AD query failing for identity Awareness
Hello Team,
We have recently had to rebuild our r77.30 firewall (due to a failed upgrade attempt, SMS is already r81).
We have connectivity from r77.30 gw to our RSA server but get the following error:
We have tried several sets of creds which we know to be correct (i.e. admin level) but continue to get this error message.
Can anyone help please?
Labels: Windows
For simplicity, the service account you use with the IDA should be a Domain Admin. It is possible to use a non-Domain Admin account, but then you need to start doing schema updates and changes within your Domain. Not familiar with pointing IDA at an RSA server vs a domain/domain controller.
Also do need to point out that R77.30 has been End of Support for a while now. R80.40 is our oldest/supported version with R81.10 being our Recommended version.
Thanks Matt, the accounts we are testing with are both Domain Admin.
Windows Server 2016 or 2019? Microsoft changed things within Windows Server 2022 and my IDA wouldn't authenticate anymore. I changed to the Identity Collector at that point. IDC is moving towards being the recommended method going forward too.
Put it this way... as @Matt_Ricketts said, R77.30 has been unsupported way before Covid-19 I think, but regardless, even if you were on R55 or R81.20 version, you HAVE TO use a domain account with full admin privileges to make this work. I spent way too many hours with TAC on the phone going through sk93938 and we could never get that working... ever.
https://support.checkpoint.com/results/sk/sk93938
Andy
Thanks Rock, the accounts we are testing with are domain accounts with full admin privileges.
In response to various security vulnerabilities, Microsoft has made numerous changes to WMI.
This effectively "breaks" ADQuery and we've been recommending people move to Identity Collector for some time.
For details on Identity Collector, see: https://support.checkpoint.com/results/sk/sk108235
Yes, you can run Identity Collector under R77.30, but it's been End of Support for over three years now.
Excellent point indeed... I had a customer who was hesitant to move to IDC, but once I gave them all the good reasons to and they saw issues with Windows updates on their AD server, they finally accepted to move away from AD query and are super content now with Identity Collector, no issues in 3 months since the change.
