Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
dehaasm
Collaborator

Identity awareness collector changes user identity for same IP while connecting to RDP

Hi All we have something strange with Identity Awareness collector installed on server, let me explain;

A client with IP 10.0.0.1 (example) connects to the gateway and the Idenitity awareness collector identifies the user as nick. When the same user/client IP established a RDP connection to external server 192.168.1.1 (example) and logs into that remote server as nick-admin the gateway receives an identity update from the identity awareness collector indicating that 10.0.0.1 is nick-admin which is obviously not correct. We would expect the external server IP 192.168.1.1 to be nick-admin and the 10.0.0.1 to remain nick.

How is this possible that the IA collector is identifying the user incorrectly on the laptop?

note: this issue is easy to reproduce and I wonder if we need to open TAC case and/or understand if there is somehing we need to adjust on the IA collector?

0 Kudos
(1)
29 Replies
Chris_Atkinson
Employee Employee
Employee

Within the Identity Collector Advanced configuration how is the following option currently set?

"Ignore RDP events"

Also which IDC version is installed?

 

Refer also:

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_IdentityAwareness_AdminGuide...

CCSM R77/R80/ELITE
0 Kudos
dehaasm
Collaborator

Hi Chris,

Yes it is enabled see screenshot and we have build 81.0.40.0000, should we open TAC case as it is not behaving "as designed" correct?

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Based on the limited info available I would say it warrants an SR with TAC for further investigation, yes.

CCSM R77/R80/ELITE
0 Kudos
dede79
Contributor

Hello,

I have excatly the same issue that the identity of the remotedesktop client is change with the user that is used for rdp.

I have the setting enabled but it says that it is only relevant for "RDP to Domain Controllers" - in my case we have RDP to clients and various servers.

Can this event be filtered in any other way?

0 Kudos
Jimmy_Noel
Participant

Are there any updates in this case?
We have the same problem. RDP-Login triggers an Eventlog (Event ID 4769) for the local IP and remote User.
(We have IC Build 81.028.0000, with enabled option "Ignore events of RDP to Domain Controllers")
Is there any possibility to ignore this event id?

0 Kudos
RK91
Explorer

Hi Any News? We have the same issue.  RDP login to a remote Server triggers an Login Event on the RDP Client

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Sorry I'm not aware of the outcome of the above.

If you are seeing issues with IDC R81.069.0000 please report the problem to TAC.

CCSM R77/R80/ELITE
0 Kudos
dehaasm
Collaborator

Hi Guys it was some time ago but we never resolved the issue, I didn't escalate it to TAC but I believe that is the right thing to do for this.

0 Kudos
RK91
Explorer

Hi dehaasm, do you escaltet it ? 

Thanks & regards

0 Kudos
CheckPointerXL
Advisor
Advisor

are you running latest IDC version? i've just upgraded from a very old version and no more rdp events are triggered

0 Kudos
RK91
Explorer

we are running Build: 81.069.0000 

0 Kudos
RK91
Explorer

Always when I log in from the Source "host A" (logged in with User A)  to a Destination "host B" (with user B), it also triggers an login on "host A" with "user B". That is very annoying.

After some time or do some work or lock "host A" and unlock "host A" with "user A" it triggers the login agian back to "user A"

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee

As above if you already have the "Ignore RDP events" option configured and are using IDC 81.069.0000 I would recommend engaging with TAC to troubleshoot the issue.

CCSM R77/R80/ELITE
0 Kudos
Daniel_Hainich
Collaborator

i have the same Problem. problem still exists in IDC 81.069.0000 and also R82.002.0000. Checkbox for ignoring RDP-Events is checked. 

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Is it for a terminal server or a standard PC ?

For non-DC machines you would typically explore either configuring an exclusion or use of the terminal server / MUH identity agent.

CCSM R77/R80/ELITE
0 Kudos
Daniel_Hainich
Collaborator

this is for all rdp-connections. either to an pc or an server. if i open the windows rdp-client and connect to an rdp-enabled windows-device, the identity of my local device is changed to the user which iam using for remote access.

event type 10 is logged within domain-controller, but not filtered from identity collector.

0 Kudos
dehaasm
Collaborator

yes correct i had the same issue as you described it is probably a bug

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Are you certain that the event type 10 is seen at the DC level and not just at the endpoint itself?

CCSM R77/R80/ELITE
0 Kudos
Daniel_Hainich
Collaborator

hi, yes i can confirm that logontype 10 is generated on DC.

0 Kudos
Chris_Atkinson
Employee Employee
Employee

For awareness Harmony Endpoint will also provide an option for overcoming such scenarios in future.

CCSM R77/R80/ELITE
0 Kudos
Daniel_Hainich
Collaborator

nice, but its not an solution for the identity collector. i opened an support case. 

0 Kudos
RK91
Explorer

OK, thank you, let us know if you have any news about this, we would certainly be interested in that too - because the problem is really very annoying

0 Kudos
Daniel_Hainich
Collaborator

the case was escalated to an TAC for further assistance... stay tuned!

0 Kudos
PhoneBoy
Admin
Admin

The problem is that these events are seen in AD...which is consumed by IDC...and we see them.
To the best of my knowledge, there is currently no way for us to differentiate these events in IDC.
Therefore, the problem you have.

In the future, using Infinity Identity, we will be able to handle this use case.
Specifically, it will require an agent (Harmony Endpoint in the EA, others in the future) that will see the Type 10 login event on the Endpoint itself...and properly ignore it. 

Hopefully I explained this right @Royi_Priov 🙂 

Daniel_Hainich
Collaborator

hi dameon,

from checkpoint idc adv. config guide:

 

Ignore RDP events

During Remote Desktop login, two login events occur in the Domain Controller. The two login events have the same username but two different IP addresses: the computer where the user logs in and the computer that the user accesses remotely.

In this option, the Identity Collector ignores the IP address of the computer where the user logs in because it is redundant. This is the default option.

The Event ID of the ignored event is 4624.

The Type of the ignored event is 10.

 

so why the event id and logon typ is not ignored? whats the function of this option?

0 Kudos
RK91
Explorer

Yes then I don't know why the option "ignore RDP events" even exists?

0 Kudos
PhoneBoy
Admin
Admin

I'm guessing the reason this new functionality is being developed is because this isn't sufficient in all cases.

Have you confirmed that you are receiving an event ID of 4624 of type 10?
If so, then you should open a TAC case.

 

0 Kudos
Daniel_Hainich
Collaborator

Hi, here is the answer from Checkpoint.

 


There is no possibility to ignore all RDP events (only RDP for the DC side) while using the Identity collector.
 
You can try to use an identity agent as a workaround which is not based on events.

 
I'm proceeding with closing this service request as there is no technical issue and this is an expected behavior.
If you require any assistance with the identity agent - you can contact your local office for further assistance.

 

i dont know why they wont ignore all event ID of 4624 of type 10. this shouldnt be a huge problem. why only for rdp to dc´s?

iam trying to escalate my ticket.

0 Kudos
RK91
Explorer

OK, thanks, let us know if anything happens - in my opinion it should be possible to ignore these events without any problems. Above all, the problem can actually be reproduced.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events