This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Stuart_Green
Collaborator
‎2019-01-30 09:52 AM

Endpoint AD Authentication - Server 2016+

From the Endpoint Security Management Server R80.20 Administration Guide there's a process to get AD ready for kerberos authentication which looks like:

Running this on Server 2016 doesn't work as the command errors out with the following:

Targeting domain controller: domaincontroller.domain.com
Failed to retrieve values for property ?????????: 0x10.
Failed to set property 'servicePrincipalName' to 'cpepauthsrv/domain.com' on Dn 'CN=Check Point Endpoint Authentication,OU=Service Accounts,DC=domain,DC=com': 0x32.
WARNING: Unable to set SPN mapping data.
If cpepauth already has an SPN mapping installed for cpepauthsrv/domain.com, this is no cause for concern.
Failed to retrieve user info for cpepauth: 0x5.
Aborted.

What needs changing in order to make this work on Server 2016?

TIA

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2019-02-01 05:41 PM

Best to open a TAC case on this.

How To Open a Case with TAC and/or Account Services

Stuart_Green
Collaborator
‎2019-02-03 08:52 AM
In response to PhoneBoy

Cheers Dameon.  SR raised.

0 Kudos
Maksym_Sofer
Employee Alumnus
Employee Alumnus
‎2019-02-04 06:51 AM

As KTPASS is a Microsoft tool, I strongly suggest consulting with Microsoft support regarding this matter.

0 Kudos
Stuart_Green
Collaborator
‎2019-02-04 07:04 AM
In response to Maksym_Sofer

Then again, considering that Endpoint apparently needs this to be working, it's certainly an idea for this issue to be flagged up in this community so that we can share the solution, isn't it?  Fobbing it off as "a Microsoft issue" doesn't really cure the problem or help anyone else who has the same problem...

0 Kudos
Stuart_Green
Collaborator
‎2019-02-04 07:06 AM
In response to Maksym_Sofer

To add further clarification, it looks like Server 2016 needs more parameters than detailed in the Admin Guide so knowing what they need to be might be helpful...

0 Kudos
Maksym_Sofer
Employee Alumnus
Employee Alumnus
‎2019-02-04 08:40 AM
In response to Stuart_Green

My point was to get details from Microsoft as it can be much faster for the direct customer.

We will contact the development team for clarifications regarding this matter too.

0 Kudos
Stuart_Green
Collaborator
‎2019-02-04 09:17 AM
In response to Maksym_Sofer

No problem.

I do think there's a simple solution, though.  I've added this on to the sk but it seems that UAC could be causing the problem on Server 2016.  Running the following command:

   ktpass /princ cpepauthsrv/cpepauth.domain.com@DOMAIN.COM /mapuser cpepauth@DOMAIN.COM /pass C00l!Password /out cpepauth.keytab

under a command prompt which had been executed with the option "Run as Administrator" generated the following output:

Targeting domain controller: Dc1.domain.com
Successfully mapped cpepauthsrv/cpepauth.domain.com to cpepauth.
Password successfully set!
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to cpepauth.keytab:
Keytab version: 0x502
keysize 85 cpepauthsrv/cpepauth.domain.com@DOMAIN.COM ptype 0 (KRB5_NT_UNKNOWN) vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0x95352e2ef03ebd4a5de4c2a922432bc1)

which follows the output of the Admin Guide more closely.

Note that the switch format in the command with the preceding '/' was taken from a Microsoft TechNet article.

0 Kudos
Maksym_Sofer
Employee Alumnus
Employee Alumnus
‎2019-02-05 01:22 AM

First of all, thank you for your time to check this.

The found changes in command and requirement to use elevated command prompt looks legit to us.

We checked with the development team regarding this - and they have confirmed that after applying the above changes, authentication should work properly.

Warning from the output of the ktpass command should be ignored.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events