Lesley
Leader

Identity Collector - domain user password change

Hi everyone,

Regarding the current CVE I wanted to change the LDAP password that is used by the gateway. (LDAP account unit).

For this we use one domain user, this user is used in the LDAP account unit, but also on our 2 IDC machines.

We changed the password in AD and we can use the new password to login with RDP. Also we changed in Smart Console and we are able to browse the AD in Smart Console after policy push. 

After that I wanted to update the password on the Collector, first on one server. After the password change it gave an error that the password was incorrect, and the status changed from green to red for all configured domain servers. Strangely, the other collector that had not been touched kept working despite the password having been changed in AD. It should not be able to work with the old password still in its config.

On the problematic IDC system I did a reboot, but also cleared all configuration in the application, so I made a new filter, domains etc.

It gets stuck here: https://sc1.checkpoint.com/documents/Identity_Awareness_Clients_Admin_Guide/Content/Topics/Identity-...

Under section: Add Domain Controllers manually one at a time

If you press test, it gives the incorrect password error. I was thinking maybe the patch (CVE patch) had an effect on it, so I removed the patch, made the gateway active and tested again, but sadly it did not help (I saw in tcpdump that if I press test, the IDC also connects to the IA gateway).

Luckily for me we had the old password in the vault and used that again. After putting back the old password the IDC system started to work again. Second, what I noticed is that if I press test too much, the user gets locked in AD. We also tried to make a new user, but that did not help either. Why is the IDC not using the new password even after a reboot and clearing all configuration related to AD?

-------
If you like this post please give a thumbs up(kudo)! 🙂
5 Replies
PhoneBoy
Admin

I assume failed login attempts would cause the account to get locked in AD per your GPO settings.
However, "old" credentials sounds like a caching issue somewhere on the AD side of things.
Have you opened a TAC case?

Lesley
Leader

No TAC case yet; I was thinking maybe to create some debugs.

A cache issue on AD I am not sure about; I think it is more on the collector. We attached around 5 AD servers in the IDC config and all gave the invalid password error. Testing the new password via RDP worked. Also we tried to create a new user, same issue. As a final step we used a domain admin account, also invalid password (this last one did not have a password change, so it would rule out that it could be caching on the AD server).

PhoneBoy
Admin

Yeah, definitely sounds like some debugs are needed somewhere.

EY
Contributor

@Lesley - Did you ever find a resolution to this? If so, could you share? Thank you!

Lesley
Leader

No. I enabled debugs on the IDC, tried again with a new AD user, and all was good.

Before, I had also tested with a new AD user and that was not the issue. Maybe it was related to cache.
