Wang
Nickel

Unable to add new AD users to user access role after upgrade to R80.10

Hello, has any engineer encountered this problem? Can you help to solve it?

0 Kudos
16 Replies

Re: Unable to add new AD users to user access role after upgrade to R80.10

Hi Zhen,

Have you tried re-entering the password for the account you are using under the LDAP account unit configuration?

Also, is the account you are using to access AD unlocked?

Regards

Mark

0 Kudos
Wang
Nickel

Re: Unable to add new AD users to user access role after upgrade to R80.10

Hi, Mark

Hello, the current password is the password of the account being used, and the account has been unlocked. I can use the Windows remote desktop to connect to the AD domain server.

Regards

Zhen

0 Kudos

Re: Unable to add new AD users to user access role after upgrade to R80.10

Hi Zhen,

Have you tried re-entering the password into the configuration? The only reason I ask is that I have had similar experiences when pasting a password into the password fields. It populates the field, but actually keeps locking the account out.

It may be worth a shot? Another thing I would look for is the correct entry on the "Login DN" for the account you are using.

It may be worth presenting your LDAP account unit config so we can take a look.

From what you have said, the account you are using is a domain admin?

Regards

Mark

0 Kudos
Wang
Nickel

Re: Unable to add new AD users to user access role after upgrade to R80.10

Hi, Mark

Hello, is this way of writing correct?

Regards

Zhen

0 Kudos

Re: Unable to add new AD users to user access role after upgrade to R80.10

Hi Zhen,

The login DN looks correct, although I would recommend not using the built-in administrator account. I would always create a "service account" for this purpose, one that doesn't have more permissions than are needed for the account role.

Did you attempt to re-enter the password?

Regards

Mark

0 Kudos
Wang
Nickel

Re: Unable to add new AD users to user access role after upgrade to R80.10

Hi, Mark

The password has been re-entered. Now this account has been upgraded to have administrator privileges, but there is still an error.

Regards

Zhen

 

0 Kudos

Re: Unable to add new AD users to user access role after upgrade to R80.10

Thanks Zhen. Are there any errors within the logs using the below query?

Blade:"Identity Awareness".

Regards

Mark

0 Kudos
Wang
Nickel

Re: Unable to add new AD users to user access role after upgrade to R80.10

Hi, Mark

Regards

Zhen

0 Kudos

Re: Unable to add new AD users to user access role after upgrade to R80.10

Can you confirm that you can perform a native LDAP query against the DC outside of Check Point with the account that you are performing the action with?

If you can, this confirms that your AD Domain Controller and account are adequate for LDAP. If the LDAP bind fails outside of Check Point, this may indicate an issue with the domain controller.

Regards

Mark

0 Kudos

Re: Unable to add new AD users to user access role after upgrade to R80.10

Is there a FW between the management server and the AD server?

Second to that, do you have a rule allowing the gateway to access the AD server? As the log says, check SK58881.

Last question, is your management a Multi Domain server?

Regards, Maarten
Wang
Nickel

Re: Unable to add new AD users to user access role after upgrade to R80.10

Hello, there is no FW between them. Secondly, there are rules that allow the gateway to access the AD server. Secondly, instead of a multi-domain server, a DNS is set up on the server.

0 Kudos

Re: Unable to add new AD users to user access role after upgrade to R80.10

Has this ever worked?

Does the user have full admin rights? Did anyone change anything there?

Regards, Maarten
0 Kudos
Wang
Nickel

Re: Unable to add new AD users to user access role after upgrade to R80.10

  • The user has administrative rights, and nothing else has changed

0 Kudos

Re: Unable to add new AD users to user access role after upgrade to R80.10

Hi Zhen, 

If everything checks out from an Active Directory domain controller point of view and the Check Point configuration is also correct (time, DNS servers, domain, etc.), it may then be quicker to raise a call with TAC to investigate further.

Regards

Mark

0 Kudos
Wang
Nickel

Re: Unable to add new AD users to user access role after upgrade to R80.10

Thank you very much

0 Kudos
Sukru_isik
Nickel

Re: Unable to add new AD users to user access role after upgrade to R80.10

Can you check the time? Are the DC and Check Point times the same?

0 Kudos