Solved: Re: CheckPoint Quantum 1600 Cluster stronger authe... - Page 2

LM-Rafael · ‎2025-01-08

Hi,

i have a quantum 1600 device which i need to authenticate against the new Windows Server 2025 AD Server. But i can only enter an IP Address and so is not possible to successfully connect my appliance with the LDAPS Windows Server. I get the error "Stronger authentication required". But i can enter only IP address, no Hostname or FQDN, and this is the reason the authentication fails against the AD Server.

What can i do to solve this issue?

Thanks for Help

Rafael

ixy · ‎2025-07-10

Hi Everyone,

I am planning to build Windows Server 2025 for a new customer and set up authentication integration between the server and Quantum Spark for RA VPN.
However, based on this thread, it seems that this may not work properly yet.
I don’t have experience enabling the RADIUS server feature on Windows Server, so if authentication via RADIUS is possible as an alternative, I would like to consider that option.
Does anyone tried RADIUS authentication instead of LDAP?

G_W_Albrecht · ‎2025-07-11

See https://community.checkpoint.com/t5/General-Topics/Thales-Mandatory-Security-Update-STA-RADIUS-Serve...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

PhoneBoy · ‎2025-07-14

Even if you use RADIUS for authentication, LDAP is still necessary to get information about user groups.

itayravenna

@G_W_Albrecht @LM-Rafael @Tom_Hinoue

Hi Guys,

Quick summary of the issue:
Starting with Windows Server 2025, Microsoft enforces LDAP signing and channel binding by default.
While earlier Windows Server versions allowed unsecured LDAP (simple bind without signing), Windows Server 2025 requires secure LDAP over SSL/TLS (LDAPS).

Since Quantum Spark appliances previously attempted LDAP communication without SSL, authentication failed due to missing certificate validation and channel binding enforcement.

We have now released a new Jumbo Hotfix (HFX) that adds support for LDAPS communication with Windows Server 2025.
This fix will also be included in our upcoming official release R82.x.

In the meantime, here are the Jumbo HFX download links:

After installation, run in clish:

set user-awareness ldaps true

On the Windows Server 2025 side, make sure a CA certificate is installed via Active Directory Certificate Services (AD CS).

Thank you all for your patience.

I’ll do my best to go back over the service requests from the past six months to make sure this fix reaches everyone who needs it.

Tom_Hinoue

Hi @itayravenna

Great news!
Is this fix only for the legacy AD Query, or does this fix also make Identity Collector to work also?

itayravenna

Hi @Tom

I haven't tested that yet

Tom_Hinoue

Hi @itayravenna ,

The fix description (CLISH command) seems like it's only for the AD query... anyways I will test out both patterns.

Tom_Hinoue

Hi @itayravenna

I tested the provided fix and confirmed the spark gateway can now connect to AD server using LDAPS(TCP/636). We don't see the "Stronger Authentication Required" warning any more 🙂

Any chance the CLISH parameter could be added to Device -> Advanced Settings so it could be configured via WEBUI or maybe a checkbox can be added when defining the AD server in IDA when we want to use LDAPS?

Also...we still have the issue where AD groups could not be read/fetched.
Does this occur on your side..? Related?

itayravenna

Hi @Tom_Hinoue

I think an advanced parameter will be added on the 82 official release, there will also be a UI agreement to fill.

Not sure about the groups issue... didn't happen on my end.

G_W_Albrecht

This firmware is currently not available in Infinity SMP Portal - can you please add it to the SMP or provide the Customer Hotfix Firmware ID !

And: is the fix from sk183884 also included here ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

itayravenna

Hi @G_W_Albrecht

You can add them yourself to your SMP account.

Go to Plan / GW Object -> Services -> Firmware -> Add Customer Hotfix Firmware
The firmware ID is in the link of the specific download, for example:
https://support.checkpoint.com/results/download/139514?fw1_vx_dep_R81_10_17_996004708.img

As for sk183884 - Since its also a JHX, I don't think it's included. but I'm double checking this internally with RnD

G_W_Albrecht

Great! Thank you.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht

@itayravenna - any news about sk183884 ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht

Seems to be included- in SR# i asked if R81_10_17 Build 996004708 that adds support for LDAPS communication with Windows Server 2025 and R81.10.17 Build 996004654 including the Update Required for VPN/Remote Access Security Gateways Using DigiCert/GeoTrust CA by Sep 8, 2025 is included in R81.10.17 build 996004710 for empty URLF Categories tab and learned that Previous fixes are already included in this jumbo hotfix (with build 996004710) and it also includes DigiCert fix as well.

So the fix from sk183884 should be included here, too…

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht

Some questions remain:

- what about IA on GAiA ? According to R&D, this issue is present on all CP products using IA.

- what about the new 25x0 SMBs ?

- is there finally a SK to document the issue, or only a simple email and a CheckMates topic ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Are you a member of CheckMates?

CheckPoint Quantum 1600 Cluster stronger authentication required