rogergh
Explorer

LDAP Account Unit authentication request missing integrity support

Hi.

Our domain controllers require integrity checks for RPC calls, and Check Point Management\Security Gateway does not seem to honor the requirement, so it fails to connect. This error is logged on our domain controllers:

The server-side authentication level policy does not allow the user REDACTEDUSER from address REDACTEDIP to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

Where REDACTEDUSER is the user account specified for domain controller authentication in the LDAP Account Unit, and REDACTEDIP is the gateway and security gateway addresses.

Here is a link to Microsoft information regarding the different RPC authentication levels:

[MS-RPCE]: Authentication Levels | Microsoft Docs


Is there a way to enable this, or is it just not supported?

0 Kudos
3 Replies
PhoneBoy
Admin

The only place I think we make actual RPC calls is when ADQuery is used (versus Identity Collector).
Otherwise, we're just making LDAP calls.
Are you using ADQuery?

0 Kudos
rogergh
Explorer

Yes, we have Active Directory Query activated, but we also have a collector up and running. Does Collector replace all functionality from AD Query? If yes, then I guess we could just disable it and not worry about this.

Running "adlog a dc" also gives the following error from the same DCs that give RPC warnings for Check Point: "connection had internal error [ntstatus = 0x80010111"

0 Kudos
PhoneBoy
Admin

They both do the same thing, albeit using entirely different mechanisms.
Identity Collector is a LOT more scalable and doesn't cause as much load on the Active Directory servers.

0 Kudos
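To confirm which clients are tripping the DC's RPC authentication-level policy described in the original post (for example gateways still running AD Query rather than Identity Collector), here is an added PowerShell example; it is not from this thread or from Check Point, and it assumes the quoted message is logged as Event ID 10036 by the Microsoft-Windows-DistributedCOM provider in the System log, so verify that ID on your own DCs.

```powershell
# Added example: summarise DCOM authentication-level policy events on a domain
# controller so you can see which accounts and client addresses still activate
# DCOM below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
# Assumption (not from the thread): the message is Event ID 10036 from provider
# Microsoft-Windows-DistributedCOM in the System log.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-DistributedCOM'
    Id           = 10036
    StartTime    = (Get-Date).AddDays(-$Days)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No DCOM authentication-level events found on $ComputerName in the last $Days days."
    return
}

# The message names the account (optionally followed by its SID) and the client
# address; a lazy match on the user part tolerates both forms.
$pattern = 'does not allow the user (?<User>.+?) from address (?<Address>\S+) to activate DCOM server'

$events |
    ForEach-Object {
        if ($_.Message -match $pattern) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $Matches['User']
                Address = $Matches['Address']
            }
        }
    } |
    Group-Object User, Address |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.Group[0].User
            Address  = $_.Group[0].Address
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Addresses that keep appearing after AD Query is disabled on the gateways point to some other client that still needs its activation authentication level raised.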