Wang
Collaborator

Unable to add new AD users to user access role after upgrade to R80.10

Hello, which engineer has encountered this problem, can you help to solve it?

0 Kudos
17 Replies
Mark_Mitchell
Advisor

Hi Zhen,

Have you tried re-entering the password for the account you are using under the LDAP account unit configuration?

Also the account you are using to access AD is the account unlocked?

Regards

Mark

0 Kudos
Wang
Collaborator

Hi Mark,

Hello, the current password is the password of the account being used, and the account has been unlocked. I can use Windows Remote Desktop to connect to the AD domain server.

Regards

Zhen

0 Kudos
Mark_Mitchell
Advisor

Hi Zhen,

Have you tried re-entering the password into the configuration? Only reason I ask is that I have had similar experiences when pasting a password into the password fields. It populates the field, but actually keeps locking the account out.

It may be worth a shot? Another thing I would look for is the correct entry on the "Login DN" for the account you are using.

It may be worth presenting your LDAP account unit config so we can take a look.

From what you have said, the account you are using is a domain admin?

Regards

Mark

0 Kudos
Wang
Collaborator

Hi Mark,

Hello, is this way of writing correct?

Regards

Zhen

0 Kudos
Mark_Mitchell
Advisor

Hi Zhen,

The login DN looks correct. Although I would recommend not using the built-in administrator account. I would always create a "service account" for this purpose that doesn't have more permissions than are needed for the account role.

Did you attempt to re-enter the password?

Regards

Mark

0 Kudos
Wang
Collaborator

Hi Mark,

The password has been re-entered. Now this account has been upgraded to have administrator privileges, but there is still an error.

Regards

Zhen

0 Kudos
Mark_Mitchell
Advisor

Thanks Zhen. Are there any errors within the logs using the below query?

Blade:"Identity Awareness"

Regards

Mark

0 Kudos
Wang
Collaborator

Hi Mark,

Regards

Zhen

0 Kudos
Mark_Mitchell
Advisor

Can you confirm that you can perform a native LDAP query against the DC outside of Check Point with the account that you are performing the action with?

If you can, this confirms that your AD Domain Controller and account are adequate for LDAP. If the LDAP bind fails outside of Check Point, this may indicate an issue with the domain controller.

Regards

Mark

0 Kudos
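Mark's check above, a native LDAP bind against the DC outside of Check Point, as an added example that is not from this thread: a minimal LDAPv3 simple bind written with Python's standard library only, which also decodes the "data NNN" sub-code Active Directory puts in the diagnostic message (Microsoft's documented AcceptSecurityContext values), so a locked-out account (775) can be told apart from a wrong password (52e). The host, Login DN and password are placeholders you substitute for your own; it defaults to LDAPS on 636.

```python
import re
import socket
import ssl

# AD sub-codes found as "data NNN" in an invalidCredentials diagnosticMessage (Microsoft AcceptSecurityContext values)
AD_SUBCODES = {"525": "user not found", "52e": "bad password", "532": "password expired", "533": "account disabled",
               "701": "account expired", "773": "user must reset password", "775": "account locked out"}

def ber_len(n):
    # BER length: short form below 128, otherwise 0x80|N followed by N big-endian length bytes
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def build_bind_request(msg_id, login_dn, password):
    # LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] password } }
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, login_dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)

def read_tlv(buf, pos):
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                   # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data):
    # Returns (resultCode, diagnosticMessage, AD sub-code meaning or None); 0 = bind OK, 49 = invalidCredentials
    tag, body, _ = read_tlv(data, 0)
    _, _, pos = read_tlv(body, 0)                      # skip messageID
    op, resp, _ = read_tlv(body, pos)
    if tag != 0x30 or op != 0x61:
        raise ValueError("not an LDAP BindResponse")
    _, code, pos = read_tlv(resp, 0)                   # resultCode ENUMERATED
    _, _, pos = read_tlv(resp, pos)                    # matchedDN
    _, diag, _ = read_tlv(resp, pos)                   # diagnosticMessage
    diag = diag.decode("utf-8", "replace")
    m = re.search(r"data ([0-9a-f]+)", diag)
    return int.from_bytes(code, "big"), diag, AD_SUBCODES.get(m.group(1)) if m else None

def ldap_bind_check(host, login_dn, password, port=636):
    # Simple bind over LDAPS (636) so the password is not sent in clear as on 389; host and DN are assumptions
    sock = socket.create_connection((host, port), timeout=5)
    with (ssl.create_default_context().wrap_socket(sock, server_hostname=host) if port == 636 else sock) as s:
        s.sendall(build_bind_request(1, login_dn, password))
        return parse_bind_response(s.recv(4096))
```

A result code of 0 with the service account shows the DC and the credentials are fine, so the fault is on the Check Point side; 49 with a decoded sub-code tells you which account problem to fix before touching the account unit again.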
Maarten_Sjouw
Champion

Is there a FW between the management server and the AD server?

Second to that, do you have a rule allowing the gateway to access the AD server? As the log says, check SK58881.

Last question, is your management a Multi Domain server?

Regards, Maarten
Wang
Collaborator

Hello, there is no FW between them. Secondly, there are rules that allow the gateway to access the AD server. Thirdly, it is not a Multi-Domain server; a DNS is set up on the server.

0 Kudos
Maarten_Sjouw
Champion

Has this ever worked?

Does the user have full admin rights? Did anyone change anything there?

Regards, Maarten
0 Kudos
Wang
Collaborator

The user has administrative rights, and nothing else has changed.

0 Kudos
Mark_Mitchell
Advisor

Hi Zhen,

If everything checks out from an Active Directory domain controller point of view and the Check Point configuration is also correct (time, DNS servers, domain, etc.), it may then be quicker to raise a call with TAC to investigate further.

Regards

Mark

0 Kudos
Wang
Collaborator

Thank you very much

0 Kudos
Sukru_isik
Contributor

Can you check the time? Are the DC and Check Point times the same?

0 Kudos
Karel_Mate
Participant

Hi,

Have you resolved this issue? Can you share the solution you have made? My client is experiencing this issue also.

Thanks,

Karel
