Moudar
Advisor

Identity Awareness and AD

Hi

I am trying the Identity Awareness blade in my lab. When activating the Identity Awareness blade it says "Domain administrator credentials are required".

The AD account I am using to do that is a domain administrator, but even so I get this: "Standard user credentials"!

awareness1.JPG


These are the groups that the AD account is member of:

awareness2.JPG

What am I missing here?

0 Kudos
11 Replies
Moudar
Advisor

I wonder why no one is looking at my problem!!

0 Kudos
ikafka
Collaborator

Hi @Moudar 


Maybe you can check this page.

Identity Awareness Admin Guide

"Important - For AD Query you must enter domain administrator credentials. For Browser-Based Authentication standard credentials are sufficient."


0 Kudos
Chris_Atkinson
Employee

Which Version/Jumbo & SmartConsole build is used in this environment?

Have you already performed troubleshooting such as sk91040?

Note Identity Collector (rather than ADquery) is the current recommended method for integrating AD with Identity Awareness.

CCSM R77/R80/ELITE
Moudar
Advisor

I am using this version:

 show version all
Product version Check Point Gaia R81.20
OS build 631
OS kernel version 3.10.0-1160.15.2cpx86_64
OS edition 64-bit

When I run "adlog a dc" I get this:

[Expert@A-GW-01:0]# adlog a dc
Domain controllers:
Domain Name               IP Address                Events (last hour)   Connection state
============================================================================================================
a-ldap.a-ldap.lab         192.168.11.101            0                    connection had internal error [ntstatus = 0x80010111]

Ignored domain controllers on this gateway:
No ignored domain controllers found.

I am 100% sure that the user is domain admin and the password is right!!

0 Kudos
Don_Paterson
Advisor

Hi Chris,
Is that recommended (or Best Practice maybe) documented anywhere, so that you can share a link or SK?

I agree with you but want to see if R&D have documented it anywhere.

Don


0 Kudos
PhoneBoy
Admin

Pretty sure this is expected behavior in modern environments.
See: https://support.checkpoint.com/results/sk/sk91462
Specifically, if NTLMv2 is enabled (which is the default) this wizard will fail.

Moudar
Advisor

adlogconfig a

 - No configuration exists


[ ] Override configuration
   [ ] Enable Adlog
      [ ] Enable log for login or logoff
      [ ] Use log original creation time
          Association timeout                : 0
          Full Name Query Interval (days, 0=disabled) : 0
          Full Name Fetch Hour               : 0
          Multi-user host Detection Threshold: 7
          Revoked user timeout interval      : 14400
      [X] Enable Multi-User Host persistence DB
          Multi-User Host persistence machine timeout (minutes): 2592000
          Service Account Detection Threshold: 10
      [ ] Automatically Exclude Service Accounts
[ ] Override default communication parameters
          Query Within count                 : 0
          Query Max returned objects in each iteration: 0
[X] Disable password expiration check
[ ] Authentication mode
   [ ] Use NTLMv1
   [X] Use NTLMv2
[ ] Single User Assumption
[ ] Don't report machines
[X] LDAP groups update notifications
          Notifications accumulation time    : 10 (sec)
      [X] Notify only user-related LDAP changes
[ ] Prefer IPv6 DC addresses
[1] WMI query Type

As you can see NTLMv2 is enabled.

I will follow sk91462 and come back with results

0 Kudos
Moudar
Advisor

adlogconfig a


[ ] Override configuration
   [ ] Enable Adlog
      [ ] Enable log for login or logoff
      [ ] Use log original creation time
          Association timeout                : 0
          Full Name Query Interval (days, 0=disabled) : 0
          Full Name Fetch Hour               : 0
          -------------------
          Domain name                        : A-LDAP.lab
          Username                           : moudar
          Domain Controllers                 : A-LDAP.A-LDAP.lab
          -------------------
          Multi-user host Detection Threshold: 7
          Revoked user timeout interval      : 14400
      [X] Enable Multi-User Host persistence DB
          Multi-User Host persistence machine timeout (minutes): 2592000
          Service Account Detection Threshold: 10
      [ ] Automatically Exclude Service Accounts
[ ] Override default communication parameters
          Query Within count                 : 0
          Query Max returned objects in each iteration: 0
[X] Disable password expiration check
[ ] Authentication mode
   [X] Use NTLMv1
   [ ] Use NTLMv2
[ ] Single User Assumption
[ ] Don't report machines
[X] LDAP groups update notifications
          Notifications accumulation time    : 10 (sec)
      [X] Notify only user-related LDAP changes
[ ] Prefer IPv6 DC addresses
[1] WMI query Type
 adlogconfig a -test A-LDAP.lab
Testing A-LDAP.A-LDAP.lab:      Internal Error

Now I am using NTLMv1 but still have a problem with the Identity Awareness Configuration wizard:

identity.JPG

0 Kudos
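An added example (not from this thread or from Check Point) that parses the two outputs Moudar pasted, `adlogconfig a` and `adlog a dc`, and flags what a reviewer would want to notice: NTLMv1 selected instead of the NTLMv2 default, the disabled password-expiration check, and any domain controller whose connection state reports an error, with the ntstatus code extracted. The sample strings are constructed from the thread's output; treating any state containing "error" as unhealthy is an assumption.

```python
import re

# Constructed samples condensed from the outputs pasted in this thread.
ADLOGCONFIG_SAMPLE = """\
[ ] Override configuration
   [ ] Enable Adlog
[X] Disable password expiration check
[ ] Authentication mode
   [X] Use NTLMv1
   [ ] Use NTLMv2
[1] WMI query Type
"""
ADLOG_DC_SAMPLE = """\
Domain Name               IP Address                Events (last hour)   Connection state
============================================================================================================
a-ldap.a-ldap.lab         192.168.11.101            0                    connection had internal error [ntstatus = 0x80010111]
"""

CHECKBOX_RE = re.compile(r"^\s*\[(X| |\d)\]\s+(.+?)\s*$")
DC_ROW_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(.+?)\s*$")

def parse_checkboxes(text):
    """Map each '[X] Label' / '[ ] Label' line to True/False; numeric boxes keep their digit."""
    flags = {}
    for line in text.splitlines():
        m = CHECKBOX_RE.match(line)
        if m:
            mark, label = m.groups()
            flags[label] = mark == "X" if mark in "X " else int(mark)
    return flags

def parse_dc_table(text):
    """Return (domain, ip, events_last_hour, state) rows from `adlog a dc`; header lines do not match."""
    rows = []
    for line in text.splitlines():
        m = DC_ROW_RE.match(line)
        if m:
            dom, ip, events, state = m.groups()
            rows.append((dom, ip, int(events), state))
    return rows

def audit(adlogconfig_text, adlog_dc_text):
    """Return a list of findings about weak settings and unhealthy DC connections."""
    flags = parse_checkboxes(adlogconfig_text)
    findings = []
    if flags.get("Use NTLMv1"):
        findings.append("NTLMv1 selected: legacy authentication, downgraded from the NTLMv2 default")
    if flags.get("Disable password expiration check"):
        findings.append("password expiration check disabled")
    for dom, ip, events, state in parse_dc_table(adlog_dc_text):
        if "error" in state.lower():  # assumption: error text means the DC link is down
            code = re.search(r"ntstatus = (0x[0-9a-fA-F]+)", state)
            findings.append(f"{dom} ({ip}): {state.split(' [')[0]}" + (f", ntstatus={code.group(1)}" if code else ""))
        elif events == 0:
            findings.append(f"{dom} ({ip}): no events received in the last hour")
    return findings
```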
PhoneBoy
Admin

I don’t believe the wizard supports LDAPS either, which I assume modern AD servers require. 
However the wizard is not required to configure Identity Awareness. 

0 Kudos
Moudar
Advisor

I became sick of trying to use AD Query.

Now I am using Identity Collector and it is running well. But I needed to follow sk113021 to make it connect to the VIP.

0 Kudos
cassiomaciel
Contributor

Hi, 

Did you try to use the command test_ad_connectivity from the gateway?

I suggest reviewing or creating the domain object directly.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...


0 Kudos