Unable to add new AD users to user access role aft...

Wang · ‎2019-03-03

Hello, which engineer has encountered this problem, can you help to solve it?

Mark_Mitchell · ‎2019-03-03

Hi Zhen,

Have you tried re-entering the password for the account you are using under the LDAP account unit configuration?

Also the account you are using to access AD is the account unlocked?

Regards

Mark

Wang · ‎2019-03-03

Hi,Mark

Hello, the current password is the password of the account being used, and the account has been unlocked. I can use the remote desktop of windowns to connect to the AD domain server

Regards

Zhen

Mark_Mitchell · ‎2019-03-03

Hi Zhen,

Have you tried re-entering the password into the configuration? Only reason I ask is that I have had similar experiences when pasting a password into the password fields. It populates the field, but actually keeps locking the account out.

It may be worth a shot? Another thing I would look for is the correct entry on the "Login DN" for the account you are using

It may be worth presenting your LDAP account unit config so we can take a look.

From what you have said the account you are using is a domain admin?

Regards

Mark

Wang · ‎2019-03-03

Hi,Mark

Hello, is this way of writing correct?

Regards

Zhen

Mark_Mitchell · ‎2019-03-04

Hi Zhen,

The login DN looks correct. Although I would recommend not using the built in administrator account. I would always create a "service account" for this purpose. That doesn't have more permissions than are needed for the account role.

Did you attempt to re-enter the password?

Regards

Mark

Wang · ‎2019-03-04

Hi,Mark

The password has been reentered,Now this account has been upgraded to have administrator privileges, there is still an error

Regards

Zhen

Mark_Mitchell · ‎2019-03-04

Thanks Zhen. Are there any errors within the logs using the below query.

Blade:"Identity Awareness".

Regards

Mark

Wang · ‎2019-03-04

Hi,Mark

Regards

Zhen

Mark_Mitchell · ‎2019-03-04

Can you confirm that you can perform a native ldap query against the DC outside of Check Point with the account that you are performing the action with?

If you can, this confirms that your AD Domain Controller and account are adequate for LDAP. If the ldap bind fails outside of Check Point, this may indicate an issue with the domain controller.

Regards

Mark

Maarten_Sjouw · ‎2019-03-04

Is there a FW between the management server and the AD server?

Second to that do you have a rule allowing the gateway to access the AD server? As the log says check SK58881.

Last question, is your management a Multi Domain server?

Regards, Maarten

Wang · ‎2019-03-04

Hello, there is no FW between them. Secondly, there are rules that allow gateway to access AD server. Secondly, instead of multi-domain server, a DNS is set up on the server

Maarten_Sjouw · ‎2019-03-04

Has this ever worked?

Does the user have full admin rights? Did anyone change anything there?

Regards, Maarten

Wang · ‎2019-03-05

The user has administrative rights, and nothing else has changed

Mark_Mitchell · ‎2019-03-05

Hi Zhen,

If everything checks on from an Active Directory domain controller point of view and the Check Point configuration is also correct (time, DNS servers, domain) etc. It then may be quicker to raise a call with TAC to investigate further.

Regards

Mark

Wang · ‎2019-03-06

Thank you very much

Sukru_isik · ‎2019-03-04

Can you check the time,are DC and checkpoint times same?

Karel_Mate · ‎2020-07-22

Hi,

Have you resolve this issue? Can you share the solution you have made? My client is experiencing this issue also.

Thanks,

Karel

Are you a member of CheckMates?

Unable to add new AD users to user access role after upgrade to R80.10