This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kilian_Huber
Contributor
‎2023-03-02 05:35 AM
Jump to solution

Secure Domain Logon with certificate based authentication

Hi CheckMates,

when trying to use Secure Domain Logon with certificate based authentication (E86.26 client), the Secure Domain Logon dialogue does not offer any certificate to be chosen as shown in the screenshot below:

EPS-SDL.jpg

The user certificate store contains a certificate for the user which should be authenticated and the computer certificate store contains a machine certificate.

When skipping SDL and logging in with cached credentials, and then manually establishing a VPN connection, the user's certificate is correctly fetched via CAPI and certificate authentication is successful.

Any idea on how to troubleshoot why no certificate is available in the SDL authentication dialogue?

Thanks!

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-03-02 12:30 PM
In response to Kilian_Huber
Jump to solution

CAPI certificates cannot be used for SDL.
This is in the documentation: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN... 

View solution in original post

7 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-03-02 05:47 AM
Jump to solution

Is this an EPS client with TP blades ? sk146712

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Kilian_Huber
Contributor
‎2023-03-02 05:52 AM
In response to G_W_Albrecht
Jump to solution

It is an Endpoint Security Client, yes, but the FDE blade is not installed.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-03-02 06:36 AM
In response to Kilian_Huber
Jump to solution

So i would suggest TAC...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-02 05:55 AM
Jump to solution

I don’t believe SDL is necessary for this.
See: https://community.checkpoint.com/t5/Remote-Access-VPN/How-to-Have-Remote-Access-VPN-Tunnel-Before-Us...

0 Kudos
Kilian_Huber
Contributor
‎2023-03-02 06:44 AM
In response to PhoneBoy
Jump to solution

The machine certificate was just a test to see if I could select this certificate from the drop down list on the SDL window since I don't see the user certificate either. I do not actually want to use machine based authentication; all endpoints already have a user certificates rolled out and this should be used for authentication. IMHO this should be working since the user authenticates to Windows before the SDL window appears, therefore the personal certificate store should be accessible.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-02 12:30 PM
In response to Kilian_Huber
Jump to solution

CAPI certificates cannot be used for SDL.
This is in the documentation: https://sc1.checkpoint.com/documents/RemoteAccessClients_forWindows_AdminGuide/Content/Topics-RA-VPN... 

Kilian_Huber
Contributor
‎2023-03-02 12:42 PM
In response to PhoneBoy
Jump to solution

Ouch, I missed this. Thanks a lot!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events