This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
johnyb
Explorer
‎2022-05-22 10:03 PM

dentity Collector (Active Directory) - Identity Propagation Failed Login

Dear All,

i discovered a few days that the majority of the Identity Awareness events from "Identity Collector (Active Directory)"

are followed by Authentication Status "Failed Login".

 
 

Any clues what might is wrong?

MAny Thanks,

YV

Preview file
81 KB
0 Kudos
6 Replies
Sorin_Gogean
Advisor
‎2022-05-23 12:38 AM

Hey, 

 

First, blur your LogServerOrigin - if it matters or not.

Now, do you get the error on the "Failed Log In" or on any identity records ?!?!?!?!

We had that in the past, and all we did was to drop the SSL HASH from the LDAP objects. 

That happened because AD Team changed certificates on their servers... so it will fail since the fingerprint/hash doesn't match anymore .

(see the sk156853 and you will get it, JUST!!!!! leave the Fingerprint empty !!!!! )

This is how an "Failed Log In" looks for us - as you can see the machine was identified properly in AD and mapped to AD groups.

Untitled.png

0 Kudos
Sorin_Gogean
Advisor
‎2022-05-23 12:40 AM
In response to Sorin_Gogean

PS:

See this (Check-Point-LDAPS-connection-breaks-everytime-AD-certificate-is) and others similar - just search LDAPs in the CheckMates Forum.

0 Kudos
johnyb
Explorer
‎2022-05-24 01:22 AM
In response to Sorin_Gogean

What about this error message from the windows event log :

The server-side authentication level policy does not allow the user AAAAAA SID (S-1-5-21-000000000000) from address XX.XX.XX.XX to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

The above belongs to Management server trying to access the domain controller.

0 Kudos
Sorin_Gogean
Advisor
‎2022-05-24 01:20 PM
In response to johnyb

There are a ton of writings out-there in regards to the error you presented.

Seems more like an AD issue or account rights or a protocol change in the communication - didn't dig up too much.

 

Tnx,

PS: have you cleared the AD server SSL HASH from the LDAP objects ?

0 Kudos
johnyb
Explorer
‎2022-05-24 07:14 PM
In response to Sorin_Gogean

no not yet i will have to raise a TAC.

 

0 Kudos
Sorin_Gogean
Advisor
‎2022-05-25 01:41 AM
In response to johnyb

Is that required for a change in your environment, or you referred to TAC as CheckPoint TAC ?

 

You see in your logs some AD group retrieval errors and like we've seen it in the past, one of the problems was the fact that the SSL certificate was changed on AD servers, was changed.

In order to overcome that, all you have to do is to drop the Fingerprint from the LDAP objects, so they will not fail if the SSL cert changes in the future.

 

Thank you,

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events