This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Simon_Croston
Explorer
‎2020-04-24 08:37 AM

Kerberos Transparent Auth with multiple domains and server 2012

For a number of years we have been happily using Kerberos Transparent Auth SSO. We have multiple domains around the world.

This continues to work fine for existing gateways. We use the identity agent and with browser based sso as a backup.

So each domain would have the SPN for the gateway and the ckp_pdp registered. Has worked fine - for years.

The problem we have regards new gateways that we want to have registered in AD. Previously in a server 2008 AD environment you could have duplicate SPN's in a forest - ie so each domain can have the new firewall registered.

On server 2012 AD controllers the use of SPN -a has been depreciated and the SPN has to be unique in the forest. This means that we cannot register the new gateway in each domain.

Has anyone else encountered this - we want to stick with the identity agent, and no identity collectors or AD query.

How did you address this situation. It has only recently been an issue as we have a couple of new gateways and the last of the old 2008 AD controllers have now gone.

Thanks

 

 

 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2020-04-27 06:11 PM

Is the fact the same SPN is used with both domains the issue?
Tagging @Royi_Priov.

0 Kudos
Simon_Croston
Explorer
‎2020-04-28 04:34 AM
In response to PhoneBoy

Yes when you add the SPN -a it used to bypass the check on duplicate entries in the forest. In Server 2012 this has been changed it checks for duplicates anyway.

This same SPN needs to be added in each domain for SSO to work. 

So yes the issue is that the same SPN's are used in each domain.

Works ok now - as the SPN's are already there.

However when we get a new firewall with a new name in a different location - we will have a problem for Kerberos SSO as it stands.

 

 

 

 

0 Kudos
Simon_Croston
Explorer
‎2020-05-04 05:53 AM
In response to Simon_Croston

Any update on this?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events