Unable to add new AD users to user access role after upgrade to R80.10

Hello, which engineer has encountered this problem, can you help to solve it?

0 Kudos
16 Replies

Hi Zhen,

Have you tried re-entering the password for the account you are using under the LDAP account unit configuration?

Also the account you are using to access AD is the account unlocked?

Regards

Mark

0 Kudos

Hi, Mark

Hello, the current password is the password of the account being used, and the account has been unlocked. I can use Windows Remote Desktop to connect to the AD domain server.

Regards

Zhen

0 Kudos

Hi Zhen,

Have you tried re-entering the password into the configuration? Only reason I ask is that I have had similar experiences when pasting a password into the password fields. It populates the field, but actually keeps locking the account out.

It may be worth a shot? Another thing I would look for is the correct entry on the "Login DN" for the account you are using 

It may be worth presenting your LDAP account unit config so we can take a look. 

From what you have said the account you are using is a domain admin? 

Regards

Mark

0 Kudos

Hi, Mark

Hello, is this way of writing correct?

Regards

Zhen

0 Kudos

Hi Zhen,

The login DN looks correct, although I would recommend not using the built-in administrator account. I would always create a "service account" for this purpose that doesn't have more permissions than are needed for the account role.

Did you attempt to re-enter the password?

Regards

Mark

0 Kudos

Hi, Mark

The password has been re-entered. Now this account has been upgraded to have administrator privileges, but there is still an error.

Regards

Zhen

0 Kudos

Thanks Zhen. Are there any errors within the logs using the below query?

Blade:"Identity Awareness".

Regards

Mark

0 Kudos

Hi, Mark

Regards

Zhen

0 Kudos

Can you confirm that you can perform a native ldap query against the DC outside of Check Point with the account that you are performing the action with?

If you can, this confirms that your AD Domain Controller and account are adequate for LDAP. If the ldap bind fails outside of Check Point, this may indicate an issue with the domain controller. 

Regards

Mark

0 Kudos
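One way to run the bind test Mark describes from any host, added here as an example; it is not code from the thread or from Check Point. It speaks LDAPv3 directly with the Python standard library (no python-ldap), which also exposes what the domain controller actually sends back: resultCode 49 (invalidCredentials) for a failed simple bind, with Active Directory's sub-code in the diagnostic message (data 52e is a wrong password, data 775 is a locked-out account, data 532 an expired password, and so on). That sub-code is what tells "the password is wrong" apart from "the account keeps getting locked", the ambiguity discussed above. The host, Login DN and password in the usage line are placeholders; the sample responses at the bottom are constructed to mirror AD's message format so the decoder can be checked offline; `looks_like_dn` is a sanity check that the Login DN is written as a DN rather than as user@domain or DOMAIN\user.

```python
# Added example (not from the thread or Check Point): LDAP simple bind test, stdlib only.
# Host, Login DN and password are illustrative; the sample responses below are constructed.
import re
import socket
import ssl
import sys

DN_RE = re.compile(r"^(?:[A-Za-z]+=[^,]+)(?:,[A-Za-z]+=[^,]+)+$")

def looks_like_dn(login_dn):
    """Shape check: 'CN=...,DC=...' rather than 'user@domain' or 'DOMAIN\\user' (escaped commas not handled)."""
    return bool(DN_RE.match(login_dn.strip()))

# --- minimal BER encoding (LDAP, RFC 4511, is BER-encoded ASN.1) ---
def ber_len(n):
    """BER length: one byte below 128, else 0x80|count followed by big-endian length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content

def build_bind_request(msg_id, login_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }; msg_id < 128."""
    bind = (tlv(0x02, bytes([3]))                  # version INTEGER 3
            + tlv(0x04, login_dn.encode())         # name LDAPDN (OCTET STRING)
            + tlv(0x80, password.encode()))        # authentication: simple [0]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))  # BindRequest [APPLICATION 0]

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _msg_id, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse, tag 0x%02x" % op_tag)
    _, rc, pos = _read_tlv(op, 0)                  # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)                # diagnosticMessage
    return int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")

# Active Directory appends "data <sub-code>" to the diagnostic of resultCode 49 (invalidCredentials).
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

def explain(result_code, diag):
    if result_code == 0:
        return "bind OK"
    m = re.search(r"\bdata ([0-9a-f]+)\b", diag)
    reason = AD_SUBCODES.get(m.group(1)) if m else None
    return "bind failed (resultCode %d): %s" % (result_code, reason or diag or "no diagnostic")

def ldap_simple_bind(host, login_dn, password, port=389, use_tls=False, timeout=5):
    """Connect, send one BindRequest, return (resultCode, diagnostic, explanation)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:   # LDAPS (port 636); needed when the DC enforces signing/channel binding
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_bind_request(1, login_dn, password))
        data = sock.recv(4096)                     # a BindResponse is far smaller than this
    rc, diag = parse_bind_response(data)
    return rc, diag, explain(rc, diag)

# Constructed sample responses in AD's message format, so the decoder can be run offline.
def _sample_response(result_code, diag):
    op = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61, op))
SAMPLE_OK = _sample_response(0, "")
SAMPLE_LOCKED_OUT = _sample_response(
    49, "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580")
SAMPLE_BAD_PASSWORD = _sample_response(
    49, "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580")

if __name__ == "__main__":
    # usage: python ldap_bind_test.py dc01.example.com "CN=svc-checkpoint,CN=Users,DC=example,DC=com" 'P@ss'
    host, dn, pw = sys.argv[1:4]
    if not looks_like_dn(dn):
        sys.exit("Login DN does not look like a DN: %r" % dn)
    print(ldap_simple_bind(host, dn, pw)[2])
```

A simple bind on port 389 sends the password in the clear, so run it over LDAPS (`use_tls=True`, port 636) or only against a lab DC, and keep the attempts few: every failed bind counts towards the lockout threshold, which is the same effect Mark saw with a mis-pasted password. A run that returns "account locked out" rather than "wrong password" means the stored password is wrong somewhere and the lockout is a consequence, not the cause.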
Is there a FW between the management server and the AD server?

Second to that, do you have a rule allowing the gateway to access the AD server? As the log says, check SK58881.

Last question, is your management a Multi Domain server?

Regards, Maarten

Hello, there is no FW between them. Secondly, there are rules that allow the gateway to access the AD server. Thirdly, it is not a multi-domain server; a DNS is set up on the server.

0 Kudos

Has this ever worked?

Does the user have full admin rights? Did anyone change anything there?

Regards, Maarten
0 Kudos

  • The user has administrative rights, and nothing else has changed

0 Kudos

Hi Zhen, 

If everything checks out from an Active Directory domain controller point of view and the Check Point configuration (time, DNS servers, domain, etc.) is also correct, it may then be quicker to raise a call with TAC to investigate further.

Regards

Mark

0 Kudos

Thank you very much

0 Kudos

Can you check the time? Are the DC and Check Point times the same?

0 Kudos