Us4r
Contributor

Checkpoint Identity Agent: UserName Identification Problem on specific Users

Hello,

Currently we deploy Check Point Identity Agent in our environment.

For most users it's working as expected, but for some users only the machine information is set after user login and the user account isn't detected:

cp-ida-issue.JPG

If I log on to the same computer with another Active Directory user account, then this user account is detected by the agent.

What can be the problem there and how can I debug this issue?

Regards

Florian

0 Kudos
5 Replies
G_W_Albrecht
Legend

0 Kudos
Us4r
Contributor

Hello,

It looks like it's really a specific problem with the Active Directory user account. If this user account tries to log on to another computer, the user also won't be authenticated using Kerberos.

Is there anything else I can do to debug this issue? Can this be something like a permission problem on the user account in Active Directory?

0 Kudos
dehaasm
Collaborator

We had the same issue. It probably has something to do with the Kerberos ticket size for some users. In the pdp logs you might see:

PDPD (TD::Critical)] pdp::NACUrlProtocol::DataReceived: data length: 48578 ,exceeds the maximum of: 40974

Try adjusting ccc_max_msg_size with the DBedit tool; follow sk66087 https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
David_M_Almas
Contributor

Hi!

I'm deploying Identity Agent in our environment (VSX HA cluster in R81.10) and we're having exactly the same issue.

Did you manage to get closure on this?

Thanks!

0 Kudos
David_M_Almas
Contributor

For future reference.

-----------------------------------------------------------------------

After reporting this issue to TAC, they noticed this error in the IA Agent logs:

[PDPD (TD::Critical)] pdp::NACUrlProtocol::DataReceived: data length: 9923 ,exceeds the maximum of: 8196

 

We then proceeded to increase the value ccc_max_msg_size using the following procedure (as always, please don't forget to perform a backup):

  1. Connect with SmartConsole to the Security Management Server / Domain Management Server.
  2. In the top left corner, click Menu > Database Revision Control > create a revision snapshot.

Note: Database Revision Control is not supported for VSX objects (sk65420) and Endpoint Security Servers. Instead, if running SMS/DMS in a virtual machine perform a snapshot prior to the following procedure.

In addition, refer to:

Close all SmartConsole windows.

Verify by running the "cpstat mg" command on Security Management Server / in the context of each Domain Management Server.

  1. Connect with GuiDBedit Tool to the Security Management Server / Domain Management Server.
  2. In the upper left pane, go to Table > Network Objects > network_objects.
  3. In the upper right pane, select the relevant Gateway or Cluster object.
  4. Press CTRL+F (or go to Search menu > Find) > paste ccc_max_msg_size > click Find Next.
  5. In the lower pane, right-click on the ccc_max_msg_size > select Edit > select "65535" > click OK.
  6. Save the changes: go to the File menu > click Save All.
  7. Close the GuiDBedit Tool.
  8. Connect with SmartConsole to the Security Management Server / Domain Management Server.
  9. Install the Security Policy onto the applicable Security Gateway / Cluster / VSX Virtual System object.
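
To size the problem before and after changing ccc_max_msg_size, the oversize messages quoted in the two replies above can be pulled out of a saved log and summarized. This is an added example, not part of the thread or of Check Point's tooling; the sample lines are constructed from the two messages quoted here plus one made-up value, and it assumes a message is accepted when its length does not exceed the configured maximum.

```python
import re
from dataclasses import dataclass

# Matches the pdpd message quoted in this thread; tolerant of spacing around the comma.
OVERSIZE_RE = re.compile(
    r"pdp::NACUrlProtocol::DataReceived:\s*data length:\s*(\d+)\s*,\s*"
    r"exceeds the maximum of:\s*(\d+)"
)

PROCEDURE_VALUE = 65535  # ccc_max_msg_size value set in the procedure above


@dataclass
class OversizeSummary:
    configured_max: int          # limit the gateway reported in the error
    events: int                  # number of rejected messages under that limit
    largest: int                 # largest rejected message seen
    covered_by_procedure: bool   # assumption: accepted if largest <= PROCEDURE_VALUE


def summarize(lines):
    """Group oversize-message errors by the limit in force when they were logged."""
    by_limit = {}
    for line in lines:
        m = OVERSIZE_RE.search(line)
        if not m:
            continue  # unrelated log line
        length, limit = int(m.group(1)), int(m.group(2))
        events, largest = by_limit.get(limit, (0, 0))
        by_limit[limit] = (events + 1, max(largest, length))
    return [
        OversizeSummary(limit, events, largest, largest <= PROCEDURE_VALUE)
        for limit, (events, largest) in sorted(by_limit.items())
    ]


# Constructed sample input: the two messages quoted in the thread, one made-up
# oversize value (70001) and one unrelated line.
SAMPLE_LOG = """\
[PDPD (TD::Critical)] pdp::NACUrlProtocol::DataReceived: data length: 9923 ,exceeds the maximum of: 8196
[PDPD (TD::Critical)] pdp::NACUrlProtocol::DataReceived: data length: 48578 ,exceeds the maximum of: 40974
[PDPD (TD::Critical)] pdp::NACUrlProtocol::DataReceived: data length: 70001 ,exceeds the maximum of: 40974
[PDPD] constructed unrelated line
""".splitlines()

if __name__ == "__main__":
    for summary in summarize(SAMPLE_LOG):
        print(summary)
```

A summary row with `covered_by_procedure` set to false means the value from the procedure would still be too small for that user's message, so the size of the user's Kerberos ticket is the thing to look at next.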
