checkpointer
Participant

AD query failing for identity Awareness

Hello Team,

We have recently had to rebuild our R77.30 firewall (due to a failed upgrade attempt; the SMS is already on R81).

We have connectivity from the R77.30 gateway to our RSA server but get the following error:

[image: AD Query.JPG]

We have tried several sets of creds which we know to be correct (i.e. admin level) but continue to get this error message.

Can anyone help please?

7 Replies
Matt_Ricketts
Employee

For simplicity, the service account you use with the IDA should be a Domain Admin. It is possible to use a non-Domain Admin account, but then you need to start doing schema updates and changes within your Domain. I'm not familiar with pointing IDA at an RSA server vs a domain/domain controller.

Also do need to point out that R77.30 has been End of Support for a while now. R80.40 is our oldest/supported version with R81.10 being our Recommended version.

checkpointer
Participant

Thanks Matt, the accounts we are testing with are both Domain Admin.

Matt_Ricketts
Employee

Windows Server 2016 or 2019? Microsoft changed things within Windows Server 2022 and my IDA wouldn't authenticate anymore. I changed to the Identity Collector at that point. IDC is moving towards being the recommended method going forward too.

the_rock
Legend

Put it this way... as @Matt_Ricketts said, R77.30 has been unsupported since way before Covid-19 I think, but regardless, even if you were on R55 or R81.20, you HAVE TO use a domain account with full admin privileges to make this work. I spent way too many hours with TAC on the phone going through sk93938 and we could never get that working... ever.

https://support.checkpoint.com/results/sk/sk93938

Andy

checkpointer
Participant

Thanks Rock, the accounts we are testing with are domain accounts with full admin privileges.

PhoneBoy
Admin

In response to various security vulnerabilities, Microsoft has made numerous changes to WMI.
This effectively "breaks" ADQuery and we've been recommending people move to Identity Collector for some time.
For details on Identity Collector, see: https://support.checkpoint.com/results/sk/sk108235
Yes, you can run Identity Collector under R77.30, but it's been End of Support for over three years now.

the_rock
Legend

Excellent point indeed... I had a customer who was hesitant to move to IDC, but once I gave them all the good reasons to and they saw issues with Windows updates on their AD server, they finally agreed to move away from AD Query and are super content now with Identity Collector: no issues in the 3 months since the change.
