vonsakfilip
Explorer

Problem with user authentication on Terminal agent MUHv2

Hi all

I have a problem with user authentication on the terminal agent. I have a Windows Server 2022 machine where MUH agent v2 is installed. The agent sends identities to the PDP gateway. The PDP gateway is an HA cluster (active/standby). Users and machines are authenticated by Kerberos SSO and it works. The Identity Agent for Windows authenticates the user and machine by Kerberos, but the terminal agent uses authentication trust for users and Kerberos for the machine. The problem: when node 2 is active everything works (users are authenticated), but when I switch node 1 to active, authentication trust for users doesn't work. Kerberos for the machine works but the user is not authenticated. PDP debug log and terminal agent log:

pdp::UserPasswordAuthenticator::DoneFetchAsync: failed to fetch authentication data for ******. Request ID: . external error: 6 external Error Description: An error was detected while trying to authenticate against the AD server.

I also found the log from AD and there is a login success for the user. The connection from the terminal agent to the PDP GW works (443), the terminal agent is connected, but the user on node 1 is not able to authenticate.

PDP gw log: An error was detected while trying to authenticate against the AD server.
It may be a problem of bad configuration or connectivity.
Please refer to the troubleshooting guide for more help

Security GW:  R81.10 take 335

Thanks

Vincent_Bacher
Advisor

In such cases the first and easiest step I always do is to perform an ldapsearch on the CLI of the gateway to see if it's able to communicate with the AD server.

Edit: Just enabled pdpd debug on a test PDP device and see that Async messages are shown when the gateway connects to the LDAP AU (AD server) to fetch the user's information (group membership and so on).
To do this, the gateway has to connect to the LDAP AU, authenticate, and fetch the user's info.
Maybe something does not work at this stage.
Maybe I am wrong, it's still too early in the morning for me 🙂

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
vonsakfilip
Explorer

I don't see any problem with AD. Both GWs are able to authenticate machines and users with Kerberos on identity agents. I only have a problem with node1 in the cluster, node2 works fine. The cluster nodes have the same configuration and IP addresses from the same subnet. The connection to AD is correct. Only the terminal agent on one node of the cluster has the problem. The GWs use the same account to communicate with AD.

 

0 Kudos
Vincent_Bacher
Advisor

I had only used this log entry

pdp::UserPasswordAuthenticator::DoneFetchAsync: failed to fetch authentication data for ******. Request ID: . external error: 6 external Error Description: An error was detected while trying to authenticate against the AD server.

to suspect that there might be a communication problem between the cluster node and the AD server. Since you obviously know better than me, I take it all back and wish you good luck 😉

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
