This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LM-Rafael
Collaborator
‎2025-01-08 01:53 PM
Jump to solution

CheckPoint Quantum 1600 Cluster stronger authentication required

Hi,

i have a quantum 1600 device which i need to authenticate against the new Windows Server 2025 AD Server. But i can only enter an IP Address and so is not possible to successfully connect my appliance with the LDAPS Windows Server. I get the error "Stronger authentication required". But i can enter only IP address, no Hostname or FQDN, and this is the reason the authentication fails against the AD Server.

What can i do to solve this issue?

Thanks for Help

Rafael

 

 

 

Preview file
33 KB
0 Kudos
44 Replies
ixy
Explorer
‎2025-07-10 06:35 PM
Jump to solution

Hi Everyone,

I am planning to build Windows Server 2025 for a new customer and set up authentication integration between the server and Quantum Spark for RA VPN.
However, based on this thread, it seems that this may not work properly yet.
I don’t have experience enabling the RADIUS server feature on Windows Server, so if authentication via RADIUS is possible as an alternative, I would like to consider that option.
Does anyone tried RADIUS authentication instead of LDAP?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2025-07-11 06:02 AM
In response to ixy
Jump to solution

See https://community.checkpoint.com/t5/General-Topics/Thales-Mandatory-Security-Update-STA-RADIUS-Serve...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2025-07-14 06:43 AM
In response to ixy
Jump to solution

Even if you use RADIUS for authentication, LDAP is still necessary to get information about user groups.

0 Kudos
itayravenna
Employee
Employee
a month ago
Jump to solution

@G_W_Albrecht @LM-Rafael @Tom_Hinoue 

Hi Guys,

 

Quick summary of the issue:
Starting with Windows Server 2025, Microsoft enforces LDAP signing and channel binding by default.
While earlier Windows Server versions allowed unsecured LDAP (simple bind without signing), Windows Server 2025 requires secure LDAP over SSL/TLS (LDAPS).

Since Quantum Spark appliances previously attempted LDAP communication without SSL, authentication failed due to missing certificate validation and channel binding enforcement.

We have now released a new Jumbo Hotfix (HFX) that adds support for LDAPS communication with Windows Server 2025.
This fix will also be included in our upcoming official release R82.x.

In the meantime, here are the Jumbo HFX download links:

After installation, run in clish:

set user-awareness ldaps true

On the Windows Server 2025 side, make sure a CA certificate is installed via Active Directory Certificate Services (AD CS).

Thank you all for your patience.

I’ll do my best to go back over the service requests from the past six months to make sure this fix reaches everyone who needs it.





Tom_Hinoue
Advisor
Advisor
a month ago
In response to itayravenna
Jump to solution

Hi @itayravenna 

Great news!
Is this fix only for the legacy AD Query, or does this fix also make Identity Collector to work also?

0 Kudos
itayravenna
Employee
Employee
a month ago
In response to Tom_Hinoue
Jump to solution

Hi @Tom 

I haven't tested that yet

0 Kudos
Tom_Hinoue
Advisor
Advisor
a month ago
In response to itayravenna
Jump to solution

Hi @itayravenna ,

The fix description (CLISH command) seems like it's only for the AD query... anyways I will test out both patterns.

0 Kudos
Tom_Hinoue
Advisor
Advisor
a month ago
In response to Tom_Hinoue
Jump to solution

Hi @itayravenna 

I tested the provided fix and confirmed the spark gateway can now connect to AD server using LDAPS(TCP/636). We don't see the "Stronger Authentication Required" warning any more 🙂

Any chance the CLISH parameter could be added to Device -> Advanced Settings so it could be configured via WEBUI or maybe a checkbox can be added when defining the AD server in IDA when we want to use LDAPS?


Also...we still have the issue where AD groups could not be read/fetched.
Does this occur on your side..? Related?

AD_fetch.jpeg

0 Kudos
itayravenna
Employee
Employee
4 weeks ago
In response to Tom_Hinoue
Jump to solution

Hi @Tom_Hinoue 

I think an advanced parameter will be added on the 82 official release, there will also be a UI agreement to fill.

Not sure about the groups issue... didn't happen on my end.

G_W_Albrecht
Legend Legend
Legend
a month ago
In response to itayravenna
Jump to solution

This firmware  is currently not available in Infinity SMP Portal - can you please add it to the SMP or provide the Customer Hotfix Firmware ID !

And: is the fix from sk183884 also included here ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
itayravenna
Employee
Employee
a month ago
In response to G_W_Albrecht
Jump to solution

Hi @G_W_Albrecht 

You can add them yourself to your SMP account.

Go to Plan / GW Object -> Services -> Firmware ->  Add Customer Hotfix Firmware
The firmware ID is in the link of the specific download, for example:
https://support.checkpoint.com/results/download/139514?fw1_vx_dep_R81_10_17_996004708.img

As for sk183884 - Since its also a JHX, I don't think it's included. but I'm double checking this internally with RnD

0 Kudos
G_W_Albrecht
Legend Legend
Legend
a month ago
In response to itayravenna
Jump to solution

Great! Thank you.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend
a month ago
In response to itayravenna
Jump to solution

@itayravenna  - any news about sk183884 ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend
4 weeks ago
In response to itayravenna
Jump to solution

Seems to be included- in SR# i asked if R81_10_17 Build 996004708 that adds support for LDAPS communication with Windows Server 2025 and R81.10.17 Build 996004654 including the Update Required for VPN/Remote Access Security Gateways Using DigiCert/GeoTrust CA by Sep 8, 2025 is included in R81.10.17 build 996004710 for empty URLF Categories tab and learned that Previous fixes are already included in this jumbo hotfix (with build 996004710) and it also includes DigiCert fix as well.

So the fix from sk183884 should be included here, too…

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend
a month ago
In response to itayravenna
Jump to solution

Some questions remain:

- what about IA on GAiA ? According to R&D, this issue is present on all CP products using IA.

- what about the new 25x0 SMBs ?

- is there finally a SK to document the issue, or only a simple email and a CheckMates topic ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events