This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
rogergh
Explorer
‎2021-10-21 04:00 AM

LDAP Account Unit authentication request missing integrity support

Hi.

Our domain controllers require integrity checks for RPC-calls, and it does not seem like Check Point Management\Security Gateway honors the requirement, and then fails to connect. This error is logged on our domain controllers:

The server-side authentication level policy does not allow the user REDACTEDUSER from address REDACTEDIP to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

Where REDACTEDUSER is the user account specified in domain controller authentication in the LDAP Account Unit, and REDACTEDIP is gateway and security gateway-adresses.

Here is a link to Microsoft-information regarding different RPC authentication-levels:

[MS-RPCE]: Authentication Levels | Microsoft Docs

 

Is there a way to enable this, or is it just not supported?

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2021-10-21 08:16 AM

The only place I think we made actual RPC calls is when ADQuery is used (versus Identity Collector).
Otherwise, we're just making LDAP calls.
Are you using ADQuery?

0 Kudos
rogergh
Explorer
‎2021-10-21 11:44 AM
In response to PhoneBoy

Yes, we have Active Directory Query activated, but we also have a collector up and running. Does Collector replace all functionality from AD Query? If yes, then I guess we could just disable it and not worry about this.

Running "adlog a dc" also gives the following error from the same DCs which gives RPC-warnings for Check Point: "connection had internal error [ntstatus = 0x80010111"

0 Kudos
PhoneBoy
Admin
Admin
‎2021-10-21 03:15 PM
In response to rogergh

They both do the same thing, albeit using entirely different mechanisms.
Identity Collector is a LOT more scalable and doesn't cause as much load on the Active Directory servers.

0 Kudos
Rich_Lichtenfel
Explorer
‎2022-02-15 11:27 AM
In response to PhoneBoy

Is there a way to fix this with AD Query?

0 Kudos
gyterpena
Explorer
‎2022-03-03 01:29 AM
In response to PhoneBoy

We use Identity Collector, but we have this error when we try to update rule base(Access Role) and this needs to pull list of users from "LDAP Account Units"(with "Active Directory Query" disabled)

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events