Hello,
I need your help ^^
I just implemented Identity Awareness. The client does not want to use AD Query and would like to have transparent authentication.
I decided to set up Identity Awareness based on Kerberos authentication using the Identity Agent. The problem is that when I connect to the client machine with my domain account, Identity Awareness asks me to retype my domain user and password to recognize me. Could you please tell me how to make this transparent? How can the Identity Agent recover my identity without me retyping my user and password (i.e. by using the authentication data used during my first connection to my PC)?
Have you looked into the Identity Collector option?
Identity Collector - Technical Overview
We have had it since before it was called IDC and are very satisfied. As it says on the tin:
Plus nothing to install on the client.
We are a 25000+ user organization and AD Query was not built for that scale. Plus we wanted to avoid any installs on the client.
Do you use a dedicated machine for that? Since the collector requires a Java environment, maybe some customers could argue with that choice.
Did you set the corresponding SPN?
Yes, I added the corresponding SPN in AD (it is working when I enter my AD login and password manually in the Identity Agent).
Hello,
Kaspars Zibarts: unfortunately we cannot install anything on AD, it's forbidden.
@Christian Stueckrath: yes, I added the corresponding SPN in AD (it is working when I enter my AD login and password manually in the Identity Agent).
You don't need to install anything on the actual domain controller. You add a new Windows machine that runs IDC, and it acts as a "proxy" between the GW and AD, reducing load on both. So yes, you will need at least one (or more, depending on your network) Windows machine (VM or physical) to install IDC.
By doing that we saw an incredible reduction of CPU usage on the gateway and also no more issues with the actual domain controller, as AD Query caused lots of headaches since it used WMI.
Yes, I agree with you. I will present this solution to the client, but the Identity Agent solution has been validated in the CAB and it will be very difficult for the client to roll back :S
Just part of our daily lives; it took us nearly 2 years to get IA running as expected.
Hello,
It was an SPN issue; it is working now. Thank you all for your feedback.
Regards.
What was the SPN issue? Maybe I'm running into the same problem.
Hello,
To check if there is any SPN issue, make a flow capture with Wireshark on your Kerberos server (Active Directory), filter the Kerberos flows, and you will see the error.
Regards.
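As an added illustration of the SPN check described in this reply (not code from the thread or from Check Point), here is a set of commands a domain admin can run on a domain-joined Windows machine to confirm the SPN registration and ticket acquisition before reaching for a packet capture. The SPN value, the service account name and the tshark path are placeholders and assumptions; substitute the SPN you actually registered for the Identity Agent.

```powershell
# Added example, not from the CheckMates thread. Run on a domain-joined Windows host
# as a user allowed to query AD. Placeholders below are assumptions, replace them.
$Spn     = 'HTTP/gateway.example.local'   # ASSUMPTION: placeholder SPN registered for the gateway
$Account = 'svc_identity_agent'           # ASSUMPTION: placeholder AD account the SPN is mapped to

# 1. Is the SPN registered, and registered exactly once? A missing SPN makes the KDC
#    return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; a duplicate SPN on two accounts also breaks SSO.
setspn -Q $Spn

# 2. Which SPNs are mapped to the service account the gateway/agent authenticates against?
setspn -L $Account

# 3. Reproduce the client side: clear cached tickets, request a service ticket for the SPN,
#    then list the cache. If no ticket for $Spn appears, the KDC refused it (see step 4).
klist purge
klist get $Spn
klist

# 4. Packet-level view of the same failure, as suggested in the thread: show only Kerberos
#    messages that carry an error code, from a capture taken on the AD/KDC (or the client).
#    ASSUMPTION: default Wireshark install path; adjust the interface name for your host.
$Tshark = 'C:\Program Files\Wireshark\tshark.exe'
& $Tshark -i 'Ethernet0' -Y 'kerberos.error_code' `
    -T fields -e frame.time -e ip.src -e ip.dst -e kerberos.msg_type -e kerberos.error_code
```

Error code 7 (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) in that output points at a missing or mistyped SPN, while a ticket that is issued but still prompts for credentials usually points at the agent or gateway side rather than AD.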