jennyado
Collaborator

Enabling AD password expiration warning/change and SupportOldSchema impact in an MDS environment

Hello community,

I am reviewing the configuration to allow Active Directory users to receive a warning and change their password from the Check Point VPN Client before their password expires, according to SKs sk33404 and sk89841.

I have an MDS environment, and I want to apply this configuration within a domain where I have 3 LDAP Account Units, but I intend to enable this functionality only on one of them so that VPN users can change their password through the client.

According to the documentation, the steps include:

1. Enable in Global Properties → User Directory the option
   “Enable Password change when a user's Active Directory password expires”
   (some articles indicate this is also required to allow password change before expiration).

2. Ensure the LDAP Account Unit is using the Microsoft_AD profile with:

   • SSL enabled (TCP 636)
   • Write data to this server enabled
   • DN with sufficient permissions to modify passwords

3. If the AD does not have the Check Point LDAP schema extended, configure in GuiDBedit:

   Tables > Managed Objects > LDAP > Microsoft_AD > Common > SupportOldSchema = 1

4. (Optional, according to SK33404) In the LDAP Account Unit object where the change will be applied:

   • IsPasswordWarning = True
   • PasswordWarningTime = <number of days>
   • UseNativePwdParams = True

💡 My questions:

1. SupportOldSchema interpretation:

   • If the AD does not have the extended schema → SupportOldSchema = 1
   • If the AD does have the extended schema → SupportOldSchema = 0

   Is this correct?

2. Impact on other LDAP Account Units in the same domain:

   • Does enabling “Enable Password change when a user's AD password expires” on one LDAP Account Unit affect the other two LDAP Account Units?
   • Could changing SupportOldSchema on this LDAP Account Unit impact authentication or user queries for the other LDAP Account Units using the Microsoft_AD profile?

3. Scope of warning parameters:

   • If I apply IsPasswordWarning, PasswordWarningTime, and UseNativePwdParams only to this LDAP Account Unit, does this affect any of the other LDAP Account Units that are not modified?
   • Will the other LDAP Account Units continue authenticating normally without any additional changes?

4. Impact on VPN and active sessions:

   • Could enabling these changes on this LDAP Account Unit interrupt or log out active VPN users authenticating against this AD?
   • In other words, is it safe to enable these options in a production MDS environment without affecting existing sessions on other LDAP Account Units?

Any confirmation or practical experience with this configuration would be greatly appreciated — especially in MDS environments with multiple LDAP Account Units and VPN users authenticating simultaneously.

Thanks in advance 🙌

6 Replies
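Added illustration, not code from the original post or from Check Point: the native AD password parameters that `UseNativePwdParams` refers to are `pwdLastSet` (a FILETIME), the domain's `maxPwdAge` (a negative 100 ns interval) and the `DONT_EXPIRE_PASSWORD` bit of `userAccountControl`. The snippet below computes from them whether a user falls inside a `PasswordWarningTime` window, using constructed sample values; how the VPN client itself evaluates these attributes is not documented on this page, so the classification logic here is an assumption for illustration only.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: 100 ns ticks since 1601-01-01 UTC (what AD stores in pwdLastSet)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000            # userAccountControl flag
MAXPWDAGE_NEVER = -0x8000000000000000     # domain maxPwdAge meaning "passwords never expire"


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (used here only to build constructed samples)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_expiry(pwd_last_set: int, max_pwd_age: int, uac: int):
    """Return when the password expires, or None if it never does."""
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in (0, MAXPWDAGE_NEVER):
        return None
    if pwd_last_set == 0:
        # "User must change password at next logon": treat as already expired
        return FILETIME_EPOCH
    # maxPwdAge is stored negative, so negate it to get the positive lifetime
    return filetime_to_datetime(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)


def evaluate(pwd_last_set: int, max_pwd_age: int, uac: int, now_ft: int, warning_days: int):
    """Assumed warning classification: ('expired' | 'warn' | 'ok', whole days left or None)."""
    expiry = password_expiry(pwd_last_set, max_pwd_age, uac)
    if expiry is None:
        return "ok", None
    remaining = expiry - filetime_to_datetime(now_ft)
    if remaining <= timedelta(0):
        return "expired", remaining.days
    return ("warn" if remaining <= timedelta(days=warning_days) else "ok"), remaining.days


if __name__ == "__main__":
    # Constructed sample: 42-day domain policy, password set 2024-05-01, evaluated on 2024-06-01
    max_pwd_age = -42 * 24 * 3600 * 10_000_000
    last_set = datetime_to_filetime(datetime(2024, 5, 1, tzinfo=timezone.utc))
    now = datetime_to_filetime(datetime(2024, 6, 1, tzinfo=timezone.utc))
    for warn_days in (14, 7):
        print(f"PasswordWarningTime={warn_days}:", evaluate(last_set, max_pwd_age, 0x200, now, warn_days))
```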
the_rock
MVP Gold

Oldschema parameter option, you got that right. Does not affect other LDAP account units if changed on one, and no, ALREADY logged-in users would stay logged in.

Best,

Andy
the_rock
MVP Gold

@jennyado

I sadly don't have lab access at the moment as I'm in Africa, but what I mentioned is my previous experience.

Best,

Andy
jennyado
Collaborator

Thanks a lot for the reply — really appreciate you taking the time to share your experience, especially while abroad! 🌍
Your confirmation about the impact on other LDAP Account Units and active VPN users was super helpful.

Just to clarify one last thing:
When setting the SupportOldSchema value in

Tables > Managed Objects > LDAP > Microsoft_AD > Common

it looks like this parameter applies to the Microsoft_AD profile itself, not to each individual LDAP Account Unit.

If that’s correct, then all LDAP Account Units that use this same profile would inherit that value, right?
I’m currently checking with the AD team whether their directory is using the extended Check Point schema or not, so I just want to confirm if changing this parameter would affect all LDAP Account Units in the domain that use the Microsoft_AD profile.

Would you confirm if this behavior is global per profile, and if creating a duplicate profile (for example, “Microsoft_AD_NoSchema”) would be the proper way to isolate it if needed?

Thanks again for your help and time!

the_rock
MVP Gold

It's no issue, raining here like crazy, so nothing better to do haha. I'm sure that setting would indeed affect all account units. I do know one customer who added the no-schema value and it worked for them, but this was a while ago, might be worth confirming with TAC.

Best,

Andy
jennyado
Collaborator

Thanks a lot for your help and for taking the time to reply — really appreciate it!
I’ve already opened a TAC case to confirm how that behavior works in the latest versions, just to be fully sure before applying any change.

Enjoy the rest of your vacation (hopefully the rain lets up soon)! 🌧😄
Thanks again for the support!

the_rock
MVP Gold

Thank you! Yes, rain stopped, but it's 1 am here, time to sleep lol

Cheers,

Andy