This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Oussama_Kadim1
Contributor
‎2018-03-01 02:53 PM

Identity awareness & Kerberos transparent auth ?

hello,

I need your help ^^

I just implemented Identity awareness. The client does not want to use AD query and would like to have transparent authentication.

I decided to set up the id awareness based on Kerberos authentication using the identity agent. The problem is that when I connect to the client machine with my domain name, the identity awareness asks me to retype my domain user and password to recognize me. Could you please tell me how to make this transparent? how can the identity agent recover my identity without retyping my user and password (i.e: by using the authentication data used during my first connection to my PC)?

0 Kudos
11 Replies
Kaspars_Zibarts
Employee Employee
Employee
‎2018-03-01 10:50 PM

Have you looked into Identity Collector option?

Identity Collector - Technical Overview 

We have have it before it was called IDC and are very satisfied. As it says on the tin:

Identity Collector key benefits over standard AD Query

  • Reduces the load on the Security Gateway - the agent is doing the queries instead of the Security Gateway.
  • Reduces the load on the DCs - the native Windows API used consumes less resources.
  • The Identity Collector requires no administrator or administrator-like permissions. Only permission required is read-only access to the domain security logs.
  • One Identity Collector can serve multiple Security Gateways, even from different CMA.

Plus nothing to install on the client.

We are 25000+ users organization and AD query was not built for that scale. plus we wanted to avoid any installs on the client.

0 Kudos
Marco_Valenti
Advisor
‎2018-03-02 12:39 AM
In response to Kaspars_Zibarts

Do you use a dedicated machine for that? since the collector require java env maybe some customer could argue with that choice

0 Kudos
cstueckrath
Collaborator
‎2018-03-02 12:19 AM

did you set the corresponding SPN?

0 Kudos
Oussama_Kadim1
Contributor
‎2018-03-02 01:20 AM
In response to cstueckrath

 yes I added the corresponding SPN on the AD (It is working when I enter manually my AD login and password on the Identity agent)

0 Kudos
Oussama_Kadim1
Contributor
‎2018-03-02 12:47 AM

Hello,

Kaspars Zibarts‌: unfortunately we can not install anything on AD it's forbidden.

@Christian Stueckrath: yes I added the corresponding SPN on the AD (It is working when I enter manually my AD login and password on the Identity agent)

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2018-03-02 01:02 AM
In response to Oussama_Kadim1

You don't need to install anything on actual domain controller. You add a new Windows machine that runs IDC. And it acts as a "proxy" between GW and AD. Reducing load on both. So yes - you will need at least one (or more depending on your network) windows machine (VM or physical) to install IDC.

By doing that we saw incredible reduction of CPU usage on gateway and also no more issues with actual domain controller as AD queries caused lots of headaches as it used WMI.

Oussama_Kadim1
Contributor
‎2018-03-02 01:10 AM
In response to Kaspars_Zibarts

Yes, I agree with you I will present this solution to the client but the Identity Agent solution has been validated in CAB and it will be very difficult for the client to rollback :S

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee
‎2018-03-02 02:00 AM
In response to Oussama_Kadim1

Just part of our daily lives Smiley Happy took as nearly 2 years to get IA running as expected 

Oussama_Kadim1
Contributor
‎2018-03-02 05:30 AM

Hello,

It was an SPN issue, it is working now, thank you all for your feedback.

Regards.

0 Kudos
Piet_vd_Maas_2
Participant
‎2018-12-17 04:26 AM
In response to Oussama_Kadim1

What was the SPN issue? Maybe I'm running into the same problem.

0 Kudos
Oussama_Kadim1
Contributor
‎2018-12-17 05:33 AM
In response to Piet_vd_Maas_2

Hello,

To check if there is any SPN issue, make a flow capture with wireshark in your Kerberos server (Active directory) and  filter kerberos flows and you will see the error.

Regards.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events