johnyb
Explorer

Identity Collector (Active Directory) - Identity Propagation Failed Login

Dear All,

I discovered a few days ago that the majority of the Identity Awareness events from "Identity Collector (Active Directory)" are followed by Authentication Status "Failed Login".


Any clues what might be wrong?

Many Thanks,

YV

0 Kudos
6 Replies
Sorin_Gogean
Advisor

Hey, 


First, blur your LogServerOrigin - if it matters or not.

Now, do you get the error on the "Failed Log In" or on any identity records ?!?!?!?!

We had that in the past, and all we did was to drop the SSL hash from the LDAP objects.

That happened because the AD team changed certificates on their servers, so it fails since the fingerprint/hash doesn't match anymore.

(see the sk156853 and you will get it, JUST!!!!! leave the Fingerprint empty !!!!! )

This is how a "Failed Log In" looks for us - as you can see, the machine was identified properly in AD and mapped to AD groups.

[screenshot of the "Failed Log In" record]

0 Kudos
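To check whether the reply above applies to your environment, a small added diagnostic (not from the thread or from Check Point) that fetches the certificate a domain controller currently presents on the LDAPS port and compares its fingerprint with the hash stored on the LDAP object; the host name is a placeholder and the SHA-1, colon-separated fingerprint format is an assumption.

```python
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes, algo: str = "sha1") -> str:
    """Return a certificate fingerprint as upper-case, colon-separated hex."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der_cert: bytes, pinned: str, algo: str = "sha1") -> bool:
    """Compare a live certificate against a stored fingerprint.

    Case and separators are ignored so a value copied from a GUI or a
    sk article compares correctly.
    """
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()

    return norm(fingerprint(der_cert, algo)) == norm(pinned)


def fetch_ldaps_cert(host: str, port: int = 636, timeout: float = 5.0) -> bytes:
    """Fetch the DER certificate presented on the LDAPS port.

    Validation is disabled on purpose: this is a diagnostic that only
    reads the certificate, it does not authenticate to the DC.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Placeholder values: replace with your DC and the hash on the LDAP object.
    DC_HOST = "dc01.example.local"
    PINNED_HASH = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
    cert = fetch_ldaps_cert(DC_HOST)
    print("current:", fingerprint(cert))
    print("pinned: ", PINNED_HASH)
    print("match:  ", pin_matches(cert, PINNED_HASH))
```

A mismatch after an AD certificate rotation is exactly the symptom described above; you can then either update the stored hash to the current value or leave it empty as the reply suggests.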
Sorin_Gogean
Advisor

PS:

See this (Check-Point-LDAPS-connection-breaks-everytime-AD-certificate-is) and others similar - just search LDAPs in the CheckMates Forum.

0 Kudos
johnyb
Explorer

What about this error message from the Windows event log:

The server-side authentication level policy does not allow the user AAAAAA SID (S-1-5-21-000000000000) from address XX.XX.XX.XX to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application.

The above belongs to the Management server trying to access the domain controller.

0 Kudos
Sorin_Gogean
Advisor

There are a ton of writings out there in regards to the error you presented.

Seems more like an AD issue, or account rights, or a protocol change in the communication - I didn't dig too much.

Tnx,

PS: have you cleared the AD server SSL hash from the LDAP objects?

0 Kudos
johnyb
Explorer

No, not yet. I will have to raise a TAC.

0 Kudos
Sorin_Gogean
Advisor

Is that required for a change in your environment, or did you refer to TAC as Check Point TAC?

You see in your logs some AD group retrieval errors, and like we've seen in the past, one of the problems was the fact that the SSL certificate was changed on the AD servers.

In order to overcome that, all you have to do is to drop the Fingerprint from the LDAP objects, so they will not fail if the SSL cert changes in the future.

Thank you,

0 Kudos