Identity Awareness, password rotation, and gMSA (Group Managed Service Accounts)

A feature request for ID Awareness - to simplify password rotations on service accounts for Identity Collector or even LDAP account units, it would be great to see support for gMSAs (Group Managed Service Accounts).  These handle the password rotation automatically and securely.

Until then, however, any recommendations for ID Awareness / Identity Collector for password rotation without impacting service?

4 Replies
Silver

Does anyone have any thoughts around password rotation of the LDAP Account Unit service accounts in a way that minimizes impact to an Identity Collector setup?  I'm guessing anyone who logs in during the password change process will not get any group information tied to their authentications, and policy will not work well with them.

Even worse would be what happened here...

Any ideas to minimize the impact, other than setting the password to never expire?

Admin

This gets into the whole "should we change passwords at all" debate.
Assuming the password is complex and long enough, I would personally say...no.
I assume the "safest" way to change the password would be to do it during an outage window.
Silver

While I understand where you are coming from, and mostly agree in this instance, we live in a world where security policy often requires fairly frequent password rotations of service accounts.  Therefore, anything Check Point can do to minimize the impact of those rotations would be helpful.

I can avoid an outage on the Identity Collector side by using 2 IDC servers and 2 different accounts that rotate separately.  However, the LDAP account unit is the bigger pain point, as changing it will cause an outage for some users.  Anything Check Point can do to eliminate that would be helpful.

As to your suggestion to do it safely in an "outage window", the whole point of having redundancy in clusters, multiple Identity Collector servers, etc. is to avoid an outage completely.  Now I have to try to sell to management an outage every X number of months based on the security policy currently in effect.  That is a tough sell to a 24x7 operation.

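The two-collector, two-account design in the reply above can be scripted on the Active Directory side so that one account is only ever rotated while the other is proven to still bind. The following is an added example, not code from the thread or from Check Point; the domain "corp.example", the domain controller "dc01.corp.example" and the accounts "svc-idc-a" (used only by Identity Collector A) and "svc-idc-b" (used only by Identity Collector B) are hypothetical names. Entering the new password into the Identity Collector configuration is done in the IDC UI and is not scripted here.

```powershell
# Added example (not from the thread, not Check Point code): staggered rotation of
# two Identity Collector service accounts so at most one collector is ever without
# a valid password. Names below are hypothetical.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Domain = 'corp.example'          # hypothetical
$Dc     = 'dc01.corp.example'     # hypothetical; write and verify against the same DC

function New-RandomPassword {
    # 40 symbols from a 64-symbol alphabet, selected with a bit mask (no modulo
    # bias). ~240 bits of entropy; nobody will ever type this password.
    param([int]$Length = 40)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ -band 0x3F] })
}

function Test-LdapBind {
    # Simple bind over LDAPS (636) with the given UPN/password; $true if the DC accepts it.
    param([string]$Server, [string]$Upn, [string]$Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("${Server}:636")
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $cred = New-Object System.Net.NetworkCredential($Upn, $Password)
    try {
        $conn.Bind($cred)
        return $true
    } catch {
        # Invalid credentials (LDAP result 49) and transport errors both count as
        # "not usable"; the caller treats $false as a reason not to rotate.
        Write-Warning "Bind as $Upn to $Server failed: $($_.Exception.Message)"
        return $false
    } finally {
        $conn.Dispose()
    }
}

function Invoke-StaggeredRotation {
    # Rotate $RotateAccount only while $StandbyAccount still binds, so the other
    # collector keeps publishing identities during the change.
    param(
        [string]$RotateAccount,
        [string]$StandbyAccount,
        [string]$StandbyPassword
    )
    if (-not (Test-LdapBind -Server $Dc -Upn "$StandbyAccount@$Domain" -Password $StandbyPassword)) {
        throw "Standby account $StandbyAccount cannot bind; refusing to rotate $RotateAccount"
    }
    $newPassword = New-RandomPassword
    $secure = ConvertTo-SecureString -String $newPassword -AsPlainText -Force
    # -Reset sets the password without the old one; -Server pins the DC so the
    # verification bind below is not fooled by replication lag.
    Set-ADAccountPassword -Identity $RotateAccount -Reset -NewPassword $secure -Server $Dc
    if (-not (Test-LdapBind -Server $Dc -Upn "$RotateAccount@$Domain" -Password $newPassword)) {
        throw "New password for $RotateAccount was rejected by $Dc"
    }
    return $newPassword
}

# Rotation day for collector A; collector B keeps working throughout.
$standbyB      = Read-Host -Prompt 'Current password of svc-idc-b' -AsSecureString
$standbyBPlain = [System.Net.NetworkCredential]::new('', $standbyB).Password
$newA = Invoke-StaggeredRotation -RotateAccount 'svc-idc-a' -StandbyAccount 'svc-idc-b' -StandbyPassword $standbyBPlain
# Now put $newA into Identity Collector A's configuration (IDC UI, not scripted) and
# confirm A is publishing identities again before scheduling B's rotation.
```

Between the `Set-ADAccountPassword` call and the moment the new secret is entered in the IDC configuration, collector A's queries fail; that window is covered by collector B, which is why the script refuses to start unless B's account binds. Do not write `$newA` to a log or transcript; hand it straight to the IDC configuration.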
Admin

The LDAP lookup actually happens on the gateway to change passwords.
To change that requires a Security Policy push, which may create its own service impact.