten_Sjouw
Champion

Identity Agent - Auto Detecting gateway

Below is the situation at one of our customers.

Instructions for installation of identity agent on a computer

  1. During installation (computer - not user) enter the ip address of the Check Point gateway, at the prompt accept the certificate
  2. Export the registry values:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA]
"CurrentVersion"="1.0"
"GlobalConfigEnabled"=dword:00000001
"DefaultGateway"="c.d.e.f" <altered>
"DefaultGatewayEnabled"=dword:00000001
"PredefinedPDPConnRBUsed"=dword:00000000
"PTInstDir"="C:\\Program Files\\CheckPoint\\Identity Agent\\"
"CaptivePortalsList"="https://a.b.c.d;https://gateway.domain.com;" <altered>
"ClientDeviceID"="{C3E40EC9-6F84-4006-B5F8-7A00000000029}" <altered>
"IsFirstTimeActivation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\1.0]
"CurrentSP"="0"
"PKGPATH"="C:\\WINDOWS\\Installer\\1214087.msi"
"PRODDIR"="C:\\Program Files\\CheckPoint\\Identity Agent\\"
"PRODUCT_GUID"="{F419A0AD-95C8-400C-B519-F9800000C4}" <altered>

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\1.0\SP0]
"CurrentMSP"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\1.0\SP0\MSP0]
"PRODUCT_GUID"="{F419A0AD-95C8-400C-B519-F9800000C4}" <altered>

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\Shortcuts]
"Configuration"="1"
"DistrConfiguration"="1"
"IdentityAgent"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\TrustedGateways]

[HKEY_LOCAL_MACHINE\SOFTWARE\CheckPoint\IA\TrustedGateways\Gateway VPN Certificate]
"Fingerprint"="xxxx xxxxx xxxx xxxx xxxx" <altered>
"CertificateStatus"=dword:800b0109

 

  3. Use the custom agent tool to create a custom agent msi-file

 

Installation of the custom agent on the test computer

 

  1. Update the registry values on test computer
  2. Install custom agent on test computer
  3. Use a standard user account to log-in on test computer

 

The user should be able to log in without a login prompt from the Identity Agent; however, we do get the login prompt from the IA. To cache the credentials the following registry entry has been added:

 

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\CheckPoint\IA\GatewaysData\10.110.101.62\AutomaticAthentication]
"UserAuthMethods"=dword:00000000

Now the first time we still get the login prompt but an added tickbox to allow credential saving, the next logon is automatic and no prompt is showing anymore.

 

The main question our customer has: can this first prompt also be overridden? My guess is that it cannot be done, but maybe someone has an idea how to do it?

Regards, Maarten
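A PowerShell check, added here and not part of Maarten's post or of Check Point's own tooling, that reads back the registry state the post describes on a test computer and reports which of the settings the silent logon relies on are missing. It assumes the key paths and value names exactly as exported above; the gateway address is a parameter, defaulting to the 10.110.101.62 used in the HKCU key.

```powershell
# Added example: verify the Identity Agent registry state described in the post.
# Run as the logged-on test user, because the AutomaticAthentication key lives under HKCU.
param([string]$GatewayIp = '10.110.101.62')   # gateway address from the post's HKCU key

$MachineKey = 'HKLM:\SOFTWARE\CheckPoint\IA'
$UserKey    = "HKCU:\Software\CheckPoint\IA\GatewaysData\$GatewayIp\AutomaticAthentication"

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-IdentityAgentConfig {
    $findings = @()

    # Machine-wide defaults: the agent should already know which gateway to talk to.
    if ((Get-RegValueOrNull $MachineKey 'DefaultGatewayEnabled') -ne 1) {
        $findings += 'DefaultGatewayEnabled is not 1: the preset gateway will not be used'
    }
    $gw = Get-RegValueOrNull $MachineKey 'DefaultGateway'
    if ([string]::IsNullOrEmpty($gw)) { $findings += 'DefaultGateway is empty' }
    elseif ($gw -ne $GatewayIp) { $findings += "DefaultGateway ($gw) differs from the gateway with the per-user key ($GatewayIp)" }

    # TrustedGateways holds the accepted certificate fingerprint from the install prompt.
    $trusted = @(Get-ChildItem "$MachineKey\TrustedGateways" -ErrorAction SilentlyContinue)
    if ($trusted.Count -eq 0) { $findings += 'No TrustedGateways entry: the certificate prompt will appear on first connect' }
    foreach ($t in $trusted) {
        if (-not (Get-RegValueOrNull $t.PSPath 'Fingerprint')) { $findings += "$($t.PSChildName): Fingerprint missing" }
        $status = Get-RegValueOrNull $t.PSPath 'CertificateStatus'
        # DWORDs come back as Int32, so format as hex before comparing.
        # 0x800B0109 is CERT_E_UNTRUSTEDROOT: the gateway certificate chains to a root the
        # machine does not trust, so the agent is relying on the stored fingerprint instead.
        if ($null -ne $status -and ('{0:X8}' -f [int]$status) -eq '800B0109') {
            $findings += "$($t.PSChildName): certificate root is not trusted by this machine (pinned by fingerprint only)"
        }
    }

    # Per-user credential caching key from the post.
    if ((Get-RegValueOrNull $UserKey 'UserAuthMethods') -ne 0) {
        $findings += 'UserAuthMethods is not 0 under HKCU: credential caching is not enabled for this user'
    }
    return $findings
}

$result = Test-IdentityAgentConfig
if ($result.Count -gt 0) { $result | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Identity Agent registry state matches the post' }
```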
3 Replies
Andreas_Aust
Collaborator

Hi Martin,

look for "Transparent Kerberos SSO Authentication for Identity Agent" in the Identity Awareness Administration Guide.
0 Kudos
Maarten_Sjouw
Champion

Andreas,
All I can find there is Browser based login. This is not browser based.
Regards, Maarten
0 Kudos
Andreas_Aust
Collaborator

Hi Martin,

Identity Awareness Administration Guide R80.30 Page 157 ff. In Short:

 

To configure AD for Kerberos:

1. Make a new user account (on page 149).

2. Open the command line (Start > Run > cmd).

3. Run: setspn -A ckp_pdp/<domain_full_dns_name> <username>

To see users associated with the principal name, run: setspn -Q ckp_pdp*/*

When done, configure an Account Unit (on page 150) in the SmartConsole, to use this account.

 

Best

-a

0 Kudos