FredrikV
Contributor

ID Agent automatic login

Hi,

We have about 12k users in a single Active Directory domain. Identity Awareness is under implementation, and we need to get the ID agent to automatically pick up the logged-in users. In other words, no manual input of credentials after logging into Windows.

I read about the Transparent Kerberos Authentication, and also the SSO feature of the LDAP account unit which requires an SPN to be configured in the AD.

Are those things what I'm looking for to achieve this? I'm not a Microsoft expert so any tips and suggestions are welcome.

Thanks

Regards, Fredrik

_Val_
Admin

Did you look into sk88520?

FredrikV
Contributor

Briefly in the past. We first built the solution with ID collector, but that didn't work in the end with the customers requirements.

We are now using Identity Broker pairs in both access and aggregation layers in conjunction with DNS load balancing to be able to handle the masses and maintain scalability. The design is developed and approved by CP SEs and RnD.

I don't think that sk88520 is mentioning anything about transparent login for ID agent.

Tobias_Moritz
Advisor

Yes, "Transparent Kerberos Authentication, and also the SSO feature of the LDAP account unit which requires a SPN to be configured in the AD" are exactly the things you have to look at.

We are using it that way and it works like a charm for many years now.

Unfortunately Windows only, because Identity Agent for MacOS has no Kerberos support and Check Point does not provide an Identity Agent for Linux at all.

If Windows-only is a problem for you: We are currently developing our own Identity Agent for Linux with Kerberos support, letting it connect to our own Identity Server for all the session handling, which then updates Check Point's Gateway (pdpd) using its official Identity Web API. Maybe we should even port it to MacOS, because of the missing Kerberos support in the original client.

FredrikV
Contributor

Thank you Tobias! Awesome that you took your time to reply.

We are aware that the solution currently is very Microsoft focused, but that limitation seems to be ok considering the end users are on Windows computers for the most part anyway. For Linux the firewalling will be based on IP addresses only.

Great news though that you are looking to expand the functionality over several platforms!

One last question. I'm not sure we are using captive portal for anything right now. Does that mean we don't need the HTTP/HTTPS-based "Kerberos Transparent Authentication" specifically, and can rely only on the SSO service account with SPN configured? I would like to better understand the difference here.

Regards, Fredrik

Tobias_Moritz
Advisor (accepted solution)

Just to make sure you did not misunderstand me: I am not working for Check Point. The software we are developing to extend Check Point Identity Awareness agent approach to other client platforms is not approved or supported by Check Point at all. We are just a Check Point customer, who uses the official available and documented Check Point API.

To your question: When you are not using captive portal, then setting one single service principal name (ckp_pdp/domain) for the AD account specified in LDAP account unit "Active Directory SSO configuration" is enough. Just take care of the ticket encryption method. Based on your Check Point version, there are different ways to set it to modern crypto. See sk111945 or Identity Awareness Admin Guide for your version.

FredrikV
Contributor

Sure, I thought so already, but it's great that you are able to extend functionality based on native APIs. Maybe Check Point one day can adopt your solution and offer the agent for a wide range of supported platforms.

Anyway, I got it to work yesterday after some collaboration with the Active Directory guys. As you mentioned, the encryption had to be adjusted after getting a "General Kerberos Error" in the agent log. After a short review of the cached TGTs on the Windows computer (with the klist command) it was obviously a crypto mismatch.

Thank you very much for your explanations!

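The accepted answer says a single SPN of the form ckp_pdp/domain on the SSO service account is sufficient, provided the ticket encryption type is set to modern crypto, and the last post reports that a "General Kerberos Error" in the agent log turned out to be a crypto mismatch visible with klist. The following PowerShell is an added example written for this page, not code from the thread, from Check Point, or from sk111945: it registers the SPN with setspn, restricts the account to AES with the ActiveDirectory module, and then parses klist output on a Windows client to report which encryption type the ticket for that SPN actually carries. The domain name example.corp, the account name svc_ckp_sso and the function name Get-KerbTicketEncType are assumptions for illustration; substitute the account named in your LDAP account unit's Active Directory SSO configuration.

```powershell
# Added example (not from the thread or from Check Point): register the SSO SPN,
# restrict the service account to AES, and verify the issued ticket from a client.
# Assumed names: AD domain example.corp, service account svc_ckp_sso.
# Steps 1-2 need the RSAT ActiveDirectory module and rights on the account;
# step 3 runs as the logged-in user on a Windows client with the Identity Agent.

$Domain  = 'example.corp'       # assumption: AD DNS domain name
$Account = 'svc_ckp_sso'        # assumption: account from the LDAP account unit SSO settings
$Spn     = "ckp_pdp/$Domain"    # SPN form given in the accepted answer

# 1. Register the SPN. -S refuses to add a duplicate; an SPN present on two
#    accounts breaks Kerberos for both, which is a classic silent SSO failure.
setspn -S $Spn $Account
setspn -L $Account

# 2. Allow only AES on the account. This writes msDS-SupportedEncryptionTypes
#    (0x18 = AES128 + AES256), so the KDC stops issuing RC4 tickets for the SPN.
Set-ADUser -Identity $Account -KerberosEncryptionType 'AES128,AES256'

# Caveat: AES keys are derived from the password at password-set time. If the
# account's password predates AES support on the DCs, reset it once so the KDC
# actually holds AES keys; otherwise clients still get the old ticket type.
# Set-ADAccountPassword -Identity $Account -Reset

Get-ADUser -Identity $Account -Properties ServicePrincipalName,'msDS-SupportedEncryptionTypes' |
    Select-Object SamAccountName, ServicePrincipalName, 'msDS-SupportedEncryptionTypes'

# 3. Client-side check. klist prints one "Server:" line followed by a
#    "KerbTicket Encryption Type:" line per cached ticket; return the type of
#    the ticket whose server principal starts with our SPN.
function Get-KerbTicketEncType {
    param(
        [string[]]$KlistOutput,   # lines as returned by (klist)
        [string]$ServerSpn        # e.g. ckp_pdp/example.corp
    )
    $server = $null
    foreach ($line in $KlistOutput) {
        if ($line -match '^\s*Server:\s*(\S+)') { $server = $Matches[1]; continue }
        if ($server -and $line -match 'KerbTicket Encryption Type:\s*(.+)$') {
            if ($server -like "$ServerSpn*") { return $Matches[1].Trim() }
            $server = $null
        }
    }
    return $null
}

$enc = Get-KerbTicketEncType -KlistOutput (klist) -ServerSpn $Spn
if (-not $enc) {
    Write-Warning "No cached ticket for $Spn. Run 'klist purge', let the agent retry SSO, then check again."
} elseif ($enc -notlike 'AES*') {
    Write-Warning "Ticket for $Spn uses $enc, not AES. This is the kind of mismatch reported as 'General Kerberos Error' in the agent log."
} else {
    "Ticket for $Spn uses $enc, consistent with the AES-only account setting."
}
```

Run steps 1 and 2 on a domain-joined admin host, then step 3 on a client after a fresh logon (or after `klist purge`), because a ticket cached before the account change still shows the old encryption type. The gateway side of the encryption setting is version specific; follow sk111945 or the Identity Awareness Admin Guide for your release rather than this example.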