Activate Identity Awareness
Hello community,
When I tried to activate IA with AD Query, I got the error message "User is not a domain administrator as such AD Query will not work".
But I am using an admin account with the right credentials. Environment: ClusterXL R81.10, Windows Server 2012 R2.
What can be checked to understand where the problem is?
See sk86441: ATRG: Identity Awareness!
Have just seen this issue in a lab environment with the same issue (account is Enterprise Administrator etc.).
Installing a different policy fixed it.
Not sure yet what the problem is, but at the moment I suspect HTTPS Inspection could be causing it, or the Application Control or URLF blade. HTTPS Inspection policy was last updated.
Edit: Also R81.10, no JHFA 30 installed yet.
Edit2: Windows Server 2016 Standard
Rgds,
Don
I saw this once before when I was on site with a customer and we just created another admin account and then it all worked. I really never got a good explanation from TAC why this would happen...
We tried that and it failed for us. New AD admin and same groups (Enterprise admins etc.) with no luck.
Maybe we got lucky that time, not sure, but that's what worked. I could be wrong when I say this, but from what I recall, in the old days you never had to use an admin account, but maybe that changed in R80+.
Have seen this happen when the AD domain is configured to only allow NTLMv2.
Check Point recommends using Identity Collector as the identity source instead of AD Query - any chance you can switch to using that? Seems using ADQ will only get more challenging in the future - check out sk176148.
Good call. That would be my recommendation too.
Hi guys, many thanks for the advice.
I caught this issue in my lab environment, not production. I don't know what it was, but I reinstalled Windows Server and it was resolved.
Regarding Identity Collector, I know, but for some tests I needed exactly AD Query.
Just encountered the exact same issue with a fresh Win2022 Server lab installation.
The error messages when trying to connect the AD are quite useful: they tell you if it can't reach the ADC, if the credentials are wrong or if the domain can't be found.
Thus, if you see this "User is not a domain administrator as such AD Query will not work" message, it's most likely not a connection/lack of policies issue.
Also keep in mind that the initial connectivity test is made from the SmartConsole's machine instead of from the GW.
However, in my case, after installing all the Windows updates and a couple of reboots, the connection eventually worked.
