RemoteUser
Advisor

Question about VPN authentication

Hi mates,

I have a question: is it possible to configure a VPN gateway so that it authenticates users based on PN (Principal Name) instead of DN (Distinguished Name)?

If so, could you please advise how this can be configured?

Thanks in advance.

0 Kudos
18 Replies
simonemantovani
Collaborator

Hello

Did you try looking at the Multiple Login Options within the authentication section of the VPN Clients configuration for the gateway?

You should be able to authenticate users through UPN, check it if it could solve your problem.

0 Kudos
RemoteUser
Advisor

From here right?
DN.png

0 Kudos
Martijn
Advisor

Hi,

Go to VPN Clients -> Authentication.

Add or Edit the Multiple Login Options. 'Username Password' might be there already.
Edit 'Username Password' and select 'User Directories' in the left pane.

Below you can select the 'Common Lookup Type' and set this to UPN.

Martijn

0 Kudos
RemoteUser
Advisor

What is the difference between Login Options and User Directories?
If I select a Login Option and edit the Personal Certificate, isn't that the same thing? Or are they two different things?


0 Kudos
simonemantovani
Collaborator

It depends on how you want to authenticate the user; in the case of User Directories the user is authenticated against an external authentication server; Personal Certificate means that you're trying to authenticate using a certificate.

In your case, what is the scenario?

0 Kudos
RemoteUser
Advisor

In my case, the users connect using a CAPI certificate.

0 Kudos
Martijn
Advisor

Hi,

The Login Option is what kind of authentication is supported. Personal Certificate, Username and Password or Dynamic ID. 
And in which order they must be placed.

So Username and Password can be the first login option, followed by Dynamic ID.

In User Directories, you configure what to look for when a user logs in. SAM Account name, DN or UPN.

Martijn

0 Kudos
RemoteUser
Advisor

So if I want to change the login option from DN to UPN, I must do that under User Directories and not Login Option?
Right?

0 Kudos
Martijn
Advisor

Yes, that's where I would start.

0 Kudos
RemoteUser
Advisor

Hi @Martijn 
Just for your information, I reviewed the documentation:

It explains that when selecting Personal Certificate as a login option, you can configure what information the Security Gateway sends to the LDAP server to parse the certificate. By default, it uses the DN, but it can also be configured to use the user’s email address or serial number instead.

The documented steps are:

  1. In the Multiple Authentication Clients Settings table on the Authentication page, select a Personal_Certificate entry and click Edit.

  2. In the Authentication Settings section, under Fetch Username from, select the information the Security Gateway should use to parse the certificate.

  3. Click OK.

  4. Install the policy.

There is no mention of changes required in the User Directories. Does that make sense?

simonemantovani
Collaborator

Probably because it uses the default configuration in "User Directories", which is Automatic Configuration (rather than selecting precisely which type of user directory to use).

In any case it makes sense; alternatively you could select Manual Configuration, select the LDAP users option, and also select the right LDAP Lookup Type (for example Email Address, which is usually the same as the UPN).

0 Kudos
the_rock
MVP Diamond

Hey brother,

Were you able to sort this out?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
RemoteUser
Advisor

Hi Andy,

How are you?

To be honest, I’m even more confused now. I reached out to TAC and they gave me a completely different answer, which is the following: (OpenOptional - UPN with Machine Certificate)
https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_RemoteAccessVPN_AdminGuide/Content...

0 Kudos
the_rock
MVP Diamond

I'm good! How are you?

But wait, you don't want to do certificate auth, do you?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
RemoteUser
Advisor

I'm fine Andy, thank you.
Let me explain:

AUTHENTICATION in our case takes place in two ways: either through MFA or through CAPI certificate authentication.

However, in this specific case, we want the Gateway to perform the user validation based on the UPN (User Principal Name) instead of the DN (Distinguished Name) when using CAPI certificate authentication.

0 Kudos
the_rock
MVP Diamond

Ah, I get it now! So what TAC sent seems right, but I could not see in that link the exact method you want to implement. Let me do some more research and see what I can find for you.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
RemoteUser
Advisor

In the link that I sent, TAC told me it's point 6.

0 Kudos
the_rock
MVP Diamond

Got it! I just ran this through AI and below is what it gave me:

***************************************************************

Method: Configure UPN Mapping in the Certificate

1. Ensure the certificate contains the UPN

The user certificate must include the UPN in the Subject Alternative Name (SAN) field.

Typical format:

 
Subject Alternative Name:
Other Name: UPN=user@domain.com
 

If the certificate does not contain this, the gateway cannot map it.


2. Configure the Identity Source to Use UPN

In SmartConsole:

  1. Go to
    Gateway → Identity Awareness

  2. Under Authentication Methods, open the settings for Certificate (CAPI).

  3. Configure User Name Extraction to use:

 
Subject Alternative Name → UPN
 

instead of:

 
Subject DN
 

3. Ensure AD Identity Source Supports UPN Lookup

Your Active Directory identity source must allow lookup by userPrincipalName.

This normally works automatically if the AD query account is configured.


4. Optional: Configure LDAP Mapping

If the gateway still attempts DN matching, verify the LDAP attribute mapping:

 
userPrincipalName
 

instead of:

 
distinguishedName
 

How the Flow Works After the Change

  1. User connects to the gateway.

  2. Client presents certificate.

  3. Gateway extracts:

 
UPN = user@domain.com
 
  4. Gateway queries AD:

 
(userPrincipalName=user@domain.com)
 
  5. Identity Awareness maps the user successfully.


Quick Verification

On the gateway CLI you can check identities with:

 
pdp monitor all
 

or

 
pep show user all
 

This will show whether the username is being mapped as UPN or DN.


💡 Important:
Many issues occur because the certificate contains the UPN in SAN but the gateway still reads the Subject DN, so confirming the SAN extraction setting is key.


If you'd like, I can also show you:

  • the exact SmartConsole menu path and screenshots for this setting

  • the Check Point sk article references that explain the UPN certificate mapping (these are not very obvious in the documentation).

 
yes please
 

Great — I’ll show you what it looks like in the GUI and the relevant Check Point documentation references so you can verify the configuration.


1. SmartConsole Configuration (UPN instead of DN)

In Check Point SmartConsole, the setting is under the gateway’s Remote Access / Identity configuration.

Path

 
Gateway Object
→ Remote Access VPN
→ Authentication
→ Login Options (Realm)
 

Inside the Login Option / Realm used for certificate authentication:

Certificate Username Extraction

Set:

 
Fetch username from:
Subject Alternative Name → UPN
 

Instead of:

 
Subject DN
 

LDAP Lookup Type

Under User Directories in the same Login Option:

 
Common Name Lookup Type:
User-Principal-Name (UPN)
 

instead of:

 
Distinguished Name
 

2. What the Certificate Must Contain

The certificate must include UPN in the SAN field.

Example:

 
Subject:
CN = John Doe

Subject Alternative Name:
Other Name: Principal Name = john.doe@company.com
 

Authentication flow becomes:

 
Certificate → extract UPN from SAN
UPN = john.doe@company.com

LDAP query:
(userPrincipalName=john.doe@company.com)
 

UPN-based mapping relies on the SAN field, which is the standard way to map certificates to AD users.


3. Known Behavior / Gotcha in Check Point

There is a common issue where Identity Awareness / PDP still uses the default realm, ignoring custom parsing rules.

This happens when:

  • Login Option parsing rules were changed

  • But the PDP still references the default "vpn" realm

This behavior is documented in Check Point bug tracking related to certificate parsing rules for UPN extraction.

In those cases:

  • The gateway extracts the UPN

  • But LDAP lookup still happens using DN


4. Debug Commands (Very Useful)

On the Check Point Gaia OS gateway:

See extracted identity

 
pdp monitor all
 

Show authenticated users

 
pep show user all
 

Identity awareness debugging

 
pdp debug on
 

Logs appear in:

 
/var/log/pdp/
 

Look for lines like:

 
Extracted username from certificate: user@domain.com
LDAP lookup attribute: userPrincipalName
 

5. SK Articles Worth Checking

These are the most relevant Check Point Software Technologies knowledge articles for this topic:

  • sk61060 – Certificate authentication with LDAP

  • sk172319 – Identity Awareness certificate authentication troubleshooting

  • sk174084 – Realm parsing rules ignored for certificate authentication

  • sk113410 – VPN certificate authentication with LDAP


6. Quick Troubleshooting Checklist

If UPN mapping fails, check:

✔ Certificate SAN contains UPN
✔ Login Option extracts SAN → UPN
✔ LDAP lookup type = userPrincipalName
✔ Correct Login Option / Realm used by gateway
✔ AD user attribute userPrincipalName matches certificate

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
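The thread keeps coming back to the same two requirements from the checklist above: the certificate's SAN must actually carry the UPN in the Microsoft otherName form, and the directory lookup must then query userPrincipalName rather than DN or mail. The following is an added example written for this page; it is not code from the thread, from Check Point, or from any sk article. Using only the Python standard library, it encodes the SubjectAltName value (GeneralNames) with a UPN otherName, parses the UPN back out the way a "Fetch username from: SAN -> UPN" step has to, builds the (userPrincipalName=...) filter with RFC 4515 escaping, and runs it against a constructed AD entry whose mail attribute deliberately differs from its UPN. The OID 1.3.6.1.4.1.311.20.2.3 is the well-known Microsoft UPN otherName type; the SAMPLE_AD record and the names in it are made up for the demonstration.

```python
# Added example, not from the thread or from Check Point. Pure standard library.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"  # Microsoft szOID_NT_PRINCIPAL_NAME (UPN otherName type-id)

def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    """One DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body

def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last octet
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def san_general_names(upn=None, email=None):
    """DER GeneralNames, i.e. the SAN extension value. otherName is [0] IMPLICIT
    SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }; rfc822Name is [1] IA5String."""
    names = b""
    if upn:
        value = der_tlv(0xA0, der_tlv(0x0C, upn.encode("utf-8")))
        names += der_tlv(0xA0, der_oid(UPN_OID) + value)
    if email:
        names += der_tlv(0x81, email.encode("ascii"))
    return der_tlv(0x30, names)

def der_children(buf):
    """Yield (tag, body) for each element inside a DER constructed body."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + length]
        i += length

def oid_to_str(body):
    """Decode DER OID content octets back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def extract_upn(san_der):
    """Return the UPN carried in a SAN otherName, or None when the certificate has
    no UPN at all (the case in which the gateway cannot map the user via UPN)."""
    for tag, names in der_children(san_der):
        if tag != 0x30:
            continue
        for name_tag, name in der_children(names):
            if name_tag != 0xA0:        # only otherName entries are candidates
                continue
            parts = list(der_children(name))
            if len(parts) != 2:
                continue
            (t_oid, oid), (t_val, val) = parts
            if t_oid == 0x06 and oid_to_str(oid) == UPN_OID and t_val == 0xA0:
                for t_str, s in der_children(val):
                    if t_str == 0x0C:
                        return s.decode("utf-8")
    return None

def ldap_escape(value):
    """RFC 4515 escaping so a string taken from a certificate cannot change the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def upn_filter(upn):
    return "(userPrincipalName=%s)" % ldap_escape(upn)

# Constructed AD entry (sample data, not a real account). mail differs from the UPN on
# purpose: an "Email Address" lookup type misses it, a UPN lookup type finds it.
SAMPLE_AD = [{
    "distinguishedName": "CN=John Doe,OU=Users,DC=company,DC=com",
    "userPrincipalName": "john.doe@company.com",
    "mail": "jdoe@company.com",
}]

def find_user(entries, attribute, value):
    """Case-insensitive equality match, which is how the lookup-type filter behaves."""
    return [e for e in entries if e.get(attribute, "").lower() == value.lower()]

if __name__ == "__main__":
    san = san_general_names(upn="john.doe@company.com", email="jdoe@company.com")
    upn = extract_upn(san)
    print("SAN DER :", san.hex())
    print("UPN     :", upn, "->", upn_filter(upn))
    print("UPN lookup :", find_user(SAMPLE_AD, "userPrincipalName", upn))
    print("mail lookup:", find_user(SAMPLE_AD, "mail", upn))
```

Running it prints the encoded SAN, the extracted UPN with its filter, one hit for the userPrincipalName lookup and none for the mail lookup. The same `extract_upn` logic applied to the SAN extension value of a real certificate (after stripping the outer OCTET STRING) tells you whether item 1 of the checklist is satisfied before you touch the gateway; the escaping in `ldap_escape` is the part worth keeping whenever a certificate field is turned into an LDAP query.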
