Identity Collector - Identity Sources configuration
So I'm preparing to move from AD Query to Identity Collector.
Installed the software on 2 domain controllers for redundancy.
All working fine for the domain controller on which the software is installed, but the other one is not:
"Unable to connect, please check connectivity ....."
Actually, I added our 4 DCs as identity sources but only plan to install IC on 2 of them, since this is enough for redundancy purposes.
Are you only supposed to add the DCs where Identity Collector has been installed as identity sources?
Accepted Solutions
Got it figured out 🙂
The issue was Windows Firewall blocking dynamic ports communication between DCs, once we opened that up, everything became green and connected.
Advice to Check Point: please add this to the Identity Collector documentation as a note (a Windows Firewall rule is needed to allow incoming DCOM port communication between DCs) so people don't have to lose too much time troubleshooting this.
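The check and the fix behind the accepted answer, written out as an added example; this is not code from the thread or from Check Point. It is run from the DC that hosts Identity Collector. Host names and the collector address are placeholders, and the assumption that the collector reaches the other DCs' Security logs over the Windows Event Log RPC interface (TCP/135 to the endpoint mapper, then a port from the remote DC's dynamic RPC range) is mine, inferred from the "DCOM ports" wording above.

```powershell
# Added example (not from the thread or from Check Point): run on the DC that hosts
# Identity Collector. It checks each other DC the way a remote event-log reader would
# reach it, then enables the predefined Windows Firewall rules for that traffic.
# Host names and the collector address are placeholders (assumptions).
$RemoteDCs   = 'DC1','DC2','DC3'     # identity sources that showed "Unable to connect"
$CollectorIP = '10.0.0.14'           # address of the DC running cpidc.exe (add the 2nd collector DC too)

foreach ($dc in $RemoteDCs) {
    # 1. The RPC endpoint mapper must answer first; every DCOM/RPC session starts there.
    $epm = Test-NetConnection -ComputerName $dc -Port 135 -WarningAction SilentlyContinue
    Write-Host ("{0}: TCP/135 reachable = {1}" -f $dc, $epm.TcpTestSucceeded)

    # 2. The log read itself lands on a port from the remote DC's dynamic RPC range
    #    (49152-65535 by default since Windows Server 2008). Print the range so the
    #    firewall rule can be compared with it. Needs WinRM between the DCs.
    Invoke-Command -ComputerName $dc -ScriptBlock { netsh int ipv4 show dynamicport tcp }

    # 3. End to end: read one Security event remotely. "The RPC server is unavailable"
    #    while TCP/135 is open is the signature of a blocked dynamic port.
    try {
        Get-WinEvent -ComputerName $dc -LogName Security -MaxEvents 1 -ErrorAction Stop | Out-Null
        Write-Host "${dc}: remote Security log read OK"
    } catch {
        Write-Warning "${dc}: remote Security log read failed: $($_.Exception.Message)"
    }
}

# Fix, applied on every DC that is an identity source: enable the built-in rule group
# "Remote Event Log Management". It contains the RPC-EPMAP rule (TCP/135) and the RPC
# rule that admits the Event Log service's dynamic ports, so no hard-coded port range
# is needed; it also contains an NP-In rule (TCP/445) for the named-pipe path.
# Scoping the rules to the collector's address keeps the opening to the one source
# that needs it instead of every host on the subnet.
Invoke-Command -ComputerName $RemoteDCs -ScriptBlock {
    param($src)
    Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'
    Set-NetFirewallRule    -DisplayGroup 'Remote Event Log Management' -RemoteAddress $src
    Get-NetFirewallRule    -DisplayGroup 'Remote Event Log Management' |
        Select-Object DisplayName, Enabled, Direction, Profile
} -ArgumentList $CollectorIP
```

Run the loop once before and once after the fix; the third check is the one that has to flip from the RPC error to a successful read. If the firewall is managed by Group Policy, the same three rules have to be enabled in the GPO instead, or the local change will be reverted at the next refresh.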
You should be able to add all of them, actually. Did you check connectivity with the other 3?
Andy
They are all in the same subnet, so I would assume this would have been a no-brainer. Seems not 😊
So on one DC, let's say DC4 in my case, I should be able to see events from all 4 DCs, that's what you are saying?
Then I'm asking myself what is blocking this...
Agree, especially if it's the same subnet : - ). How did you add them? Manually or with the "fetch automatically" option?
"fetch automatically" is how I added them.
If I double-click on the identity source where IC is installed, it passes the test and the connection is fine.
If I double-click on any other identity source where IC is not installed, it fails the test with the message "unable to connect, please check".
Let me confirm with client we did this for, as they also have 4 DCs I believe and all shows fine, but IC is only installed on one of them.
This is what the customer told me when I asked whether he remembered if we did automatic or manual...
"I can’t recall but I think it found all of them. I know it pulled the wrong info (site name) and I had to manually enter that."
Thanks for sharing the solution, @Dave
Good old Windows : - ). Thanks a lot for letting us know, it will help others, for sure!!
Unfortunately, the story doesn't end here, because another issue popped up.
I had planned to run Identity Collector as a service under another, freshly created service account with domain user permissions; the user is a member of the 'Event Log Readers' group.
As soon as I run cpidc.exe as a service under this new service account, everything stops working: all identity sources are yellow and no identities are collected anymore.
When I remove the service account and let the service run under my domain admin account, everything changes instantly to green again and identities are collected.
This surely has to do with user rights in Windows, but it seems like having a domain user with membership of the 'Event Log Readers' group is not enough?
Please help me understand what I'm missing 🙂
Most probably the permissions mismatch. If you looked through sk108235 and sk179544 and did not find the trigger for the issue, I would advise engaging with TAC to drill down.
Yes, most probably a permission issue; it's just hard to find what's missing...
Should this simple domain user account also need to be part of the 'Distributed COM Users' group?
Or should the 'Event Log Readers' group be enough?
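The thread leaves the service-account question open. A diagnostic that separates the two possibilities being weighed (a rights problem on the remote DC versus a connectivity problem that only looks like one), as an added example that is not part of the thread and does not come from Check Point: it tests, from the collector DC, whether the intended account can read another DC's Security log at all, independently of cpidc.exe. Domain, account and host names are placeholders.

```powershell
# Added example (not from the thread or from Check Point): test whether the intended
# service account can read a remote DC's Security log, independently of cpidc.exe.
# Domain, account and host names are placeholders (assumptions).
Import-Module ActiveDirectory              # present on every DC with the AD DS role
$Domain     = 'CONTOSO'
$SamAccount = 'svc_idc'
$RemoteDC   = 'DC1'

# 1. Direct group memberships as AD stores them (nested memberships are not expanded).
#    'Event Log Readers' has to appear here for the log ACL checked in step 3 to apply.
$groups = Get-ADPrincipalGroupMembership -Identity $SamAccount | Select-Object -ExpandProperty Name
Write-Host ("{0}\{1} is a direct member of: {2}" -f $Domain, $SamAccount, ($groups -join ', '))

# 2. The remote read as that account rather than as the logged-on admin. The error text
#    separates the causes: "Attempted to perform an unauthorized operation" is a rights
#    problem on the remote DC; "The RPC server is unavailable" is a firewall or RPC
#    problem and has nothing to do with which account is used.
$cred = Get-Credential -UserName "$Domain\$SamAccount" -Message 'Service account password'
try {
    $evt = Get-WinEvent -ComputerName $RemoteDC -LogName Security -MaxEvents 1 -Credential $cred -ErrorAction Stop
    Write-Host ("Read OK as {0}: event {1} at {2}" -f $cred.UserName, $evt.Id, $evt.TimeCreated)
} catch {
    Write-Warning ("Read failed as {0} on {1}: {2}" -f $cred.UserName, $RemoteDC, $_.Exception.Message)
}

# 3. The access list the remote Security log actually enforces (channelAccess SDDL).
#    BUILTIN\Event Log Readers is S-1-5-32-573; an ACE granting it read (0x1) is what the
#    group membership relies on. Needs WinRM between the DCs.
Invoke-Command -ComputerName $RemoteDC -ScriptBlock { wevtutil gl Security }
```

Two caveats when reading the result: a Windows service only picks up a new group membership in its token when it is restarted, so add the account to a group, restart the cpidc service and only then judge the colour of the identity sources; and if step 2 succeeds with the service account while the collector still fails, the missing right is on the collector's own path into the remote DC (the DCOM/WMI side the thread is asking about), not on the Security log itself.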