Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Moudar
Advisor

Identity Awareness and AD

Hi

I am trying the Identity Awareness blade in my lab. when activating the Identity Awareness blade it says "Domain administrator credentials are required"

The AD account I am using to do that is a domain administrator, but even though i get this: "Standard user cerdentials"!

awareness1.JPG

 

These are the groups that the AD account is member of:

awareness2.JPG

What do I miss here?

0 Kudos
11 Replies
Moudar
Advisor

I wonder why no one is looking at my problem!!

0 Kudos
ikafka
Collaborator

Hi @Moudar 

 

Maybe you can check this page.

Identity Awernes Admin Guide 

"Important - For AD Query you must enter domain administrator credentials. For Browser-Based Authentication standard credentials are sufficient."

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Which Version/Jumbo & SmartConsole build is used in this environment?

Have you already performed troubleshooting such as sk91040?

Note Identity Collector (rather than ADquery) is the current recommended method for integrating AD with Identity Awareness.

CCSM R77/R80/ELITE
Moudar
Advisor

I am using this version:

 show version all
Product version Check Point Gaia R81.20
OS build 631
OS kernel version 3.10.0-1160.15.2cpx86_64
OS edition 64-bit

when I run: "adlog a dc" I get this:

[Expert@A-GW-01:0]# adlog a dc
Domain controllers:
Domain Name               IP Address                Events (last hour)   Connection state
============================================================================================================
a-ldap.a-ldap.lab         192.168.11.101            0                    connection had internal error [ntstatus = 0x80010111]

Ignored domain controllers on this gateway:
No ignored domain controllers found.

I am 100% sure that the user is domain admin and the password is right!!

0 Kudos
Don_Paterson
Advisor
Advisor

Hi Chris,
Is that recommended (or Best Practice maybe) documented anywhere, so that you can share a link or SK?

I agree with you but want to see if R&D have documented it anywhere.

Don

 

0 Kudos
PhoneBoy
Admin
Admin

Pretty sure this is expected behavior in modern environments.
See: https://support.checkpoint.com/results/sk/sk91462
Specifically, if NTMLv2 is enabled (which is the default) this wizard will fail.

Moudar
Advisor

adlogconfig a

 - No configuration exists


[ ] Override configuration
   [ ] Enable Adlog
      [ ] Enable log for login or logoff
      [ ] Use log original creation time
          Association timeout                : 0
          Full Name Query Interval (days, 0=disabled) : 0
          Full Name Fetch Hour               : 0
          Multi-user host Detection Threshold: 7
          Revoked user timeout interval      : 14400
      [X] Enable Multi-User Host persistence DB
          Multi-User Host persistence machine timeout (minutes): 2592000
          Service Account Detection Threshold: 10
      [ ] Automatically Exclude Service Accounts
[ ] Override default communication parameters
          Query Within count                 : 0
          Query Max returned objects in each iteration: 0
[X] Disable password expiration check
[ ] Authentication mode
   [ ] Use NTLMv1
   [X] Use NTLMv2
[ ] Single User Assumption
[ ] Don't report machines
[X] LDAP groups update notifications
          Notifications accumulation time    : 10 (sec)
      [X] Notify only user-related LDAP changes
[ ] Prefer IPv6 DC addresses
[1] WMI query Type

As you can see NTLMv2 is enabled.

I will follow sk91462 and come back with results

0 Kudos
Moudar
Advisor

adlogconfig a


[ ] Override configuration
   [ ] Enable Adlog
      [ ] Enable log for login or logoff
      [ ] Use log original creation time
          Association timeout                : 0
          Full Name Query Interval (days, 0=disabled) : 0
          Full Name Fetch Hour               : 0
          -------------------
          Domain name                        : A-LDAP.lab
          Username                           : moudar
          Domain Controllers                 : A-LDAP.A-LDAP.lab
          -------------------
          Multi-user host Detection Threshold: 7
          Revoked user timeout interval      : 14400
      [X] Enable Multi-User Host persistence DB
          Multi-User Host persistence machine timeout (minutes): 2592000
          Service Account Detection Threshold: 10
      [ ] Automatically Exclude Service Accounts
[ ] Override default communication parameters
          Query Within count                 : 0
          Query Max returned objects in each iteration: 0
[X] Disable password expiration check
[ ] Authentication mode
   [X] Use NTLMv1
   [ ] Use NTLMv2
[ ] Single User Assumption
[ ] Don't report machines
[X] LDAP groups update notifications
          Notifications accumulation time    : 10 (sec)
      [X] Notify only user-related LDAP changes
[ ] Prefer IPv6 DC addresses
[1] WMI query Type
 adlogconfig a -test A-LDAP.lab
Testing A-LDAP.A-LDAP.lab:      Internal Error

Now I am using NTLMv1 but still have problem with Identity Awareness Configuration wizard:

identity.JPG

0 Kudos
PhoneBoy
Admin
Admin

I don’t believe the wizard supports LDAPS either, which I assume modern AD servers require. 
However the wizard is not required to configure Identity Awareness. 

0 Kudos
Moudar
Advisor

I became sick of trying to use AD query. 

Now I am using Identity collector and it is running well. But I needed to follow sk113021 to make it connect to the VIP.

0 Kudos
cassiomaciel
Contributor
Contributor

Hi, 

Did you try  to use command test_ad_ connectivity from gateway? 

I suggest to review or create the domain object directly. 

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events